Researchers from Check Point Research (CPR) have discovered vulnerabilities in the payment system built into Xiaomi smartphones. Here is all you need to know.
Are you a Xiaomi smartphone user? If yes, you need to be alert. As per the latest information, a flaw has been discovered in the mobile payment mechanism of some Xiaomi phones that could have cost users their hard-earned money. Now that very few people prefer carrying cash with them, the most common mode of payment is via UPI. But what if someone steals money from your digital wallet, and that too without your knowledge? Researchers from Check Point Research (CPR) have discovered vulnerabilities in the payment system built into Xiaomi smartphones that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application.
“In this report, CPR (Mobile) researchers analyzed the payment system built into Xiaomi smartphones powered by MediaTek chips, which are very popular in China. During these reviews, we discovered vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application,” CPR said in the blog post.
Mobile payment signatures are carried out in the Trusted Execution Environment (TEE)
The post explained that mobile payment signatures are carried out in the Trusted Execution Environment (TEE), which has been an integral part of mobile devices and whose main purpose is to process and store sensitive security information such as cryptographic keys and fingerprints. Hence, it is assumed that if the TEE is safe, your payments are secure too. The test device used for the research is the Xiaomi Redmi Note 9T 5G with MIUI Global 220.127.116.11 OS.
The researchers discovered that Xiaomi can embed and sign their own trusted applications. “We found that an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions,” the report said.
“We discovered several vulnerabilities in the thhadmin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then, practically perform malicious forged actions,” it added.
CPR further noted that Xiaomi devices have an embedded mobile payment framework named Tencent Soter, which provides an API for third-party Android applications to integrate payment capabilities. Its main function is to verify payment packages transferred between a mobile application and a remote backend server, which is essentially the security and safety we all count on when we perform mobile payments.
“The vulnerability we found, which Xiaomi assigned CVE-2020-14125, completely compromises the Tencent soter platform, allowing an unauthorized user to sign fake payment packages,” it said.
The report said that the downgrade issue, which Xiaomi has confirmed belongs to a third-party vendor, will be fixed shortly. CPR also recommended that mobile users always update their phone’s OS to the latest version.
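The downgrade issue described above comes down to a loader accepting any correctly signed trusted app, including an older one. The following added example (not code from CPR, Xiaomi or MediaTek) models that behaviour next to a loader that also keeps a per-app minimum version, a general anti-rollback mitigation. The image layout, the names `sign_ta`, `parse_ta` and `Loader`, the demo key, and the use of HMAC as a stand-in for the vendor signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key. HMAC stands in for the vendor's real signature scheme.
VENDOR_KEY = b"constructed-demo-key"
HEADER = ">16sI"  # hypothetical image header: 16-byte name, 32-bit version


def sign_ta(name, version, code):
    """Build a constructed trusted-app image: header | code | 32-byte tag."""
    body = struct.pack(HEADER, name.encode(), version) + code
    return body + hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()


def parse_ta(image):
    """Verify the tag, then return (name, version, code)."""
    body, tag = image[:-32], image[-32:]
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    name, version = struct.unpack(HEADER, body[:20])
    return name.rstrip(b"\0").decode(), version, body[20:]


class Loader:
    def __init__(self, enforce_floor):
        self.enforce_floor = enforce_floor
        self.floor = {}  # models per-app rollback counters in secure storage

    def load(self, image):
        name, version, _code = parse_ta(image)
        floor = self.floor.get(name, 0)
        if self.enforce_floor and version < floor:
            return f"rejected {name} v{version}: below floor v{floor}"
        self.floor[name] = max(floor, version)
        return f"loaded {name} v{version}"


def demo():
    """Install the patched build, then offer the older signed build."""
    old = sign_ta("demo_ta", 1, b"unpatched code")
    new = sign_ta("demo_ta", 2, b"patched code")
    results = {}
    for label, enforce in (("signature_only", False), ("rollback_floor", True)):
        loader = Loader(enforce)
        loader.load(new)
        results[label] = loader.load(old)
    return results


if __name__ == "__main__":
    print(demo())
```

Both loaders reject a tampered image, but only the one with a version floor refuses the older build, because that build's signature is still valid.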