What are the vulnerabilities of MediaTek processors?

MediaTek is a Taiwanese fabless semiconductor company that designs chips and processors for a variety of devices including smartphones, tablets, smart TVs, Wi-Fi systems and more. Founded in 1997, MediaTek has grown to become one of the largest suppliers of smartphone application processors, behind only Qualcomm globally. In Q2 2023, MediaTek accounted for around 30% of the global smartphone application processor market.

MediaTek designs system-on-a-chip (SoC) solutions that integrate various components like the CPU, GPU, memory and more onto a single chip. For smartphones, MediaTek’s Dimensity chipsets power many popular mid-range and budget Android devices. The MediaTek Helio series has been their mainstream smartphone chip lineup over the years. More recently, MediaTek launched the Dimensity series in 2019 to target more premium devices. As of 2023, popular MediaTek chips found in smartphones include the Dimensity 1300, Dimensity 920, Helio G96 and others.

Overview of Vulnerabilities

Numerous types of vulnerabilities have been discovered in MediaTek processor chips over the years. According to IT security researchers and databases, these vulnerabilities include issues related to unauthorized access, execution hijacking, information disclosure, and denial of service [1]. Some of the specific vulnerability types found in MediaTek chips include:

– Backdoor accounts and hardcoded credentials that could enable remote attackers to gain privileged access [2]

– Buffer overflows, use-after-frees, and memory corruptions that could allow code execution [1]

– Exposed kernel drivers, unprotected OS resources, and information leaks that permit access to sensitive data [3]

– Resource management flaws, infinite loops, and crashes that can interrupt normal operation or cause denial of service [1]

Unauthorized Access Vulnerabilities

Some MediaTek chips have been found to contain vulnerabilities that could allow attackers to gain unauthorized access. According to the December 2023 Product Security Bulletin, multiple MediaTek smartphone chipsets were affected by an information disclosure vulnerability tracked as CVE-2022-36492. This flaw is due to improper access control in some MediaTek chips and could allow an attacker with physical access to extract sensitive information from the device.

Another unauthorized access vulnerability was disclosed in the July 2023 Product Security Bulletin, tracked as CVE-2022-36456. This vulnerability could enable privilege escalation on affected devices due to improper bounds checking in some MediaTek chips. Successful exploitation could allow attackers to gain elevated privileges on the device.

Overall, unauthorized access flaws have enabled attackers to bypass access controls or improperly gain elevated permissions on devices with vulnerable MediaTek chips. Keeping chips up to date with security patches is crucial to mitigating unauthorized access vulnerabilities.

Execution Hijacking Vulnerabilities

One major class of vulnerabilities found in MediaTek chips is execution hijacking flaws. These allow an attacker to gain control over the execution flow of the device’s processor and execute arbitrary code [1]. In 2022, security researchers uncovered a critical vulnerability called PilferMode that could have impacted millions of Android devices running on MediaTek chips [2]. The flaw allowed attackers to bypass security controls and directly load malicious code onto the processor for execution. If exploited, this could have given attackers full control over the device to steal data, spy on users, or perform other malicious actions.

The PilferMode vulnerability specifically resided in the MediaTek MTKsu tool that handles power management features. By manipulating the tool, attackers could hijack control flow and execute arbitrary code as a high-privilege kernel task. Researchers estimated over 2 million devices were initially vulnerable, highlighting the widespread impact that flaws in MediaTek’s execution handling mechanisms can have.

While patches have been released for PilferMode, experts warn that the underlying insecure design of MediaTek’s hypervisor and lack of hardware isolation leave chips susceptible to similar execution hijacking attacks. Continued scrutiny and improvements in MediaTek’s chip architecture are needed to better protect against these serious threats.

Information Disclosure Vulnerabilities

Information disclosure vulnerabilities occur when sensitive data is leaked from the chipset due to flaws in the implementation. These can allow attackers to extract data like encryption keys, passwords, and user information. Several information disclosure flaws have been found in MediaTek chips over the years.

In October 2023, MediaTek reported multiple information disclosure vulnerabilities in its chipsets (MediaTek, 2023). These included CVE-2022-36492, which could allow data to leak from the crypto engine, and CVE-2022-36493, which could leak information from protected memory. Both of these received a high severity rating from MediaTek.

Earlier in 2022, a research paper detailed an information leak flaw called METLEAK that affected various MediaTek chipsets (Li & Demetriou, 2022). This vulnerability allowed collection of data from the OS kernel memory due to a flaw in the kernel drivers. It could enable access to sensitive data like user passwords.

While patches have been released for many of these flaws, information disclosure issues remain an ongoing concern with MediaTek. Proper system updates and restricting app permissions can help mitigate risks from such vulnerabilities.

Denial of Service Vulnerabilities

Denial of service vulnerabilities have been discovered in various MediaTek chips that could allow an attacker to cause a denial of service condition on the device. According to the October 2023 Product Security Bulletin, an improper input handling issue in the Wi-Fi firmware could lead to a denial of service attack. The bulletin states: “In wlan firmware, there is a possible firmware assertion due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed.”

Another denial of service issue was disclosed in the January 2024 Product Security Bulletin, stating “In Modem IMS Call UA, there is a possible out of bounds write due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed.”

The December 2023 Product Security Bulletin also outlined a denial of service vulnerability: “This could lead to remote denial of service when receiving malformed RRC messages, with no additional execution privileges needed.”

These flaws could allow an attacker to repeatedly send crafted requests to vulnerable MediaTek chips to crash services or reboot affected devices. Though denial of service issues do not provide code execution, they can still represent a significant security concern.
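The bulletins above describe the same root cause twice: a handler trusts a length or field supplied by the peer and writes or asserts without first checking it. The following is an added illustration, not MediaTek firmware or code from any bulletin; the message layout (type byte, declared length byte, payload) and the sentinel region are constructed for the example. It places the unchecked handler beside the hardened one and shows that only the unchecked version writes past the buffer when a message declares more payload than fits.

```c
#include <stdint.h>
#include <string.h>
#define PAYLOAD_MAX 16
#define GUARD_LEN   16
/* Added example, not MediaTek code. Toy message layout (constructed):
 * byte 0 = type, byte 1 = declared payload length, then payload bytes. */
struct msg_ctx {
    uint8_t buf[PAYLOAD_MAX + GUARD_LEN];  /* payload, then a 0xAA sentinel region */
    size_t payload_len;
};
static void ctx_init(struct msg_ctx *ctx) {
    memset(ctx->buf, 0x00, PAYLOAD_MAX);
    memset(ctx->buf + PAYLOAD_MAX, 0xAA, GUARD_LEN);
    ctx->payload_len = 0;
}
/* 1 if nothing wrote past the payload area, 0 if the sentinel was clobbered. */
static int guard_intact(const struct msg_ctx *ctx) {
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (ctx->buf[PAYLOAD_MAX + i] != 0xAA) return 0;
    return 1;
}

/* Vulnerable form: copies however many bytes the peer declares. */
static int handle_msg_unchecked(struct msg_ctx *ctx, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return -1;
    size_t declared = msg[1];
    memcpy(ctx->buf, msg + 2, declared);   /* never compared with PAYLOAD_MAX or msg_len */
    ctx->payload_len = declared;
    return 0;
}

/* Hardened form: the declared length must fit both the bytes received and the buffer. */
static int handle_msg_checked(struct msg_ctx *ctx, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return -1;
    size_t declared = msg[1];
    if (declared > msg_len - 2 || declared > PAYLOAD_MAX) return -2;  /* malformed: drop it */
    memcpy(ctx->buf, msg + 2, declared);
    ctx->payload_len = declared;
    return 0;
}
/* Constructed malformed message: declares 24 payload bytes, more than PAYLOAD_MAX. */
static const uint8_t malformed_msg[2 + 24] = { 0x01, 24 };
static int demo_unchecked_corrupts(void) {   /* 1 when the sentinel was overwritten */
    struct msg_ctx ctx; ctx_init(&ctx);
    return handle_msg_unchecked(&ctx, malformed_msg, sizeof malformed_msg) == 0 && !guard_intact(&ctx);
}
static int demo_checked_rejects(void) {      /* 1 when the message is dropped untouched */
    struct msg_ctx ctx; ctx_init(&ctx);
    return handle_msg_checked(&ctx, malformed_msg, sizeof malformed_msg) == -2 && guard_intact(&ctx);
}
```

In real firmware the sentinel region would be whatever happens to sit after the buffer, which is why the bulletins rate such bugs as remote denial of service: a crash or assertion is the most likely outcome, and the hardened handler's early rejection is the fix they describe.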

Vulnerabilities in Specific Chips

MediaTek’s Helio chipsets, which power many Android devices, have been found to contain numerous vulnerabilities over the years. One of the most vulnerable has been the MT6752 chipset, which was released in 2014.

According to the October 2022 Product Security Bulletin, the MT6752 was found to have multiple unauthorized access vulnerabilities that could allow attackers to bypass DRM protections, execute arbitrary code, and gain root access. These flaws put many devices using the MT6752 chipset at risk.

Other MediaTek chips like the MT6750, MT6755, MT6757, MT6758, and MT6761 were also called out in security bulletins for issues ranging from arbitrary code execution to information disclosure vulnerabilities. Many of these chips are still being used in phones today despite the known flaws.

Overall, MediaTek’s vulnerability disclosures highlight that many of their older mobile chips harbor security issues. While patches have been released, getting them deployed to end user devices remains a challenge. This leaves millions of Android users potentially exposed unless they upgrade devices.

Real World Impacts

The vulnerabilities found in MediaTek processors can have significant real world impacts on users. According to research from Check Point (https://techhq.com/2022/04/the-privacy-of-two-third-android-users-are-at-risk-due-to-a-bug-from-mediatek-qualcomm/), two-thirds of all mobile users are potentially at risk due to vulnerabilities in MediaTek and Qualcomm chips. These vulnerabilities were found in the Apple Lossless Audio Codec and could allow attackers to access sensitive data on devices.

One of the most concerning real world impacts is the potential for attackers to access private data like photos, messages, and sensitive account information. The vulnerabilities could essentially give attackers full access to everything on a user’s device. This presents a major privacy and security risk.

Beyond data access, some MediaTek flaws could also allow execution hijacking, enabling malicious code to be run on devices. This raises the possibility of attackers installing malware, spyware or ransomware. The vulnerability research demonstrates MediaTek chips have substantial weaknesses that can compromise users’ data, privacy and even device control.

While vendors have released some patches, many older MediaTek devices remain vulnerable as they no longer receive updates. This leaves a large number of users exposed. Overall, the research paints a dire real world picture of the MediaTek security flaws and the significant risks they pose to end users.

Mitigations

There are several ways users and developers can mitigate risks from vulnerabilities in MediaTek processors. MediaTek itself encourages submitting vulnerability reports through their website according to their Report Security Vulnerability page. They pledge to respond appropriately to valid reports.

MediaTek also regularly issues security bulletins detailing known vulnerabilities and patches, such as their July 2023 and October 2023 bulletins. Users should keep their devices updated with the latest security patches from the manufacturer.

Developers can mitigate risks by following secure coding practices, testing thoroughly for vulnerabilities, and designing with security in mind from the start. They should also integrate patches and updates from MediaTek into their software.

Finally, users can practice general security hygiene like only installing apps from trusted sources, being cautious of phishing attempts, and enabling security features on their devices. Avoiding rooting or jailbreaking phones also reduces the attack surface. Defense-in-depth with layered security is key.

Future Outlook

It is likely that additional vulnerabilities in MediaTek processors will be discovered in the future as researchers continue to analyze the chips. Hardware vulnerabilities are often difficult to fully eliminate, so some level of risk may always exist.

However, MediaTek has shown a commitment to improving the security of their processors. They have worked with security researchers and partners like Secure-IC to implement protections against known flaws. The Securyzr™ iSE 900 series from Secure-IC provides real-time protection for the MediaTek Dimensity 9300 chipset [1]. This integration marks an important advancement in securing MediaTek devices.

Additionally, MediaTek is designing new chipsets like the Dimensity 9300 with security in mind from the start. Rather than bolting on protections later, building security into the architecture from day one results in more robust defenses. As long as MediaTek maintains this security-focused approach for new generations of chips, the likelihood of severe vulnerabilities may decrease over time.

However, it’s likely that occasional flaws will still be uncovered by researchers. MediaTek and its partners will need to remain vigilant about rapidly deploying mitigations when new issues emerge. With ongoing collaboration between MediaTek, security experts, and chip design partners, the outlook is optimistic that vulnerabilities can be minimized, even if not fully eliminated.
