Researchers from Check Point have identified three vulnerabilities (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) in the firmware of MediaTek DSP chips, as well as a vulnerability in the MediaTek Audio HAL audio-processing layer (CVE-2021-0673). Successful exploitation allows an attacker to eavesdrop on the user from an unprivileged Android application.
In 2021, MediaTek accounts for approximately 37% of shipments of specialized smartphone chips and SoCs (according to other data, MediaTek's share among manufacturers of smartphone DSP chips in the second quarter of 2021 was 43%). Among others, MediaTek DSP chips are used in flagship smartphones from Xiaomi, Oppo, Realme and Vivo. MediaTek chips, built on the Tensilica Xtensa microprocessor, are used in smartphones for tasks such as audio, image and video processing, computation for augmented reality, computer vision and machine learning, and the implementation of fast charging.
Reverse engineering of the MediaTek DSP firmware, which is based on the FreeRTOS platform, revealed several ways to execute code on the firmware side and take control of DSP operations by sending specially crafted requests from unprivileged Android applications. Practical attacks were demonstrated on a Xiaomi Redmi Note 9 5G smartphone equipped with the MediaTek MT6853 (Dimensity 800U) SoC. OEMs have reportedly already received fixes for the vulnerabilities in MediaTek's October firmware update.
Among the attacks that become possible once attacker-controlled code runs at the level of the DSP chip firmware:
- Privilege escalation and bypassing of access controls: covert capture of data such as photos, videos, call recordings, microphone audio, GPS location, etc.
- Denial of service and other malicious actions: blocking access to information, disabling overheating protection during fast charging.
- Hiding malicious activity: creating completely invisible and non-removable malicious components that execute at the firmware level.
- Tagging the user for tracking, for example adding subtle marks to an image or video so that data published later can be linked back to the user.
Details of the vulnerability in the MediaTek Audio HAL have not yet been disclosed, but the other three vulnerabilities in the DSP firmware are caused by incorrect bounds checking when processing IPI (Inter-Processor Interrupt) messages sent by the audio_ipi audio driver to the DSP. These flaws allow a controlled buffer overflow in handlers provided by the firmware: the handlers took the size of the transmitted data from a field inside the IPI packet without checking it against the size actually allocated in shared memory.
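The bounds-check failure described above, as an added example that is not part of the original report or of MediaTek's code: a constructed IPI-style handler that trusts the packet's length field, beside a hardened version that checks that field against the size the receiver actually allocated in shared memory. The message layout, field names and SHM_CAPACITY are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class described above: an IPI-style message
 * carries its own length field and the handler copies that many bytes into shared
 * memory. All names and sizes are assumptions, not MediaTek's actual structures. */
#define SHM_CAPACITY 64   /* bytes actually allocated in shared memory (assumed) */

struct ipi_msg {
    uint16_t id;            /* message type */
    uint16_t payload_len;   /* length field supplied by the sender */
    const uint8_t *payload; /* payload bytes */
};
static uint8_t shm_region[SHM_CAPACITY];

/* Vulnerable pattern: the copy length comes straight from the packet; a payload_len
 * larger than SHM_CAPACITY overflows shm_region. */
int handle_ipi_vulnerable(const struct ipi_msg *m) {
    memcpy(shm_region, m->payload, m->payload_len);
    return (int)m->payload_len;
}

/* Hardened pattern: validate the length field against the size the receiver
 * knows it allocated before copying. Returns bytes copied, -1 on a malformed
 * message, -2 when the claimed length exceeds the allocation. */
int handle_ipi_hardened(const struct ipi_msg *m, size_t shm_allocated) {
    if (m == NULL || m->payload == NULL) return -1;
    if (shm_allocated > sizeof shm_region) return -1;   /* allocation claim must itself fit */
    if (m->payload_len > shm_allocated) return -2;      /* untrusted length vs real allocation */
    memcpy(shm_region, m->payload, m->payload_len);
    return (int)m->payload_len;
}

/* Builds a constructed message whose length field claims `claimed_len` bytes
 * and runs it through the hardened handler. */
int check_message(uint16_t claimed_len) {
    static uint8_t payload[SHM_CAPACITY] = {0};   /* constructed sample payload */
    struct ipi_msg m = { .id = 1, .payload_len = claimed_len, .payload = payload };
    return handle_ipi_hardened(&m, SHM_CAPACITY);
}

int main(void) {
    printf("len 64 -> %d (copied)\n", check_message(64));
    printf("len 4096 -> %d (rejected)\n", check_message(4096));
    return 0;
}
```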
During the experiments, the driver was reached through direct ioctl calls or through the /vendor/lib/hw/audio.primary.mt6853.so library, neither of which is accessible to regular Android applications. However, the researchers found a workaround for sending commands based on debug options that are available to third-party applications. These parameters can be changed by calling the Android AudioManager service, which lets an attacker reach the MediaTek Aurisys HAL libraries (libfvaudio.so) that provide the calls for interacting with the DSP. To close this workaround, MediaTek removed the ability to use the PARAM_FILE command through AudioManager.