Vulnerabilities in the firmware of MediaTek DSP chips used in many smartphones

Check Point researchers have identified three vulnerabilities (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) in MediaTek DSP chip firmware, as well as a vulnerability in the MediaTek Audio HAL (CVE-2021-0673). If successfully exploited, the vulnerabilities let an attacker eavesdrop on the user from an unprivileged Android application.

In 2021 MediaTek accounted for roughly 37% of shipments of specialized smartphone chips and SoCs (according to other sources, MediaTek's share among smartphone chip manufacturers was 43% in the second quarter of 2021). MediaTek DSP chips are used in, among others, flagship smartphones from Xiaomi, Oppo, Realme and Vivo. Based on the Tensilica Xtensa microprocessor, MediaTek DSP chips handle operations such as audio, image and video processing, augmented reality, computer vision and machine learning workloads, and fast charging.

While reverse engineering the firmware of MediaTek DSP chips, which is based on FreeRTOS, the researchers found several ways to execute code on the firmware side and take control of DSP operations by sending specially crafted requests from an unprivileged Android application. The attacks were demonstrated in practice on a Xiaomi Redmi Note 9 5G smartphone with the MediaTek MT6853 (Dimensity 800U) SoC. OEMs have reportedly already received fixes for the vulnerabilities in MediaTek's October firmware update.

Attacks that become possible once an attacker can run their own code at the firmware level of the DSP chip include:

  • Privilege escalation and bypass of the access control system - covert capture of data such as photos, videos, call recordings, microphone audio, GPS location, etc.
  • Denial of service and malicious activity - blocking access to information, or disabling overheating protection during fast charging.
  • Hiding malicious activity - creating completely invisible and unremovable malicious components that run at the firmware level.
  • Tagging the user for tracking, for example by adding subtle markers to an image or video so that material published later can be linked back to the user.

Details of the vulnerability in the MediaTek Audio HAL have not yet been disclosed, but the other three vulnerabilities, in the DSP firmware, are caused by incorrect bounds checking when processing IPI (Inter-Processor Interrupt) messages sent by the audio_ipi audio driver to the DSP. The firmware-side message handlers took the size of the transmitted data from a field inside the IPI packet without checking it against the size actually allocated in shared memory, which lets a sender trigger controlled buffer overflows in those handlers.
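The length-handling flaw described above, as an added example that is not Check Point's proof of concept or MediaTek's firmware code: a simulated IPI handler that copies `payload_len` bytes out of shared memory because the header says so, placed beside a hardened version that bounds the copy by the size the driver actually mapped and by the destination's capacity. The message layout, the region sizes, the canary placed right after the destination buffer and the flat `ram` array standing in for DSP memory are all assumptions made for illustration; the flat array exists so that the "overflow" stays inside one object and the demo is free of undefined behaviour.

```c
/* Added example (not Check Point's PoC or MediaTek code). Models an IPI handler
 * that trusts a length field inside the message instead of the shared-memory
 * allocation size. Names, sizes and layout are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHM_REGION_SIZE 64u    /* assumed: bytes the driver mapped for this message */
#define DST_BUF_SIZE    64u    /* assumed: capacity of the handler's destination buffer */
#define DSP_RAM_SIZE    256u   /* flat model of DSP memory so the demo stays in-bounds */
#define SHM_BACKING     128u   /* backing store; only SHM_REGION_SIZE bytes are "allocated" */
#define DST_OFFSET      0u
#define CANARY_OFFSET   DST_BUF_SIZE   /* the "next object" right after the buffer */
#define CANARY_VALUE    0xDEADBEEFu

/* Assumed IPI message header. The unprivileged sender controls every field. */
struct ipi_msg {
    uint16_t msg_id;
    uint16_t payload_len;   /* attacker-controlled length */
    uint32_t shm_offset;    /* attacker-controlled offset into shared memory */
};

struct dsp_state {
    uint8_t ram[DSP_RAM_SIZE];
    uint8_t shm[SHM_BACKING];
};

struct demo_result {
    int rc;             /* handler return value: bytes copied, or -1 if rejected */
    int canary_intact;  /* 1 if the word after the buffer survived the copy */
};

static void dsp_reset(struct dsp_state *d)
{
    uint32_t c = CANARY_VALUE;
    memset(d, 0, sizeof *d);
    memcpy(d->ram + CANARY_OFFSET, &c, sizeof c);
    memset(d->shm, 0x41, sizeof d->shm);   /* constructed payload: 'A' pattern */
}

static uint32_t read_canary(const struct dsp_state *d)
{
    uint32_t c;
    memcpy(&c, d->ram + CANARY_OFFSET, sizeof c);
    return c;
}

/* Vulnerable handler: the only "check" is the one that keeps this demo inside
 * its backing arrays. The copy length itself comes straight from the header,
 * which is the bug class the advisory describes. */
static int handle_ipi_vulnerable(struct dsp_state *d, const struct ipi_msg *m)
{
    if ((size_t)m->shm_offset + m->payload_len > sizeof d->shm)
        return -1;  /* demo-only bound, not part of the modelled firmware logic */
    memcpy(d->ram + DST_OFFSET, d->shm + m->shm_offset, m->payload_len);
    return m->payload_len;
}

/* Hardened handler: the length is validated against the region the driver
 * actually allocated (shm_alloc) and against the destination capacity, with
 * the subtraction ordered so the offset check cannot wrap. */
static int handle_ipi_fixed(struct dsp_state *d, const struct ipi_msg *m, size_t shm_alloc)
{
    if (m->shm_offset > shm_alloc || m->payload_len > shm_alloc - m->shm_offset)
        return -1;  /* payload does not fit in the mapped shared-memory region */
    if (m->payload_len > DST_BUF_SIZE)
        return -1;  /* payload does not fit in the handler's own buffer */
    memcpy(d->ram + DST_OFFSET, d->shm + m->shm_offset, m->payload_len);
    return m->payload_len;
}

/* Feed one crafted message to either handler and report the outcome. */
static struct demo_result run_demo(int use_fixed, uint16_t payload_len)
{
    struct dsp_state d;
    struct ipi_msg m = { .msg_id = 0x10, .payload_len = payload_len, .shm_offset = 0 };
    struct demo_result r;

    dsp_reset(&d);
    r.rc = use_fixed ? handle_ipi_fixed(&d, &m, SHM_REGION_SIZE)
                     : handle_ipi_vulnerable(&d, &m);
    r.canary_intact = read_canary(&d) == CANARY_VALUE;
    return r;
}

int main(void)
{
    const uint16_t lens[] = { 64, 100 };   /* in-bounds, then oversized */
    for (int fixed = 0; fixed < 2; fixed++) {
        for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
            struct demo_result r = run_demo(fixed, lens[i]);
            printf("%s handler, payload_len=%3u: rc=%4d canary %s\n",
                   fixed ? "fixed     " : "vulnerable", lens[i], r.rc,
                   r.canary_intact ? "intact" : "CLOBBERED");
        }
    }
    return 0;
}
```

With a 100-byte `payload_len` the vulnerable handler copies past the 64-byte destination and overwrites the canary with the sender's 0x41 pattern, while the hardened handler rejects the message before touching memory; a 64-byte payload is accepted identically by both. The ordering of the offset check before the subtraction is the detail that matters in practice: checking `offset + len` against the allocation size invites integer wraparound when both values come from the attacker.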

During the experiments the driver was reached through direct ioctl calls or through the /vendor/lib/hw/audio.primary.mt6853.so library, neither of which is accessible to ordinary Android applications. However, the researchers found a workaround for sending commands that relies on debugging options available to third-party applications: these parameters can be changed by calling the Android AudioManager service, which makes it possible to attack the MediaTek Aurisys HAL libraries (libfvaudio.so) that provide the calls for interacting with the DSP. To block this workaround, MediaTek has removed the ability to use the PARAM_FILE command through AudioManager.

Source: opennet.ru