Multiple security holes have been exposed in MediaTek's systems-on-a-chip (SoCs) that could have allowed a malicious actor to elevate their privileges and execute arbitrary code in the audio processor firmware, enabling a "massive eavesdropping campaign" without the users' knowledge.
The flaws were discovered through reverse engineering of the Taiwanese company's digital signal processor (DSP) audio unit by Israeli cybersecurity firm Check Point Research, which concluded that, when chained with other defects present in a smartphone manufacturer's libraries, the issues found in the chip could lead to local privilege escalation from an Android application.
"A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware," Slava Makkaveev, security researcher at Check Point, said in a report. "Since the DSP firmware has access to the audio data stream, an attack on the DSP could potentially be used to eavesdrop on the user."
Tracked as CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663, the three security issues concern a heap-based buffer overflow in the audio DSP component that could be exploited to gain elevated privileges. The flaws affect the MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893 and MT8797 chipsets running Android versions 9.0, 10.0 and 11.0.
"In the audio DSP, there is a possible out-of-bounds write due to incorrect bounds checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation," the chipmaker said in an advisory released last month.
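The advisory describes the bug class only in general terms: an incorrect bounds check lets a malformed inter-processor message write past the end of a heap object. The C sketch below, added here as an illustration and not code from MediaTek or Check Point, uses a hypothetical message layout and parameter block (all names and sizes are constructed) to show how a length check made against the wrong limit accepts an oversized payload, beside the corrected check that bounds the copy by the destination.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical IPC message and DSP-side parameter block; constructed for this
 * example and not MediaTek's real layouts. */
#define PARAM_MAX 64u

struct ipc_msg {
    uint32_t cmd;
    uint32_t payload_len;      /* supplied by the sender, so untrusted */
    uint8_t  payload[256];     /* shared-memory slot the sender fills */
};

struct param_block {           /* heap object the DSP copies the payload into */
    uint8_t  data[PARAM_MAX];
    uint32_t refcount;         /* first field corrupted if data[] overflows */
};

/* Flawed check: the length is compared against the SOURCE slot size instead of
 * the DESTINATION object size, so any payload_len in (PARAM_MAX, 256] passes.
 * Returns how many bytes the copy would land past the end of data[]; the copy
 * itself is deliberately not performed, so this is safe to call with any length. */
size_t flawed_handler_overrun(const struct ipc_msg *m)
{
    if (m->payload_len > sizeof m->payload)   /* wrong limit */
        return 0;                              /* rejected, nothing written */
    return m->payload_len > PARAM_MAX ? m->payload_len - PARAM_MAX : 0;
}

/* Corrected check: bound the copy by the destination and reject otherwise. */
bool fixed_handler(struct param_block *dst, const struct ipc_msg *m)
{
    if (m->payload_len > sizeof dst->data)
        return false;                          /* malformed message dropped */
    memcpy(dst->data, m->payload, m->payload_len);
    return true;
}

/* Build a message with the given declared length so both checks can be compared. */
struct ipc_msg make_msg(uint32_t len)
{
    struct ipc_msg m = { .cmd = 1, .payload_len = len };
    memset(m.payload, 0x41, sizeof m.payload);  /* constructed filler bytes */
    return m;
}
```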
A fourth issue, discovered in the MediaTek audio hardware abstraction layer (HAL) and tracked as CVE-2021-0673, was fixed in October and is expected to be published in the MediaTek security bulletin in December 2021.
In a hypothetical attack scenario, a malicious application installed through social engineering could abuse its access to Android's AudioManager API to target a specialised library, called Android Aurisys HAL, that is configured to communicate with the device's audio drivers, and send it specially crafted messages, which could result in code execution in the DSP and theft of audio data.
Following the disclosure, MediaTek said it has made the appropriate mitigations available to all original equipment manufacturers, adding that it has found no evidence that the flaws are currently being exploited. The company also recommended that users update their devices as patches become available and install apps only from trusted marketplaces such as the Google Play Store.