Three vulnerabilities discovered in the firmware of MediaTek DSP chips

A few days ago, Check Point researchers announced that they had identified three vulnerabilities (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) in the firmware of MediaTek DSP chips, as well as a vulnerability in the audio processing layer of the MediaTek Audio HAL (CVE-2021-0673). If the vulnerabilities are exploited successfully, an attacker can eavesdrop on the user from an unprivileged application on the Android platform.

In 2021, MediaTek accounts for approximately 37% of shipments of specialized chips for smartphones and SoCs (according to other data, MediaTek's share among manufacturers of smartphone DSP chips was 43% in the second quarter of 2021).

Among other things, MediaTek DSP chips are used in the flagship smartphones of Xiaomi, Oppo, Realme and Vivo. MediaTek chips, based on the Tensilica Xtensa microprocessor, are used in smartphones to perform operations such as sound, image and video processing, in computing for augmented reality systems, computer vision and machine learning, and to implement fast charging.

Reverse engineering the firmware of MediaTek DSP chips, which is based on the FreeRTOS platform, revealed several ways to run code on the firmware side and gain control over DSP operations by sending specially crafted requests from unprivileged applications on the Android platform.

Practical attacks were demonstrated on a Xiaomi Redmi Note 9 5G equipped with the MediaTek MT6853 SoC (Dimensity 800U). It is noted that OEMs have already received fixes for the vulnerabilities in MediaTek's October firmware update.

The goal of our research is to find a way to attack the Android audio DSP. First, we need to understand how Android, running on the application processor (AP), communicates with the audio processor. Obviously, there must be a controller that waits for requests from Android user space and then, using some kind of interprocessor communication (IPC), forwards these requests to the DSP for processing.

We used a rooted Xiaomi Redmi Note 9 5G smartphone based on the MT6853 (Dimensity 800U) chipset as a test device. The operating system is MIUI Global 12.5.2.0 (Android 11 RP1A.200720.011).

As there are only a few media-related drivers on the device, it was not difficult to find the driver responsible for the communication between the AP and the DSP.

Among the attacks that become possible once an attacker can execute code at the firmware level of the DSP chip:

  • Access control bypass and privilege escalation: invisible capture of data such as photos, videos, call recordings, microphone audio, GPS, etc.
  • Denial of service and malicious actions: blocking access to information, disabling overheating protection during fast charging.
  • Hiding malicious activity: creating completely invisible and indelible malicious components that run at the firmware level.
  • Tagging a user for tracking: for example, adding subtle marks to an image or video and later linking the posted content back to the user.

Details of the vulnerability in the MediaTek Audio HAL have yet to be revealed, but the three other vulnerabilities, in the DSP firmware, are caused by an incorrect bounds check when processing IPI (Inter-Processor Interrupt) messages sent by the audio_ipi audio driver to the DSP.

These problems make it possible to cause a controlled buffer overflow in the message handlers provided by the firmware: the size of the transmitted data was taken from a field inside the IPI packet, without verifying it against the size actually allocated in shared memory.
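The bug class described above, a handler that trusts a length field carried inside the message instead of the size actually reserved in shared memory, is shown below as an added illustration; it is constructed for this article and is not MediaTek's firmware code. The message layout, the `SHARED_REGION_SIZE` constant and the function names are hypothetical, and the oversized case is only run through the checked handler, since the unchecked one would write past its buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed illustration of an IPI-style message handler.
 * Names, layout and sizes are hypothetical, not MediaTek's.
 */

#define SHARED_REGION_SIZE 64u   /* bytes actually reserved for the payload in shared memory */

struct ipi_msg {
    uint16_t cmd;            /* command id (unused here) */
    uint16_t payload_len;    /* length field supplied by the sender */
    uint8_t  payload[256];   /* sender-controlled data; larger than the reserved region on purpose */
};

/* Vulnerable pattern: copies payload_len bytes simply because the packet says so. */
long handle_ipi_unchecked(uint8_t *dst, size_t dst_size, const struct ipi_msg *msg)
{
    (void)dst_size;                          /* never consulted: this is the defect */
    memcpy(dst, msg->payload, msg->payload_len);
    return msg->payload_len;
}

/* Hardened pattern: the length must fit both the shared region and the local buffer. */
long handle_ipi_checked(uint8_t *dst, size_t dst_size, const struct ipi_msg *msg)
{
    if (msg->payload_len > SHARED_REGION_SIZE || msg->payload_len > dst_size)
        return -1;                           /* reject the message instead of overflowing */
    memcpy(dst, msg->payload, msg->payload_len);
    return msg->payload_len;
}

/* Build a constructed message with the requested length field (payload filled with 0x41). */
static struct ipi_msg make_msg(uint16_t len)
{
    struct ipi_msg m;
    memset(&m, 0, sizeof m);
    m.cmd = 1;
    m.payload_len = len;
    memset(m.payload, 0x41, sizeof m.payload);
    return m;
}

/* In-range message: both handlers copy 16 bytes and agree. */
long demo_in_range(void)
{
    uint8_t dst[SHARED_REGION_SIZE];
    struct ipi_msg m = make_msg(16);
    long a = handle_ipi_unchecked(dst, sizeof dst, &m);
    long b = handle_ipi_checked(dst, sizeof dst, &m);
    return (a == b) ? a : -2;
}

/* Oversized length field: the checked handler refuses it. The unchecked
 * handler is deliberately not called here because it would write past dst. */
long demo_oversized(void)
{
    uint8_t dst[SHARED_REGION_SIZE];
    struct ipi_msg m = make_msg(200);
    return handle_ipi_checked(dst, sizeof dst, &m);
}

int main(void)
{
    return (demo_in_range() == 16 && demo_oversized() == -1) ? 0 : 1;
}
```

The fix is the two comparisons in `handle_ipi_checked`: a length that arrives inside the message is untrusted input and has to be bounded by what the receiver itself knows about the shared region and its destination buffer.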

To access the controller during our experiments, we use direct ioctl calls or the /vendor/lib/hw/audio.primary.mt6853.so library, both of which are inaccessible to regular Android apps. However, the researchers found a way to send commands based on debugging options that are available to third-party applications.

These parameters can be changed by calling the Android AudioManager service, which makes it possible to attack the MediaTek Aurisys HAL libraries (libfvaudio.so) that provide the calls used to interact with the DSP. To block this path, MediaTek removed the ability to use the PARAM_FILE command through AudioManager.

Finally, if you are interested in learning more, you can check the details at the following link.
