Xiaomi’s internal WeChat Pay ecosystem — which caters to over 300 million customers worldwide — could have been hacked to produce payment forgery and a complete compromise of the payment system, Check Point said. With Xiaomi devices making up 14% of all mobile devices worldwide — coming third only to Apple and Samsung in popularity — this exploit could have led to mass-scale hacking and fraud. The vulnerability was fixed by Xiaomi last month, though a “version control” flaw related to this issue is still under repair.
TEE Security Flaw in MediaTek-Powered Xiaomi Phones
MediaTek chip-powered Xiaomi devices dominate the market in China. The security team at Check Point focused on these phones and found a denial of service vulnerability in Xiaomi’s built-in payment system. The flaw was due to a Trusted Execution Environment (TEE) component (Kinibi) caused by an out-of-bound read/write bug that could have been exploited by hackers to launch DDoS attacks. Furthermore, without version control “an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file,” Check Point researcher Slava Makkaveev said. The TEE component stores information such as cryptographic keys and user fingerprints used to sign transactions, allowing Xiaomi devices with this chipset to have their own “trusted” applications. The study says this flaw allowed researchers to target Xiaomis’ embedded “Tencent soter” mobile payment integration framework and could have compromised WeChat Pay control and payment packages, ultimately leading to hijacking and forgery via a hacker-controlled Android app. Furthermore, if a hacker had physical access to a Xiaomi device, the device could be rooted and its permissions modified to create a fake payment package. Android rooting is similar to jailbreaking an iPhone, where advanced users can bypass all device restrictions and gain full control of the device (e.g. to install software or change deep system settings).
The Far East: $4 Billion in Mobile Wallet Transactions
The Far East and China made up two-thirds of the world’s mobile payments in 2021, according to Check Point’s study. “Such a huge amount of money certainly attracts the attention of hackers,” researcher Slava Makkaveev said. The trouble is that last year, the Lithuanian government also displayed some cybersecurity and censorship risks relating to China-made Huawei and Xiaomi 5G smartphones. In 2020, Xiaomi underwent scrutiny for some privacy issues with its browsers as well. As mobile payment ecosystems such as Google Pay and Apple Pay are becoming the default in many regions globally, the cybersecurity risks grow exponentially. With that, for the far more populous but less scrutinized Far East, the cybersecurity risks multiply. “No one is scrutinizing trusted applications written by device vendors, such as Xiaomi, instead of by chip manufacturers, even though security management and the core of mobile payments are implemented there,” Makkaveev said. “Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues.” To ensure you have the latest security updates from your device manufacturer, always check whether automatic updates are enabled. If you prefer the ultimate in mobile device security, it is recommended that you use verified secure smartphones. You will find a host of them in our top five best and most secure smartphones list for 2022.