Xiaomi Phones TEE Vulnerability Allows Forged Mobile Payments

August 15, 2022
Latest Hacking News

Researchers discovered a serious security vulnerability in MediaTek-powered Xiaomi phones that allows forged mobile payments due to a flaw in the Trusted Execution Environment (TEE). Xiaomi patched the vulnerability with its June 2022 updates.

Xiaomi TEE Vulnerability Affecting Secure Payments Via Phones

Researchers from Check Point Research (CPR) have shared a detailed report about the security issues in Xiaomi phones. The vulnerability, CVE-2020-14125, allows forging mobile payments on affected Xiaomi phones because of security issues in the Trusted Execution Environment (TEE).

A Trusted Execution Environment (TEE) is the secure zone of a processor that stores sensitive information. The TEE runs trusted apps on a trusted OS, preventing unauthorized access to cryptographic material. Any vulnerability affecting this secure enclave can lead to severe damage, including financial losses and data breaches.

According to CPR, numerous studies have examined the security of popular TEEs such as Qualcomm QSEE and Trustonic Kinibi. Xiaomi phones with Qualcomm chips use QSEE, while those with MediaTek chips use Kinibi.

By default, Xiaomi phones block unauthorized apps from communicating with trusted apps. However, CPR previously discovered that a vulnerability in the ALAC media decoder allowed such communication, and that vulnerability may also provide access to Xiaomi's trusted apps.

About The Newly Discovered Tencent Soter Flaw

In their recent research, CPR researchers evaluated MediaTek-based Xiaomi phones, which previous studies had largely left unexamined. They analyzed the Xiaomi Redmi Note 9T 5G running MIUI Global 12.5.6.0.

This time, the researchers found a vulnerability in Tencent Soter (CVE-2020-14125). Tencent Soter is an embedded mobile payment framework that provides an API for third-party Android apps, such as WeChat and AliPay, to integrate payment systems. While this trusted framework is meant to ensure verified and secure payments, the vulnerability allows an attacker to extract private keys and forge payments as an unprivileged user.


Describing how this becomes possible, the researchers stated:

The com.tencent.soter.soterserver system app exports (shares for public access) the SoterService service, which provides the API to manage the soter keys. The service binds the [email protected] system service to communicate with the soter trusted app.

An unprivileged Android application has no permission to communicate with the TEE directly, but it can use the SoterService as a proxy. The Java code invokes the initSigh function of the soter app and causes a crash in the trusted app… Therefore, a third-party Android application can easily attack the soter without any user interaction. Xiaomi did not implement an app permission to protect the soter API.

The researchers have elaborated on the technicalities of this vulnerability in their report.
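The root cause the researchers describe is a manifest-level one: a system service is exported to every app on the device, yet no android:permission guards it, so any unprivileged app can reach the TEE through it as a proxy. The following auditor is an added example (not code from the Check Point report, Xiaomi, or Tencent) that checks an AndroidManifest.xml for exactly that pattern, an exported component with no permission requirement, and shows a hardened manifest alongside the weak one. The package and component names in both manifests are constructed placeholders, as is the permission name.

```python
"""Audit an AndroidManifest.xml for exported components that lack a permission.

Added example, not taken from the Check Point report or from Xiaomi's or
Tencent's code. The two manifest snippets are constructed to mirror the
misconfiguration described above: a system app exports a service that brokers
TEE requests without declaring android:permission on it. All package,
component and permission names are illustrative placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("service", "activity", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Resolve the effective exported state of a manifest component.

    An explicit android:exported wins. Without it, a component that declares an
    intent-filter is implicitly exported (the pre-Android 12 default); one with
    no intent-filter stays private to its own package. (Providers on very old
    targetSdk levels were exported by default; that case is not modelled here.)
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def _is_protected(component):
    """True if a caller must hold a permission to talk to the component."""
    if component.tag == "provider":
        return any(_attr(component, a) for a in
                   ("permission", "readPermission", "writePermission"))
    return _attr(component, "permission") is not None


def find_unprotected_exports(manifest_xml):
    """Return (tag, fully-qualified name, reason) for every exported component
    that does not require a permission from its callers."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if _is_protected(comp):
            continue
        name = _attr(comp, "name") or "<unnamed>"
        if name.startswith("."):          # expand manifest shorthand
            name = package + name
        reason = ('explicit android:exported="true"'
                  if _attr(comp, "exported") is not None
                  else "implicitly exported via intent-filter")
        findings.append((comp.tag, name, reason))
    return findings


# Constructed weak manifest: the key-broker service is world-reachable and the
# receiver is implicitly exported by its intent-filter; neither requires a permission.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.payments.broker">
  <application>
    <service android:name=".KeyBrokerService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".InternalWorker"/>
  </application>
</manifest>"""

# Constructed hardened manifest: a signature-level permission is declared and
# required on the exported service, and the receiver is no longer exported.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.payments.broker">
  <permission android:name="com.example.payments.broker.permission.USE_KEY_BROKER"
              android:protectionLevel="signature"/>
  <application>
    <service android:name=".KeyBrokerService" android:exported="true"
             android:permission="com.example.payments.broker.permission.USE_KEY_BROKER"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".InternalWorker"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        for tag, name, reason in find_unprotected_exports(manifest) or [("-", "no findings", "")]:
            print(f"{label:9s} {tag:9s} {name:55s} {reason}")
```

Run against the weak manifest, the auditor reports both the key-broker service and the boot receiver; the private worker service is ignored because nothing makes it reachable from other packages. The hardened manifest produces no findings: the protectionLevel="signature" permission restricts callers to apps signed with the same certificate as the broker, which is the kind of app-permission guard the researchers note was missing on the Soter API.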

Xiaomi Addressed The Flaw

Following the discovery, CPR contacted Xiaomi to report the matter. The researchers have now confirmed that Xiaomi released fixes for the vulnerability with its June 2022 updates. In addition, Xiaomi confirmed that the relevant third party is also handling the Soter key leak issue.

Hence, all Xiaomi users should ensure that their phones are running the June 2022 updates or later. If updating immediately is not possible, and mobile payments are not urgently needed, users can disable mobile payments in the meantime to prevent any losses.
