Vulnerabilities in Xiaomi Phones Could Have Let Hackers Forge Payments
By MYBRANDBOOK
Check Point Research (CPR) identified vulnerabilities in Xiaomi's mobile payment mechanism. If left unpatched, the flaws would have let an attacker steal the private keys used to sign WeChat Pay control and payment packages. In the worst case, an unprivileged Android app could have created and signed a fake payment package.
Vulnerabilities were found in Xiaomi's Trusted Environment
Over 1 billion users could have been affected
Xiaomi acknowledged and fixed the security flaws
Specifically, the vulnerabilities were found in Xiaomi's trusted execution environment (TEE), the isolated environment that stores and manages sensitive material such as cryptographic keys and passwords, and that runs the trusted applications the payment mechanism relies on. The devices studied by CPR were powered by MediaTek chips.
Two Attack Paths
CPR discovered two ways to attack the trusted code:
From an unprivileged Android app: the victim installs and launches a malicious application. The app exploits the trusted code to extract the signing keys and then submits a forged payment package to steal money.
With the target device in hand: the attacker roots the device, downgrades the trusted environment (rolling its trusted code back to an earlier version), and then runs code to create a fake payment package without needing any malicious application.
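The second path depends on the trusted environment accepting an older, still validly signed build of its own code. The following is an added illustration, not code from Xiaomi, MediaTek, WeChat or CPR: a simulated trusted-app loader in Python that contrasts a loader checking only the vendor signature with one that also enforces a monotonic version counter (anti-rollback). The signing key, the HMAC stand-in for the vendor's asymmetric signature, the image format and the stored version counter are all constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo key standing in for the vendor's trusted-app signing key.
# Not a real key; in a real TEE the signature would be asymmetric and the
# public key baked into the loader.
VENDOR_KEY = b"demo-vendor-signing-key"


def _signed_body(version: int, payload: bytes) -> bytes:
    # The version is covered by the signature so it cannot be edited freely.
    return version.to_bytes(4, "big") + payload


def sign_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Build a signed trusted-app image (HMAC-SHA256 stands in for the vendor signature)."""
    sig = hmac.new(key, _signed_body(version, payload), hashlib.sha256).digest()
    return {"version": version, "payload": payload, "sig": sig}


def signature_valid(image: dict, key: bytes = VENDOR_KEY) -> bool:
    """Recompute the signature and compare in constant time."""
    expected = hmac.new(key, _signed_body(image["version"], image["payload"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, image["sig"])


class LoaderNoRollbackProtection:
    """Loader that only checks the signature: any genuine build, however old, is accepted."""

    def load(self, image: dict) -> bool:
        return signature_valid(image)


class LoaderWithRollbackProtection:
    """Loader that also refuses any build older than the highest version it has run."""

    def __init__(self, stored_version: int = 0):
        # Simulates a monotonic counter kept in the TEE's secure storage.
        self.stored_version = stored_version

    def load(self, image: dict) -> bool:
        if not signature_valid(image):
            return False
        if image["version"] < self.stored_version:
            return False  # downgrade attempt: genuine signature, but an older build
        self.stored_version = image["version"]
        return True


def demo() -> dict:
    """Run both loaders against a patched build, a rollback to the vulnerable build, and a tampered build."""
    vulnerable = sign_image(1, b"payment TA v1 (vulnerable build)")
    patched = sign_image(2, b"payment TA v2 (patched build)")
    # Attacker edits the patched payload without the signing key.
    tampered = dict(patched, payload=b"payment TA v2 (attacker-modified)")

    naive = LoaderNoRollbackProtection()
    hardened = LoaderWithRollbackProtection()
    return {
        "naive_accepts_patched": naive.load(patched),
        "naive_accepts_rollback": naive.load(vulnerable),      # True: the downgrade succeeds
        "naive_accepts_tampered": naive.load(tampered),
        "hardened_accepts_patched": hardened.load(patched),
        "hardened_accepts_rollback": hardened.load(vulnerable),  # False: counter blocks it
        "hardened_accepts_tampered": hardened.load(tampered),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The point of the contrast is that a signature check alone proves only that the vendor produced the image at some time; it says nothing about whether a newer, fixed image has since shipped. Once a vulnerable build is running again, the keys it protects, and every payment package signed with them, are only as safe as that old code.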
Responsible Disclosure
CPR responsibly disclosed its findings to Xiaomi. Xiaomi acknowledged the vulnerabilities and issued fixes.
Slava Makkaveev, Security Researcher at Check Point, said:
"We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully working proof of concept. Our study marks the first time Xiaomi's trusted applications are being reviewed for security issues.
We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”