MY BRAND BOOK Vulnerabilities in Xiaomi Phones could have led Hackers to Forge Payments

Vulnerabilities in Xiaomi Phones could have led Hackers to Forge Payments

By MYBRANDBOOK

Check Point Research (CPR) identified vulnerabilities in Xiaomi’s mobile payment mechanism. Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages. Worst case, an unprivileged Android app could have created and signed a fake payment package.

Vulnerabilities were found in Xiaomi's Trusted Environment

Over 1 billion users could have been affected

Xiaomi acknowledged and fixed the security flaws

Check Point Research (CPR) identified vulnerabilities in Xiaomi’s mobile payment mechanism. Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages. In the worst case, an unprivileged Android app could have created and signed a fake payment package.

Specifically, the vulnerabilities were found in Xiaomi's Trusted Environment, which is responsible for storing and managing sensitive information such as keys and passwords. The devices studied by CPR were powered by MediaTek chips.

Two Attack Paths

CPR discovered two ways to attack the trusted code:

From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.

If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment, and then runs the code to create a fake payment package without an application.

Responsible Disclosure

CPR responsibly disclosed its findings to Xiaomi. Xiaomi acknowledged and issued fixes.

Quote: Slava Makkaveev, Security Researcher at Check Point:

“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi's trusted applications are being reviewed for security issues.

We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”

BREAKING NEWS

Elon Musk Merges X with xAI in $33 Billion Stock Deal...

Elon Musk has made waves once again by merging X (formerly Twitter) with...

India Strengthens Electronics Supply Chain with ₹22,919 Cr Manu...

The scheme aims to attract an investment of INR 59,350 Cr, resulting in pro...

Govt Drops Import Duty making EV Batteries cheaper...

The Centre is taking measures to counter the impact of US President Donald ...

CERT-In’s New Advisory Unveils Hidden Cyber Threats...

The advisory highlights critical vulnerabilities in AI models, outlines mul...

TECHNO TRENDS

Legal Battle Over IT Act Intensifies Amid Musk’s India Plans

The outcome of the legal dispute between X Corp and the Indian government c...

Wipro inks 10-year deal with Phoenix Group's ReAssure UK worth

The agreement, executed through Wipro and its 100% subsidiary,...

Centre announces that DPDP Rules nearing Finalisation by April

The government seeks to refine the rules for robust data protection, ensuri...

Home Ministry cracks down on PoS agents in digital arrest scam

Digital arrest scams are a growing cybercrime where victims are coerced or ...

E-Magazine

TECHNOTAINMENT

For 2nd Time, Kaspersky announced Mumbai Indians’ Official C

Hrithik Roshan to endorse RuPay as Brand Ambassador

RuPay is reportedly planning to feature Bollywood superstar Hrithik Rosha

India Today Group launches – AI Pop Stars

Staying true to our industry leadership position in using cutting-edge tech

MOVERS & SHAKERS

Cloudflare Promotes Goran Risticevic as VP & MD for APAC

TelioLabs ropes in Phaniraj V A as the Group CEO

TelioLabs has announced the onboarding of Phaniraj V A as its new Group CE

Wipro Appoints Amit Kumar as Managing Partner and Global Head

Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO), a leading technology s

OPEN YOUR EYES

Ragnar Locker Hides in Virtual Machine to Escape from antivirus software

Digital dividends becomes a challenge to the digital divides.

COVID-19 Crisis Leads To Rising Growth Of Enterprise Collaboration Market

India is moving towards the path of self-reliance

Opportunities For Technological Disruption In Times Of Crisis

INTERVIEWS

Alcatel-Lucent Enterprise Carrying a 100 year legacy ahead

AMD Pensando driving innovation in the DPU architecture space

AMD Pensando stands out in the DPU (Data Processing Unit) market with its u

Alpha Max offers high end solutions in the network space to en

The vision at Alpha Max is to attain quality as the trademark and create a

HOT PICK

ASUS ExpertCenter P500 Mini Tower Desktop PC's launched in Ind

MSI Announces the availability of RTX 50 series of laptops in

MSI, the innovative computing manufacturer in gaming, creator

Nothing Phone (3a) goes on sale today, starting at Rs 19,999

The phone was launched on March 4, featuring a 50MP main, ultra-wide, and t

MAKE IN INDIA BRANDS

GLOBUS INFOCOM LTD.

TATA CONSULTANCY SERVICES

ALPHAMAX TECHNOLOGIES PVT. LTD.

HP INDIA SALES PVT. LTD.

EMINENT CIO'S OF INDIA

AI AND DATA ANALYTICS REVOLUTIONIZING HEALTHCARE SERVICES

...

AGILE TECHNIQUE ENCOURAGES TEAMWORK, ADAPTABILITY, AND CONTINUOUS ITERATION

Several emerging technology trends are significant...

GAINING CUSTOMERS’ TRUST IS ESSENTIAL FOR SMOOTH OMNICHANNEL INTERACTIONS

In the fiscal year 2024-25, our organization has i...

ICONS OF INDIA

ICONS OF INDIA : RISHAD PREMJI

Rishad Premji is Executive Chairman of Wipro Limited, a $11.3 billion ...

Icons Of India : Arundhati Bhattacharya

Arundhati Bhattacharya serves as the Chairperson and CEO of Salesforce...

Icons Of India : Anil Kumar Lahoti

Anil Kumar Lahoti, Chairman, Telecom Regulatory Authority of India (TR...

PARTNER SPEAKERS

Constantly Modifying Services And Strategies To Remain Pertinent And Competitive

The company conducts regular audits and reviews of its brand communication eff...

A "Make in India" brand dedicated to offer high quality communication products

For any brand to be successful, it is crucial that it understands the market d...

PASS Audit – The differentiating facet

Futurenet Technologies collects feedback from customers, vendors and social me...

PSU

DRDO - Defence Research and Development Organisation

DRDO responsible for the development of technology for use by the mili...

NPCI - National Payments Corporation of India

NPCI is an umbrella organization for operating retail payments and set...

TCIL - Telecommunications Consultants India Limited

TCIL is a government-owned engineering and consultancy company...

VIDEOS

Top 25 Brands

Most Trusted Brands 2024 : TECH MAHINDRA

Tech Mahindra positions itself as a company that goes beyond just technology, ...

RELIANCE JIO INFOCOMM LTD.

Reliance Jio commonly known as Jio, has been a significant disruptor in the te...

Most Trusted Brands 2024 : Adobe Inc.

Adobe Creative Cloud is a comprehensive suite of desktop and mobile apps for d...

Global Indian industry

Indian Tech Talent Excelling The Tech World - Rajiv Ramaswami, President & CEO, Nutanix Technologies

Rajiv Ramaswami, President and CEO of Nutanix, brings over 30 years of...

Indian Tech Talent Excelling The Tech World - Anirudh Devgan , President, Cadence Design

Anirudh Devgan, the Global President and CEO of Cadence Design Systems...

Indian Tech Talent Excelling The Tech World - Soni Jiandani, Co-Founder- Pensando Systems

Soni Jiandani, Co-Founder of Pensando Systems, is a tech visionary ren...

ITFORUM 2025

STARNITE AWARDS 2024

CMO of the Year

WOMEN LEADERSHIP

IMAGE GALLERY

TRENDS IN TECHNOLOGY