cxo voice
  • Home
  • News
  • Leaders Talk
  • Expert Opinion
No Result
View All Result
  • Home
  • News
  • Leaders Talk
  • Expert Opinion
No Result
View All Result
Leaders Talk and Latest Tech News | CXO VOICE
No Result
View All Result
Home News Cyber Security

Xiaomi Fixes the Security Flaws In Its Mobile Payment Mechanism

News Desk by News Desk
August 13, 2022
Reading Time: 3 mins read
Security flaws Xiaomi
Share on FacebookShare on Twitter

Check Point Research (CPR) recognized the security flaws in Xiaomi’s mobile payment mechanism. The vulnerabilities were in Xiaomi’s Trusted Environment, which is reliable for storing and processing sensitive data such as keys and passwords. CPR responsibly revealed its findings to Xiaomi, which acknowledged and fixed the security flaws. 

Over 1 billion users could have been affected, an attacker could steal private keys used to sign Wechat Pay control and payment packages. In the most ominous case, an unprivileged Android app could have created and signed a fake payment package. The devices studied by CPR were powered by MediaTek chips. 

CPR main findings

Entrusted apps on Xiaomi phone can be downgraded

Xiaomi can embed and sign their own entrusted applications. CPR findings show that an attacker can reposition an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. CPR found several vulnerabilities in the thhadmin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then practically perform malicious forged actions.

Embedded mobile payment framework compromised.

Xiaomi devices have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities. Its primary function is to provide the ability to verify payment packages transferred between a mobile application and a remote backend server which are essentially the security and safety we all count on when we perform mobile payments.

According to Tencent, hundreds of millions of Android devices support Tencent soter.

The security flaws CPR found, which Xiaomi assigned CVE-2020-14125, ultimately compromised the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.

ADVERTISEMENT

Two Attack Paths

CPR discovered two ways to attack the trusted code: 

1. From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.

2. If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment and then runs the code to create a fake payment package without an application.

Slava Makkaveev, Security Researcher at Check Point, said, “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues. We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”

Also Read: Remote Work Needs a Redesigned Enterprise Network to Strengthen Cybersecurity

News Desk

News Desk

by CXO VOICE team memebrs, contact@cxovoice.com

Related Posts

Cybersecurity While Working from Home amid Coronavirus outbreak
Cyber Security

Hackers targeted Google, Microsoft products via zero-day exploitation in 2022: Report

March 22, 2023
AI chatbots
Cyber Security

Avoid AI chatbots that don’t appear on the company’s website or app: warn researchers

March 14, 2023
security
Cyber Security

US issued new cybersecurity strategy, puts onus on Big Tech firms

March 3, 2023
80% of Indian firms face cyber attacks due to miscommunication in IT security
Cyber Security

80% of Indian firms face cyber attacks due to miscommunication in IT security

February 20, 2023
Cyber Criminals
Cryptocurrency

Cyber agency warns of huge global attack

February 6, 2023
How to remove a virus from a phone?
Cyber Security

How to remove virus from phone?

January 23, 2023
Zero click attacks
Cyber Security

T-Mobile data breach, 37 mn customer’s data stolen

January 20, 2023
cyber security initiatives by Government of India
Cyber Security

Hackers accessed employees’ data in ransomware attack: The Guardian

January 12, 2023
Load More
ADVERTISEMENT

Expert Views

Credentials database theft, reused passwords dangerous entryway
Cyber Security

Can SASE be used as your initial defense against ransomware?

September 12, 2023
Smart Cities challenges and security
Cyber Security

Do our abilities match the ambitions of Smart Cities?

August 23, 2023
Why 5G Network Uptime is Essential for a Digitally Interconnected Society
Opinion

Why 5G Network Uptime is Essential for a Digitally Interconnected Society

July 18, 2023
Responding to cyberbullying with cyber confidence and resilience
Cyber Security

Responding to cyberbullying with cyber confidence and resilience

July 17, 2023
Five Ways All-Flash Data Centers Can Drive Sustainability Goals 
Opinion

Five Ways All-Flash Data Centers Can Drive Sustainability Goals 

July 7, 2023

Latest Updates

Airkit.ai

Salesforce to acquire Airkit.ai to boost AI capabilities

by IANS
1 day ago

Working in a post-pandemic world: What is the new normal?

25 million employees now returning to offices globally in the hybrid work era

by News Desk
1 day ago

Image Credit: Pixabay

IT spending in MENA region to reach $183.8 billion in 2024: Gartner

by News Desk
1 day ago

Samsung Huawei

Samsung, Huawei to drive mass adoption of foldable smartphones next year

by IANS
2 days ago

GenAI

GenAI to generate economic value worth $2.6-$4.4 trillion annually: Report

by IANS
3 days ago

SK hynix

US to ensure S. Korean chipmakers’ smooth operation regarding China curbs

by IANS
3 days ago

Get Latest Update

Subscribe to our mailing list to receives newsletter direct to your inbox!

ADVERTISEMENT

Leaders Inerviews

NewgenOne
Leaders Talk

NewgenONE bridges the gap between business users and IT teams with its low code capability: Varun Goswami

-
Interview with Prasanna Arikala, CTO, Kore.ai on AI chatbots
AI

Can AI chatbots enhance customer experience and reduce the cost of serving customers?

-
Rising cyber attacks pose a serious threat to Indian SMBs, says Zakir Hussain
Cyber Security

Rising cyber attacks pose a serious threat to Indian SMBs, says Zakir Hussain

-
Axis Bank's Cloud-driven digital banking solutions
Banking

Axis Bank doubles down on cloud based digital banking solutions

-

Entrepreneur

Samsung Electronics appoints its first female president

Inspiring Women Entrepreneurs in India (2022)

Technology Adoption For Entrepreneurs

Volunteering management is the need of the Hour

We bring business leaders' opinions and unique ideas on what’s happening in the market and its impact. Also, get the daily news, analysis, and insights.

Connect with us

Easy Links

  • Cryptocurrency
  • Event
  • Blockchain
  • Press Release
  • Resources & Downloads

Write Us

contact@cxovoice.com
  • Home
  • About
  • Contact Us
  • Advertise
  • Privacy & Policy
  • Feedback

© 2023 CXO VOICE

No Result
View All Result
  • Home
  • News
  • Leaders Talk
  • Expert Opinion

© 2023 CXO VOICE

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Our Spring Sale Has Started

You can see how this popup was set up in our step-by-step guide: https://wppopupmaker.com/guides/auto-opening-announcement-popups/