Check Point Research (CPR) recognized the security flaws in Xiaomi’s mobile payment mechanism. The vulnerabilities were in Xiaomi’s Trusted Environment, which is reliable for storing and processing sensitive data such as keys and passwords. CPR responsibly revealed its findings to Xiaomi, which acknowledged and fixed the security flaws.
Over 1 billion users could have been affected, an attacker could steal private keys used to sign Wechat Pay control and payment packages. In the most ominous case, an unprivileged Android app could have created and signed a fake payment package. The devices studied by CPR were powered by MediaTek chips.
CPR main findings
Entrusted apps on Xiaomi phone can be downgraded
Xiaomi can embed and sign their own entrusted applications. CPR findings show that an attacker can reposition an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. CPR found several vulnerabilities in the thhadmin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then practically perform malicious forged actions.
Embedded mobile payment framework compromised.
Xiaomi devices have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities. Its primary function is to provide the ability to verify payment packages transferred between a mobile application and a remote backend server which are essentially the security and safety we all count on when we perform mobile payments.
According to Tencent, hundreds of millions of Android devices support Tencent soter.
The security flaws CPR found, which Xiaomi assigned CVE-2020-14125, ultimately compromised the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.
Two Attack Paths
CPR discovered two ways to attack the trusted code:
1. From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.
2. If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment and then runs the code to create a fake payment package without an application.
Slava Makkaveev, Security Researcher at Check Point, said, “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues. We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”