cxo voice
  • Home
  • News
  • Expert Opinion
  • Leaders Talk
No Result
View All Result
  • Home
  • News
  • Expert Opinion
  • Leaders Talk
No Result
View All Result
Leaders Talk and Latest Tech News | CXO VOICE
No Result
View All Result
Home News Cyber Security

Xiaomi Fixes the Security Flaws In Its Mobile Payment Mechanism

News Desk by News Desk
August 13, 2022
Reading Time: 3 mins read
Security flaws Xiaomi
Share on FacebookShare on Twitter

Check Point Research (CPR) recognized the security flaws in Xiaomi’s mobile payment mechanism. The vulnerabilities were in Xiaomi’s Trusted Environment, which is reliable for storing and processing sensitive data such as keys and passwords. CPR responsibly revealed its findings to Xiaomi, which acknowledged and fixed the security flaws. 

Over 1 billion users could have been affected, an attacker could steal private keys used to sign Wechat Pay control and payment packages. In the most ominous case, an unprivileged Android app could have created and signed a fake payment package. The devices studied by CPR were powered by MediaTek chips. 

CPR main findings

Entrusted apps on Xiaomi phone can be downgraded

Xiaomi can embed and sign their own entrusted applications. CPR findings show that an attacker can reposition an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. CPR found several vulnerabilities in the thhadmin trusted app, which is responsible for security management that could be exploited to leak stored keys or to execute code in the context of the app and then practically perform malicious forged actions.

Embedded mobile payment framework compromised.

Xiaomi devices have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities. Its primary function is to provide the ability to verify payment packages transferred between a mobile application and a remote backend server which are essentially the security and safety we all count on when we perform mobile payments.

According to Tencent, hundreds of millions of Android devices support Tencent soter.

The security flaws CPR found, which Xiaomi assigned CVE-2020-14125, ultimately compromised the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.

ADVERTISEMENT

Two Attack Paths

CPR discovered two ways to attack the trusted code: 

1. From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.

2. If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment and then runs the code to create a fake payment package without an application.

Slava Makkaveev, Security Researcher at Check Point, said, “We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues. We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”

Also Read: Remote Work Needs a Redesigned Enterprise Network to Strengthen Cybersecurity

News Desk

News Desk

by CXO VOICE team memebrs, contact@cxovoice.com

Related Posts

How to remove a virus from a phone?
Cyber Security

How to remove virus from phone?

January 23, 2023
Zero click attacks
Cyber Security

T-Mobile data breach, 37 mn customer’s data stolen

January 20, 2023
cyber security initiatives by Government of India
Cyber Security

Hackers accessed employees’ data in ransomware attack: The Guardian

January 12, 2023
Cyber Security

Austrade Education and Future Skills Initiatives and Australia-India Cybersecurity Hackathon Challenge Launched at AIBX 2022 Business Mission Event

October 3, 2022
security
Cyber Security

DigitalOcean says some customer’s email addresses were exposed in a recent Mailchimp security breach

August 17, 2022
Malware and ransomware
Cyber Security

Ways To Mitigate Malware And Ransomware Attacks

August 16, 2022
CyberPeace
Cyber Security

Governor of Jharkhand Launches Ranchi University-IETE-CyberPeace – Center of Excellence (CoE)

August 13, 2022
Remote Work Requires a Redesigned Enterprise Network To Improved Security
Cyber Security

Remote Work Needs a Redesigned Enterprise Network to Strengthen Cybersecurity

August 12, 2022
Load More
ADVERTISEMENT

Expert Views

SaaS Rising: India is Ready for its Next IT Moment
Opinion

SaaS Rising: India is Ready for its Next IT Moment

January 31, 2023
Technology remains the main driver for insurance companies to scale and grow in 2023
News

Technology remains the main driver for insurance companies to scale and grow in 2023

January 10, 2023
Supply Chain Attacks – The Open Source Effect
Cyber Security

Supply Chain Attacks – The Open Source Effect

January 3, 2023
Technology Trends to Watch in 2023
Opinion

Top Technology Trends to Watch in 2023

December 21, 2022
Startups should embrace a down-round and restructure their firms: Flipkart CEO
Business

Startups should embrace a down-round and restructure their firms: Flipkart CEO

November 22, 2022

Latest Updates

Amazon reports $149.2 bn in net sales, faces short-term uncertainty

Amazon reports $149.2 bn in net sales, faces short-term uncertainty

by IANS
2 days ago

AI-Powered video conferencing solutions by Qualcomm

AI-Powered video conferencing solutions by Qualcomm

by Deepa Sharma
3 days ago

Samsung's new PC lineup features 'AI Noise Canceling'

Samsung’s new PC lineup features ‘AI Noise Canceling’

by IANS
3 days ago

union budget 2023-24

Business Leader’s reactions on the union budget 2023-24

by Deepa Sharma
4 days ago

India plans to set up 100 5G labs to develop applications

by IANS
4 days ago

EVs

EV 2-wheeler sales in India to reach 22 mn by 2030: Report

by IANS
4 days ago

Get Latest Update

Subscribe to our mailing list to receives newsletter direct to your inbox!

ADVERTISEMENT

Leaders Inerviews

Axis Bank's Cloud-driven digital banking solutions
Banking

Axis Bank doubles down on cloud based digital banking solutions

-
digital-first strategy
Banking

Jana Small Finance Bank’s digital-first strategy enhances customer experience

-
email security interview
Cyber Security

What is email security? and its importance in securing enterprise networks

-
Cybersecurity Kallol Sil Interview
Cyber Security

Businesses Need To Invest More In Cybersecurity Training and Awareness: Kallol Sil

-

Entrepreneur

Samsung Electronics appoints its first female president

Inspiring Women Entrepreneurs in India (2022)

Technology Adoption For Entrepreneurs

Volunteering management is the need of the Hour

We bring business leaders' opinions and unique ideas on what’s happening in the market and its impact. Also, get the daily news, analysis, and insights.

Connect with us

Easy Links

  • Cryptocurrency
  • Event
  • Blockchain
  • Press Release
  • Resources & Downloads

Write Us

contact@cxovoice.com
  • Home
  • About
  • Contact Us
  • Advertise
  • Privacy & Policy
  • Feedback

© 2023 CXO VOICE

No Result
View All Result
  • Home
  • News
  • Expert Opinion
  • Leaders Talk

© 2023 CXO VOICE

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

Our Spring Sale Has Started

You can see how this popup was set up in our step-by-step guide: https://wppopupmaker.com/guides/auto-opening-announcement-popups/