Mobile transactions could’ve been disabled, created and signed by attackers.
Analysis Summary
# Vulnerability: Remote Compromise of Xiaomi TEE Allowing Payment Forgery
## CVE Details
- CVE ID: CVE-2020-14125
- CVSS Score: High (Score not explicitly stated, but context implies high severity due to payment system compromise)
- CWE: Out-of-bounds Read/Write (Inferred from description)
## Affected Systems
- Products: Xiaomi handsets that use a Trusted Execution Environment (TEE) and are built on MediaTek processors.
- Versions: Unspecified vulnerable versions prior to the June patch.
- Configurations: Devices with MediaTek chips, which run a custom Kinibi TEE architecture carrying Xiaomi's embedded trusted applications (such as Tencent Soter).
## Vulnerability Description
The vulnerability resides in Xiaomi's implementation of the Trusted Execution Environment (TEE), specifically within the custom Kinibi TEE architecture used on MediaTek-powered devices. The core flaws were:
1. **Out-of-bounds Read/Write:** Leading to a Denial of Service vulnerability (as per the NIST description).
2. **Absence of Version Control:** Xiaomi implemented its own trusted-app format (an MCLF variant) without proper version control. Because the loader checks only that an image is validly signed, not that its version is at least the currently installed one, an attacker could downgrade or overwrite newer, patched trusted applications (such as Tencent Soter) with older, still-signed vulnerable versions.
Successful exploitation could allow an unprivileged Android application to:
1. Steal private keys used to sign payment packages.
2. Create and sign forged payment packages, effectively hijacking the mobile payment system (like WeChat Pay).
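The downgrade described above is only stopped by a per-application minimum version that the loader refuses to go below; a signature check alone accepts any image the vendor ever signed. The following is an added illustration, not code from Xiaomi, Trustonic or Check Point: the header layout, the `signature_ok` flag standing in for real signature verification, and the in-memory table standing in for tamper-resistant (e.g. RPMB-backed) storage are assumptions.

```c
/* Added illustration (not Xiaomi, Trustonic or Check Point code): a trusted-app
 * loader that enforces a per-TA minimum version, so a validly signed but older
 * image cannot replace a patched one. Header layout and storage are hypothetical. */
#include <stdint.h>
#include <string.h>

#define TA_MAGIC 0x54414D47u            /* hypothetical image magic */
#define MAX_TAS  8

typedef struct {
    uint32_t magic;
    uint32_t security_version;          /* must only ever increase per TA */
    uint8_t  uuid[16];
    int      signature_ok;              /* stands in for real signature verification */
} ta_header_t;

/* Rollback floor per TA; a real TEE keeps this in tamper-resistant storage (e.g. RPMB). */
typedef struct { int used; uint8_t uuid[16]; uint32_t min_version; } rollback_entry_t;
static rollback_entry_t store[MAX_TAS];

enum { LOAD_OK = 0, ERR_MAGIC = -1, ERR_SIG = -2, ERR_ROLLBACK = -3, ERR_FULL = -4 };

void ta_store_reset(void) { memset(store, 0, sizeof store); }

static rollback_entry_t *find_or_alloc(const uint8_t uuid[16]) {
    rollback_entry_t *free_slot = NULL;
    for (int i = 0; i < MAX_TAS; i++) {
        if (store[i].used && memcmp(store[i].uuid, uuid, 16) == 0) return &store[i];
        if (!store[i].used && !free_slot) free_slot = &store[i];
    }
    return free_slot;                   /* NULL when the store is full */
}

int ta_load(const ta_header_t *h) {
    if (h->magic != TA_MAGIC) return ERR_MAGIC;
    if (!h->signature_ok) return ERR_SIG;
    rollback_entry_t *e = find_or_alloc(h->uuid);
    if (!e) return ERR_FULL;
    /* Signature passed, but an older signed image is still a downgrade: reject it. */
    if (e->used && h->security_version < e->min_version) return ERR_ROLLBACK;
    /* Accept and raise the floor so this version becomes the new minimum. */
    if (!e->used) { e->used = 1; memcpy(e->uuid, h->uuid, 16); }
    e->min_version = h->security_version;
    return LOAD_OK;
}
```

The floor is per UUID, so one trusted application's update does not block another's, and reloading the same version is allowed; only a strictly lower version is refused.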
## Exploitation
- Status: PoC available (Researchers demonstrated a fully worked Proof of Concept against WeChat Pay). Exploitation in the wild is unknown.
- Complexity: Medium/Low (Exploitation possible from an unprivileged Android app or via physical device manipulation/root, depending on the target scenario).
- Attack Vector: Adjacent/Local (Requires installation of a malicious app or physical access to downgrade the TEE).
## Impact
- Confidentiality: High (Stealing private cryptographic keys for signing transactions).
- Integrity: Critical (Ability to create and sign forged payment transactions).
- Availability: High (Denial of Service possible via the out-of-bounds vulnerability).
## Remediation
### Patches
- Xiaomi patched the vulnerability concerning the arbitrary read component in June [Year unclear from text, but the patch occurred before the August 2022 research disclosure].
### Workarounds
- The vendor indicated the version control vulnerability was "being fixed," implying that a complete fix might require further updates beyond the initial June patch.
- Users should ensure all available system and security updates concerning the Trusted Environment are applied.
## Detection
- Indicators of Compromise: None are documented; the vulnerability allows silent key theft and forgery, so at most unusual behavior or errors logged by TEE or payment-processing services may hint at it.
- Detection Methods and Tools: Verify that the trusted applications running in the TEE are the latest, correctly signed versions, and check version-control integrity after the patch is deployed so that a downgrade to an older signed image would be noticed.
## References
- Vendor advisories: Xiaomi patch release in June (specific advisory URL not provided).
- Relevant links - defanged:
  - research dot checkpoint dot com/2022/researching-xiaomis-tee/
  - nvd dot nist dot gov/vuln/detail/CVE-2020-14125
  - canalys dot com/newsroom/global-smartphone-market-q2-2022
  - statista dot com/statistics/1227576/mobile-wallet-transactions-worldwide/
  - threatpost dot com/payment-api-exposes-payment-data/174825/
  - threatpost dot com/apple-pay-visa-hacked-locked-iphones/175229/