Cyber threat intelligence company Check Point Research said it has discovered vulnerabilities in Xiaomi's mobile payment mechanism.
The company said that, if left unpatched, the flaws would let an attacker steal the private keys used to sign WeChat Pay control and payment packages. In the worst case, an unprivileged Android app could have created and signed a fake payment package.
According to Check Point Software Technologies security researcher Slava Makkaveev, the company discovered a set of vulnerabilities that could allow payment packages to be forged, or the payment system to be disabled outright, from an unprivileged Android application.
"We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi's trusted applications are being reviewed for security issues," he said.
Collaborating with Xiaomi
Makkaveev said Check Point Research immediately disclosed its findings to Xiaomi, who then worked swiftly to issue a fix.
"Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?" said Makkaveev.
According to the latest figures from the statistics portal Statista, the Far East and China accounted for two-thirds of the world's mobile payments in 2021. This is about US$4 billion in mobile wallet transactions. Such a huge amount of money certainly attracts the attention of hackers.
In the report, CPR (Mobile) researchers analysed the payment system built into Xiaomi smartphones powered by MediaTek chips, which are very popular in China. During these reviews, the researchers discovered vulnerabilities that could allow payment packages to be forged, or the payment system to be disabled outright, from an unprivileged Android application.
If the TEE is safe, so are your payments
The trusted execution environment (TEE) has been an integral part of mobile devices for many years. Its main purpose is to process and store sensitive security material such as cryptographic keys and fingerprints.
"Since mobile payment signatures are carried out in the TEE, we assume that if the TEE is safe, so are your payments," said Makkaveev.
The Asian market, mainly represented by smartphones based on MediaTek chips, has still not been widely explored.
"No one is scrutinising trusted applications written by device vendors, such as Xiaomi, even though security management and the core of mobile payments are implemented there. Our study marks the first time Xiaomi's trusted applications are being reviewed for security issues," he said.
In its research, Check Point Research focused on the trusted apps of MediaTek-powered devices. The test device was a Xiaomi Redmi Note 9T 5G running MIUI Global 12.5.6.0.
Makkaveev said Xiaomi can embed and sign its own trusted applications.
"We found that an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file. Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions," he said.
"We discovered several vulnerabilities in the thhadmin trusted app, which is responsible for security management, that could be exploited to leak stored keys or to execute code in the context of the app and then, practically, perform malicious forged actions," he added.
He said Xiaomi devices have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate payment capabilities. Its main function is to verify payment packages transferred between a mobile application and a remote backend server, which is essentially the security guarantee we all count on when we make mobile payments.
WeChat Pay and Alipay are the two largest players in the Chinese digital payment industry. Together, they account for about 95 per cent of the Chinese mobile payments market, and each platform has over 1 billion users. WeChat Pay is based on Tencent Soter. If an app vendor wants to implement its own payment system, including the backend that stores users' credit cards, bank accounts and so on, without being tied to the WeChat app, it can use Tencent Soter directly to verify the authenticity of transactions on its backend server; in other words, to make sure that a payment packet was sent from its app installed on a specific device and approved by the user.
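The verification role described above, in which a backend checks that a payment package was signed by a key held on a specific enrolled device and approved for exactly this transaction, is worth seeing in code. The following is an added example and is not Tencent's Soter code or its package format: the `PaymentPackage` fields, the `Backend` type, the single-use nonce scheme and the choice of ECDSA P-256 are all assumptions made for illustration. The device side is modelled by `SignPackage`, standing in for the signing that the article says happens inside the TEE; the backend side is `Verify`, which rejects packages from unknown devices, packages whose fields were altered after signing, and replays of a package that was already accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentPackage is a constructed stand-in for the package an app hands to its
// backend. The real Soter format is Tencent's own; these fields are an assumption.
type PaymentPackage struct {
	DeviceID string `json:"device_id"`
	OrderID  string `json:"order_id"`
	Amount   int64  `json:"amount_cents"`
	Nonce    string `json:"nonce"`
}

// Backend keeps the public key each device enrolled at registration (the private
// half is assumed to stay inside the device's TEE) and the nonces it has issued.
type Backend struct {
	deviceKeys map[string]*ecdsa.PublicKey
	nonces     map[string]bool // nonce -> still unused
}

func NewBackend() *Backend {
	return &Backend{deviceKeys: map[string]*ecdsa.PublicKey{}, nonces: map[string]bool{}}
}

// Enroll records the public key a device registered for payment signing.
func (b *Backend) Enroll(deviceID string, pub *ecdsa.PublicKey) {
	b.deviceKeys[deviceID] = pub
}

// IssueNonce hands out a fresh, single-use challenge that must be inside the signed package.
func (b *Backend) IssueNonce() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	n := hex.EncodeToString(buf)
	b.nonces[n] = true
	return n, nil
}

// digest canonicalises the package and hashes it so both sides sign and verify the same bytes.
func digest(p PaymentPackage) ([]byte, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(raw)
	return sum[:], nil
}

// SignPackage models the device side: the TEE-held key signs the package digest.
func SignPackage(priv *ecdsa.PrivateKey, p PaymentPackage) ([]byte, error) {
	d, err := digest(p)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, d)
}

// Verify is the backend check: fresh nonce, enrolled device, and a valid signature
// over exactly the fields the backend is about to act on.
func (b *Backend) Verify(p PaymentPackage, sig []byte) error {
	if !b.nonces[p.Nonce] {
		return errors.New("unknown or already-used nonce (replay?)")
	}
	pub, ok := b.deviceKeys[p.DeviceID]
	if !ok {
		return errors.New("device not enrolled")
	}
	d, err := digest(p)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, d, sig) {
		return errors.New("bad signature: package forged or tampered")
	}
	delete(b.nonces, p.Nonce) // burn the nonce only once the package is accepted
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	b := NewBackend()
	b.Enroll("device-A", &priv.PublicKey)
	n, _ := b.IssueNonce()
	p := PaymentPackage{DeviceID: "device-A", OrderID: "order-1", Amount: 1999, Nonce: n}
	sig, _ := SignPackage(priv, p)
	fmt.Println("first submission:", b.Verify(p, sig))
	fmt.Println("replayed submission:", b.Verify(p, sig))
}
```

The design point is that the backend never trusts the app's claims on their own: the device identity, the order, the amount and the challenge are all bound into the signed digest, so a package from a non-enrolled key or with a changed amount fails, and a captured package cannot be submitted twice. This is exactly the guarantee that breaks if, as the article describes, the private signing key can be extracted from the TEE.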
"The vulnerability we found, which Xiaomi assigned CVE-2020-14125, completely compromises the Tencent soter platform, allowing an unauthorised user to sign fake payment packages," said Makkaveev.
Issue addressed by Xiaomi
After Check Point Research's disclosure and collaboration with the vendor, this vulnerability was patched by Xiaomi in June 2022.
The downgrade issue, which Xiaomi has confirmed belongs to a third-party vendor, will be fixed shortly.
"We recommend mobile users to always update their phone's OS to the latest version," said Makkaveev.