News by Xiaomi Miui Hellas

Check Point Research (CPR) : Serious vulnerabilities found in Xiaomi Smartphones


Check Point Research (CPR) found vulnerabilities in the payment mechanism of Xiaomi smartphones


If left unfixed, an attacker could steal the passwords used to sign the WeChat Pay control and payment packages. In the worst case, an unauthorized Android app could create and sign a fake payment package.

  • Vulnerabilities found in Xiaomi's trusted environment
  • Over 1 billion users could have been affected
  • Xiaomi has identified and fixed the security holes

In particular, vulnerabilities were found in Xiaomi's trusted environment, which is responsible for storing and managing sensitive information such as passwords. The devices studied by CPR are powered by a MediaTek chip.

Two types of attack

CPR discovered two ways to attack trusted code:

1. From an unauthorized Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.

2. If the perpetrator has the target device in their hands: The attacker roots the device, then downgrades the trusted environment, and then executes the code to create a fake payment package without an application.

CPR responsibly communicated its findings to Xiaomi. Xiaomi has acknowledged them and issued fixes.

Slava Makkaveev, Security Researcher at Check Point, commented:

We discovered a set of vulnerabilities that could allow forging payment packets or disabling the payment system directly from an Android app.

We managed to hack WeChat Pay and implement a fully comprehensive demonstration of the breach. Our study marks the first time Xiaomi's trusted apps have been examined for security issues. We immediately shared our findings with Xiaomi, which worked quickly to issue a fix.

Our message to the public is to always make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments aren't secure, then what is?

Press Release

