Check Point Research has discovered four vulnerabilities in the firmware and drivers of all MediaTek SoCs. The chip designer has since patched them. The security company found the vulnerabilities by reverse engineering parts of the firmware.
The vulnerabilities sit in the DSP, the digital signal processor found in all MediaTek SoCs, Check Point reports. They could be reached because of a flaw in the SoC's Hardware Abstraction Layer, or HAL: the manufacturer's audio HAL still accepted a debugging command, 'param_file', meant for checking and tuning audio parameters. MediaTek fixed that vulnerability, CVE-2021-0673, by preventing the 'param_file' command from being executed. Check Point is withholding the full details of the attack for ethical reasons.
The flaw in the HAL gave the researchers access to the DSP, which runs a modified version of FreeRTOS. That firmware is normally not reachable by end users, not even with root or through 'adb shell'. Once inside, the researchers found it was possible to overwrite the DSP's memory with arbitrary data, crashing the firmware; this could be done in several different ways. The chip designer has also patched those vulnerabilities.
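The kind of bug the article describes, a handler on the DSP side that takes a length from a message sent by the HAL and writes past a fixed-size region, is easiest to see in a toy model. The C below is an added illustration written for this page, not MediaTek's or Check Point's code; the message layout, the slot size, the function names and the simulated DSP memory are all assumptions. It models DSP SRAM as a byte array with a 64-byte parameter slot followed by a neighbouring object, and shows an unchecked handler corrupting that neighbour next to a hardened handler that rejects oversized messages.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical layout (assumption, not MediaTek's real format):
 * a 64-byte parameter slot at offset 0 of DSP memory, with another
 * object living directly after it. */
#define SLOT_SIZE     64
#define NEIGHBOUR_OFF SLOT_SIZE
#define NEIGHBOUR_LEN 16
#define DSP_MEM_SIZE  256
#define MAX_PAYLOAD   128
#define NEIGHBOUR_MAGIC 0xA5

/* Simulated DSP SRAM; all writes below stay inside this array, so the
 * "overflow" corrupts the neighbour without undefined behaviour. */
struct dsp_mem {
    uint8_t ram[DSP_MEM_SIZE];
};

/* Message as it would arrive from the HAL side: caller-controlled
 * length and payload (assumed layout). */
struct hal_msg {
    uint16_t len;
    uint8_t payload[MAX_PAYLOAD];
};

static void dsp_mem_init(struct dsp_mem *m) {
    memset(m->ram, 0, sizeof m->ram);
    /* Give the neighbouring object recognisable contents. */
    memset(m->ram + NEIGHBOUR_OFF, NEIGHBOUR_MAGIC, NEIGHBOUR_LEN);
}

/* Vulnerable pattern: trusts msg->len and copies into a 64-byte slot. */
static int set_param_unchecked(struct dsp_mem *m, const struct hal_msg *msg) {
    memcpy(m->ram, msg->payload, msg->len);
    return 0;
}

/* Hardened pattern: reject anything larger than the slot or the message. */
static int set_param_checked(struct dsp_mem *m, const struct hal_msg *msg) {
    if (msg->len > SLOT_SIZE || msg->len > sizeof msg->payload)
        return -1;
    memcpy(m->ram, msg->payload, msg->len);
    return 0;
}

/* True if the object after the slot still holds its original bytes. */
static bool neighbour_intact(const struct dsp_mem *m) {
    for (int i = 0; i < NEIGHBOUR_LEN; i++)
        if (m->ram[NEIGHBOUR_OFF + i] != NEIGHBOUR_MAGIC)
            return false;
    return true;
}

/* Sends one constructed message of the given length through a handler.
 * Stores the handler's return code in *rc and returns whether the
 * neighbouring object survived. len must be <= MAX_PAYLOAD. */
static bool run_case(int (*handler)(struct dsp_mem *, const struct hal_msg *),
                     uint16_t len, int *rc) {
    struct dsp_mem m;
    struct hal_msg msg;
    dsp_mem_init(&m);
    msg.len = len;
    memset(msg.payload, 0x41, sizeof msg.payload); /* constructed attacker bytes */
    *rc = handler(&m, &msg);
    return neighbour_intact(&m);
}

int main(void) {
    int rc;
    printf("unchecked, len=100: neighbour intact=%d rc=%d\n",
           run_case(set_param_unchecked, 100, &rc), rc);
    printf("checked,   len=100: neighbour intact=%d rc=%d\n",
           run_case(set_param_checked, 100, &rc), rc);
    printf("checked,   len=64:  neighbour intact=%d rc=%d\n",
           run_case(set_param_checked, 64, &rc), rc);
    return 0;
}
```

The check in set_param_checked is the whole fix: the length comes from the less trusted side of the interface, so it is validated against the destination size before the copy. On a real DSP the neighbouring object would be whatever the firmware's allocator placed next, which is why the article reports crashes in several different forms.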
MediaTek supplies the SoCs in about 37 percent of new smartphones, making it the market leader in smartphone SoCs. Cheaper phones in particular often carry the chip designer's SoCs.