Check Point Research (CPR) identified vulnerabilities in Xiaomi’s mobile payment mechanism. Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages. Worst case, an unprivileged Android app could have created and signed a fake payment package.
Check Point Research (CPR) identified vulnerabilities in Xiaomi’s mobile payment mechanism. Left unpatched, an attacker could steal private keys used to sign Wechat Pay control and payment packages. In the worst case, an unprivileged Android app could have created and signed a fake payment package.
Specifically, the vulnerabilities were found in Xiaomi's Trusted Environment, which is responsible for storing and managing sensitive information such as keys and passwords. The devices studied by CPR were powered by MediaTek chips.
Two Attack Paths
CPR discovered two ways to attack the trusted code:
Responsible Disclosure
CPR responsibly disclosed its findings to Xiaomi. Xiaomi acknowledged and issued fixes.
Quote: Slava Makkaveev, Security Researcher at Check Point:
“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi's trusted applications are being reviewed for security issues.
We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix. Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”