Slava Makkaveev is a global cyber security researcher with Check Point Software.
In this interview, Slava Makkaveev offers expert insight into the discovery of a recent chip vulnerability, which affected roughly a third of the world’s mobile phones.
Why did you choose Taiwan’s MediaTek as your research target, rather than widely advertised hardware manufacturers such as Apple or Samsung?
In the past year, MediaTek has become the absolute leader in mobile devices based on the number of devices that use their chips. Of course, the world is familiar with several modern smartphones powered by MediaTek that are overwhelmingly favored over those produced by their competitors. But MediaTek primarily focuses on the mass market, and most of the budget smartphones that are so widespread in Asia are based on MediaTek chips.
The ability to eavesdrop on ordinary people has always interested both individual hackers and government agencies. And if an attacker wants to spy on a massive scale, then the vulnerabilities in MediaTek software are the perfect “in.”
In the study, I tried to discover how easy it was to find a way to eavesdrop on ordinary people like me. I’m very glad that the vulnerabilities I discovered are now patched, which will help to protect such potential victims.
How did MediaTek respond after you submitted your findings to the company?
If you surf the Internet looking for serious vulnerabilities in MediaTek’s software, you won’t find much. Qualcomm and Samsung patch many more severe vulnerabilities monthly than MediaTek. I think this is due to the fact that MediaTek has only recently become a global chip leader, and their proprietary software is not yet as thoroughly reversed-engineered and open to general observation by enthusiasts as is the case with MediaTek’s competitors.
As a result, I guess that MediaTek doesn’t get a lot of vulnerability reports from outside researchers. But they took our submission very seriously. There were no clarifying questions and objections. All the vulnerabilities were fixed within 90 days. In contrast, I’ve reported high rated vulnerabilities to Qualcomm several times, and each time they took over six months to fix the issues.
What level of danger could this vulnerability have introduced to organizations?
It’s theoretically possible to use vulnerabilities in the audio subsystem for commercial espionage. If successfully exploited, the vulnerabilities could be used by cybercriminals to eavesdrop on employees of a targeted organization, which indirectly affects the safety of commercial information. How often do you discuss business issues over the phone?
I want to note that the attacker must have a high level of knowledge in the field of security and social engineering to be able to exploit vulnerabilities and target specific individuals.
What should CISOs tell employees in order to help ensure that this flaw cannot be exploited?
There is nothing new to say here. Because the starting point of the attack is the installation of a malicious Android application on a smartphone, employees should be encouraged to install only the apps they really need and not use third-party app stores. Antivirus applications can also help to detect if a third-party application is trying to access the vulnerable MediaTek API.
And most importantly, all the discovered vulnerabilities have been fixed, so employees should update their phones to get the latest security patch.
Chip vulnerabilities seem common (Intel, Qualcomm…etc). What is the solution, so that enterprises can stay secure?
In short, nothing significant can be done without restricting users’ freedom. When people talk about a vulnerability in a chip, they usually mean a vulnerability in its firmware. Basically, each firmware is a whole operating system. Therefore, it’s naïve to assume that we will not face new chip-related security issues over and over again. Of course, there are many technical ways to prevent exploitation of vulnerabilities even if they are discovered.
And these methods are already embedded in modern firmware. But in the end it’s like a cat and mouse game with the hackers. And hackers sometimes find ways to bypass all defenses and win the game. If you want to protect your enterprise, separate work apps and data from personal apps and data, for example by installing a work profile solution on employee devices.
This will minimize the sets of firmware open to attack and eliminate local privilege escalation vulnerabilities from the hacker’s arsenal. Let the hacker only act remotely.
Force automatic security updates on your devices. There are many vulnerabilities, but responsible vendors fix them right away.
Lastly, be sure to join us at the premier cyber security event of the year – CPX 360 2022. Register now.