Vulnerabilities on Xiaomi’s mobile payment mechanism

Aug 12 — Around the world, mobile payment is a very popular way of completing a purchase. Mobile payment also carries risk, and the corresponding cyber security threats have become a growing concern as more and more people turn to these payment systems.

Mobile payment popularity

Last year, more than $4 billion worth of goods and services were purchased via mobile wallet transactions. Hackers have noticed. They’ve deployed tactics to intercept card security numbers, to deprive merchants of money and to steal cash from mobile wallets.

New report insights

In a new report issued by Check Point Research, analysts investigated the payment system built into Xiaomi smartphones powered by MediaTek chips, which are ubiquitous in certain regions of the world.

Technical overview

A trusted execution environment (TEE) has been an integral part of mobile devices for years. Its purpose is to process and store sensitive security material, including cryptographic keys and fingerprints.

According to the researchers, in the Asian market no one is scrutinizing the trusted applications written by vendors such as Xiaomi, even though security management and the core of mobile payments are implemented there. The new Check Point Research report is the first instance of Xiaomi's trusted applications being reviewed for security anomalies.

Main findings

Researchers found that Xiaomi can embed and sign its own trusted applications. An attacker can transfer an old version of a trusted app to the device and use it to overwrite the newer app file; because the old version carries a valid vendor signature, it is still accepted. As a result, an attacker can bypass security fixes that Xiaomi or MediaTek made in trusted apps by downgrading them to unpatched versions.
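The control this finding calls for on the defender's side is anti-rollback: a loader that verifies the vendor signature but also refuses any image older than the last version it accepted, ratcheting that minimum forward after every accepted load. The model below is an added illustration, not code from the report, Xiaomi or MediaTek; the TA name `payment_ta`, the version numbers, the `signature_ok` flag standing in for the real signature check and the table standing in for rollback-protected storage are all constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TEE trusted-app (TA) loader. Assumption: the real
 * loader already verifies the vendor signature; an old release is still
 * validly signed, so the signature check alone cannot stop a downgrade. */
#define MAX_TAS 8
#define NAME_LEN 24

struct ta_image {
    const char *name;
    uint32_t version;     /* increases with every vendor release */
    int signature_ok;     /* outcome of the assumed signature check */
};

/* Minimum accepted version per TA; a real TEE keeps this in
 * rollback-protected storage (e.g. RPMB). Modelled as a table. */
static struct { char name[NAME_LEN]; uint32_t min_version; } g_store[MAX_TAS];
static int g_count = 0;

enum load_result { LOAD_OK = 0, LOAD_BAD_SIGNATURE = 1, LOAD_ROLLBACK = 2, LOAD_STORE_FULL = 3 };

void reset_rollback_store(void) { g_count = 0; }

static int find_record(const char *name) {
    for (int i = 0; i < g_count; i++)
        if (strcmp(g_store[i].name, name) == 0) return i;
    return -1;
}

/* Accept a TA only if it is signed AND not older than the last accepted
 * version; on success ratchet the stored minimum so a later downgrade fails. */
enum load_result load_ta(const struct ta_image *img) {
    if (!img->signature_ok) return LOAD_BAD_SIGNATURE;
    int i = find_record(img->name);
    if (i < 0) {                              /* first load of this TA */
        if (g_count == MAX_TAS) return LOAD_STORE_FULL;
        i = g_count++;
        snprintf(g_store[i].name, NAME_LEN, "%s", img->name);
        g_store[i].min_version = img->version;
        return LOAD_OK;
    }
    if (img->version < g_store[i].min_version) return LOAD_ROLLBACK;
    g_store[i].min_version = img->version;    /* equal or newer: ratchet */
    return LOAD_OK;
}

uint32_t stored_min_version(const char *name) {
    int i = find_record(name);
    return i < 0 ? 0 : g_store[i].min_version;
}

int main(void) {
    struct ta_image patched = { "payment_ta", 2, 1 };
    struct ta_image old     = { "payment_ta", 1, 1 };  /* older, still validly signed */
    printf("load v2: %d\n", load_ta(&patched));   /* 0 = LOAD_OK */
    printf("load v1: %d\n", load_ta(&old));       /* 2 = LOAD_ROLLBACK */
    return 0;
}
```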

A full detailed report is available on the Check Point Research blog.