Check Point research has discovered MediaTek Systems on a chip (SoCs) are embedded in approximately 37% of all smartphones and IoT devices in the world, including high-end phones from Xiaomi, Oppo, Realme, Vivo and more.
Modern MediaTek SoCs, including the latest Dimensity series, contain a special AI processing unit (APU) and audio Digital signal processor (DSP) to improve media performance and reduce CPU usage.
Both the APU and the audio DSP have custom Tensilica Xtensa microprocessor architecture. The Tensilica processor platform allows chip manufacturers to extend the base Xtensa instruction set with custom instructions to optimise algorithms and prevent them from being copied. This makes MediaTek DSP a unique and challenging target for security research.
In this study, researchers reverse-engineered the MediaTek audio DSP firmware and discovered several vulnerabilities that are accessible from the Android user space. The goal of the research was to find a way to attack the audio DSP from an Android phone.
A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user.
By chaining with vulnerabilities in original equipment manufacturer (OEM) partner’s libraries, the MediaTek security issues researchers found it could lead to local privilege escalation from an Android application.
