Xiaomi: flaw discovered in the smartphone payment system

An analysis by Check Point Software has highlighted a number of vulnerabilities in the Trusted Execution Environment that could have put more than 1 billion devices at risk. "We managed to penetrate WeChat Pay", but the Chinese brand has already taken remedial action

16 Aug 2022

Domenico Aliperto

Spotlight on Xiaomi's Trusted Execution Environment (TEE), the isolated environment responsible for storing and managing sensitive information such as keys and passwords, where vulnerabilities have been found. The alarm was raised by an analysis from Check Point Research (CPR), the Threat Intelligence division of Check Point Software Technologies, which detected flaws in the Chinese brand's mobile payment system, in particular on devices equipped with MediaTek chips. Xiaomi is aware of the problem and has already corrected the security flaws, which could have allowed the compromise of the devices of more than a billion users.

Index of topics

• The environment in which the vulnerability was found

• How attackers could exploit the flaw

The environment in which the vulnerability was found

Xiaomi devices have a built-in mobile payment framework called Tencent Soter that provides an API for third-party Android applications to integrate payment features. Its main function is to verify the payment packages exchanged between a mobile application and a remote back-end server; that verification is essentially the security we all rely on when making mobile payments.


WeChat Pay and Alipay are the two biggest players in China's digital payments industry. Together, they account for about 95% of China's mobile payments market, and each of these platforms has over a billion users. WeChat Pay is built on Tencent Soter. An app provider that wants to implement its own payment system, including the backend that stores users' credit cards, bank accounts and other accounts, without being tied to the WeChat app can use Tencent Soter directly to verify the authenticity of transactions on its backend server: in other words, to make sure that a payment package was sent from its app installed on a specific device and approved by the user. The vulnerability found by CPR completely compromises the Tencent Soter platform, allowing an unauthorized user to sign fake payment packages.

How attackers could exploit the flaw

"We discovered a number of vulnerabilities that could allow payment packages to be falsified or the payment system disabled directly from an unprivileged Android application," explains Slava Makkaveev, Security Researcher at Check Point Software. "We were able to break into WeChat Pay and do a fully functional test. We immediately communicated our findings to Xiaomi, which worked quickly to correct the flaws. We recommend that everyone keep their phones updated to the latest version provided by the manufacturer."

CPR also found that an attacker can transfer an old version of a trusted app to the device and use it to overwrite the current app file. In this way an attacker can bypass the security fixes made by Xiaomi or MediaTek in trusted apps simply by downgrading them to unpatched versions.

During the research CPR observed several ways to attack the platform integrated into Xiaomi smartphones and used by millions of users in China for mobile payments. For example, an unprivileged Android application could exploit the vulnerability to run code in the WeChat trusted app and spoof payment packages. After the disclosure, the vulnerability was fixed by Xiaomi in June 2022.

Finally, CPR showed how the downgrade vulnerability in Xiaomi's TEE can allow an old version of the WeChat trusted app to be used to steal private keys. This read vulnerability has also been corrected by Xiaomi. The downgrade issue, which Xiaomi has confirmed belongs to a third-party vendor, will be fixed shortly.
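The downgrade attack described above, and again in the closing paragraph, works because a valid vendor signature on an old trusted app says nothing about whether that app is current. The usual defence is anti-rollback: the loader persists the highest version it has accepted for each trusted app and refuses anything older. The Python model below is an added example, not code from this page, from Xiaomi, MediaTek or Check Point; its container layout, the `wechat_ta` name, the sample images and the HMAC stand-in for the vendor's asymmetric signature are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed container layout for this example (not MediaTek's or Xiaomi's real format):
#   magic (4 bytes) | version (u32 LE) | name (16 bytes, NUL padded) | payload | tag (32 bytes)
MAGIC = b"TAEX"
HEADER = struct.Struct("<4sI")
NAME_LEN = 16
TAG_LEN = 32

# Stand-in for the vendor's signing key. A real TEE loader verifies an asymmetric
# signature (e.g. RSA) against a trusted public key; HMAC keeps this example stdlib-only.
VENDOR_KEY = b"example-vendor-signing-key"  # constructed, not a real key


def sign_ta(name: str, version: int, payload: bytes) -> bytes:
    """Build a 'vendor-signed' trusted-app image in the constructed format."""
    if len(name.encode()) > NAME_LEN:
        raise ValueError("name too long")
    body = HEADER.pack(MAGIC, version) + name.encode().ljust(NAME_LEN, b"\0") + payload
    tag = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
    return body + tag


class RollbackIndex:
    """Highest version accepted so far, per trusted app.

    In a real TEE this must live in replay-protected storage (RPMB or similar):
    if an attacker can restore it alongside the old image, the check is useless.
    """

    def __init__(self) -> None:
        self._min: dict[str, int] = {}

    def minimum(self, name: str) -> int:
        return self._min.get(name, 0)

    def record(self, name: str, version: int) -> None:
        if version > self.minimum(name):
            self._min[name] = version


def load_ta(image: bytes, index: RollbackIndex, enforce_rollback: bool = True) -> tuple[str, int]:
    """Verify and 'load' a trusted-app image, returning (name, version).

    enforce_rollback=False reproduces the behaviour the article describes:
    any correctly signed image is accepted, including an older, unpatched one.
    """
    if len(image) < HEADER.size + NAME_LEN + TAG_LEN:
        raise ValueError("image too short")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("signature check failed")
    magic, version = HEADER.unpack_from(body)
    if magic != MAGIC:
        raise ValueError("bad magic")
    name = body[HEADER.size:HEADER.size + NAME_LEN].rstrip(b"\0").decode()
    if enforce_rollback:
        if version < index.minimum(name):
            raise ValueError(f"rollback rejected: {name} v{version} < v{index.minimum(name)}")
        index.record(name, version)
    return name, version


def demo() -> dict:
    """Patched v2 is installed; then an attacker pushes the old but genuinely signed v1."""
    old = sign_ta("wechat_ta", 1, b"vulnerable build")  # constructed sample images
    new = sign_ta("wechat_ta", 2, b"patched build")
    results = {}

    index = RollbackIndex()
    results["patched_loads"] = load_ta(new, index) == ("wechat_ta", 2)

    # Without anti-rollback the old image passes: its signature is genuine.
    results["downgrade_without_check"] = load_ta(old, index, enforce_rollback=False) == ("wechat_ta", 1)

    # With anti-rollback the very same image is refused.
    try:
        load_ta(old, index)
        results["downgrade_with_check"] = True
    except ValueError:
        results["downgrade_with_check"] = False

    # A tampered image fails the signature check regardless of its version.
    tampered = bytearray(new)
    tampered[HEADER.size + NAME_LEN] ^= 0x01  # flip the first payload byte
    try:
        load_ta(bytes(tampered), index)
        results["tampered_loads"] = True
    except ValueError:
        results["tampered_loads"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the second and third results: the same old image is accepted when only the signature is checked and rejected once the loader also consults the rollback index. Whether a real loader is safe then depends on where that index lives; if it sits in storage the attacker can overwrite along with the trusted app file, the version check buys nothing.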