eCommerceNews Asia - Technology news for digital commerce decision-makers
Asia
Guides
#
business intelligence
#
commerce systems
#
customer data platforms
#
marketing technologies
#
payment gateways
Search
Story image
#
Commerce Systems
#
MarTech
#
Payment Gateways
Check Point Research finds vulnerabilities in Xiaomi's mobile payment mechanism
Thu, 18th Aug 2022
FYI, this story is more than a year old
Author image
By Mitchell Hageman, Managing Editor
Follow us

Check Point Software's research teams have uncovered vulnerabilities in Xiaomi's mobile payment mechanism.

The team says that the vulnerabilities could allow forging of payment packages or disabling of the payment system directly from an unprivileged Android application.

Affecting the WeChat TrustZone on Xiaomi's phones mobile payment mechanism, the team says the vulnerabilities could possibly affect up to 1 billion users.

Check Point Research (CPR) collaborated with Xiaomi on the issue, and they acknowledged the vulnerabilities and provided fixes for them as a result.

When discovering the vulnerabilities, the team analysed the payment system built into Xiaomi smartphones powered by MediaTek chips, which are very popular in China.

During these reviews, they discovered vulnerabilities that could allow forging of payment packages or disabling the payment system from an unprivileged Android application, causing a significant security and data breach.

The research goes on to say that while Trusted Execution Environment (TEE) has been an integral part of mobile devices for many years, there are still inherent risks that have not been explored.

CPR showed how the downgrade vulnerability in Xiaomi's TEE could enable the old version of the WeChat app to steal private keys. This presented a read vulnerability which has also been patched and fixed by Xiaomi after disclosure and collaboration.

Another discovery found was that Xiaomi can embed and sign its own trusted applications. Research teams found that attackers can transfer an old version of a trusted app to the device and use it to overwrite the new app file. Because of this, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions.

Xiaomi devices also have an embedded mobile payment framework named Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities.

The primary function of Tencent is to provide the ability to verify payment packages transferred between a mobile application and a remote backend server, which are essentially the security and safety used in mobile payments.

The vulnerability found by research teams labelled by Xiaomi as CVE-2020-14125 completely compromises the Tencent soter platform, allowing unauthorised users to sign fake payment packages.

After CPR disclosed and collaborated on the issue with Xiaomi, the vulnerability has been patched as of June 2022.

The downgrade issue, which has been confirmed by Xiaomi to belong to a third-party vendor, is being fixed shortly.

CPR also recommends that all mobile users update their phone's OS to the latest version to prevent any further issues or problems with outdated payment software.

Related stories
Celigo teams up with TikTok Shop to boost ecommerce efficiency
Pattern launches revolutionary supply chain tech 'Shelf' in Australia
Exclusive: How Fluent Commerce is shaking up the OMS industry
Wolt expands tailored ad service to aid partner growth
Australia sees 45% gap in perceived customer engagement
Top stories
Artificial Intelligence and the Retail Personalisation Revolution
Adobe reveals new AI-powered mobile app, Adobe Express
GitLab unveils Duo Chat for simplified AI-powered DevSecOps workflows
Cegid boosts Middle East presence with new Dubai Point of Delivery
Half of online traffic in 2024 generated by bots, report finds