Vulnerabilities in Xiaomi’s mobile payment could lead to an attacker stealing private keys used to sign Wechat Pay control and payment packages.
The flaws were found by Check Point Research (CPR) in Xiaomi’s trusted execution environment (TEE), the system element responsible for storing and managing sensitive information such as keys and passwords.
“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application,” explained Slava Makkaveev, security researcher at Check Point.
The devices studied by CPR were powered by MediaTek chips and were found to be susceptible to two different kinds of attacks targeting the aforementioned vulnerability.
The first one was from an unprivileged malicious Android app, installed and launched by a user. In this case, the app would be able to extract the keys and send a fake payment packet to steal the money.
The second attack method involved the physical possession of the device by the attacker. In this case, they could root the device, downgrade the trust environment, and then run the code to create a fake payment package without an application.
“We were able to hack into WeChat Pay and implemented a fully worked proof of concept. Our study marks the first time Xiaomi’s trusted applications are being reviewed for security issues,” Makkaveev said.
CPR said after it disclosed the vulnerabilities to Xiaomi, the phone manufacturer acknowledged and promptly patched them.
“We immediately disclosed our findings to Xiaomi, who worked swiftly to issue a fix,” Makkaveev added.
“Our message to the public is to constantly make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”
The findings in CPR’s latest advisory come months after a Juniper Research study suggested the value of biometrically authenticated remote mobile payments will reach an estimated $1.2tn globally by 2027.