Google Publishes Patchwork For Critical MediaTek Vulnerability

CISO Mag | March 06, 2020

  • The issue was first reported on the XDA forum back in April 2019.

  • The exploit was successfully tested on all MediaTek 64-bit chipsets used in several devices including Motorola and OPPO.

  • The vulnerability allowed an attacker to install a malicious application on the device and have unrestricted access to all the files including private data directories.



The MediaTek vulnerability first reported on Android devices back in April 2019 has finally been addressed by Google. The critical vulnerability (now tracked as CVE-2020-0069) affected millions of users of devices with MediaTek chips. The issue was first reported on the XDA forum, one of the largest forums for Android software modifications. Overall, Google published patches for over 70 software vulnerabilities in its Android Security Bulletin.


MediaTek is a large Taiwanese chip design company that provides chips for wireless communications, high-definition television, and devices like smartphones and tablets. The vulnerability is a rootkit lodged in the CPU's firmware. It allows a simple script to root Android devices that use nearly any of MediaTek's 64-bit chips, so it has compromised hundreds of budget and mid-range smartphone, tablet and set-top box models, XDA says.


MediaTek Bug


The Amazon Fire tablets are heavily guarded, and the tablet manufacturer does not provide an official method to unlock the bootloader of Fire tablets. The only way to root the Fire tablet without hardware modifications is to find a loophole in the software itself that bypasses Android’s security model. An active member of the forum did just that and hit the bull’s eye, only to discover that the exploit had a far greater reach and was not limited to the Amazon Fire tablet.


The exploit was successfully tested on all MediaTek 64-bit chipsets used in several devices including Motorola, OPPO, Sony, Alcatel, Amazon, ASUS, Blackview, Realme, Xiaomi, and more. On gaining root shell access and privileges, an attacker can install a malicious application on the device and have unrestricted access to all the files including private data directories.


MediaTek chips power hundreds of budget and mid-range smartphone models, cheap tablets, and off-brand set-top boxes, most of which are sold without the expectation of timely updates from the manufacturer. Many devices still affected by MediaTek-su are thus unlikely to get a fix for weeks or months after today’s disclosure, if they get one at all.

- XDA Developers


This was a grave concern and was thus reported to MediaTek immediately. However, XDA states that although MediaTek released a security patch to fix the issue within a month, it continued to be exploited in the wild by many hacking groups until recently.




In February 2020, after failing to fix the issue and considering its high severity, MediaTek turned to Google for a helping hand. Google’s engineers obliged, as the issue also affected its flagship Android mobile device brand, Pixel. On March 3, 2020, Google released its Android Security Bulletin for March 2020, in which it announced fixes for over 70 issues affecting Android devices, including CVE-2020-0069.


Earlier in 2019, Google’s security researchers discovered that an iPhone could be turned into a surveillance tool exposing a victim’s sensitive information including contacts, Live Location, chat history, emails, photos, and passwords. A total of fourteen vulnerabilities spread across five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes were discovered and later fixed.


Now that Google's March 2020 security patch has been released, most devices should ideally be able to install it, provided the manufacturer rolls it out to them.

