Taiwan’s MediaTek has been the global smartphone chip leader since Q3 2020. MediaTek systems on a chip (SoCs) are embedded in approximately 37% of all smartphones and IoT devices in the world, including high-end phones from Xiaomi, Oppo, Realme, Vivo and more.
Modern MediaTek SoCs, including the latest Dimensity series, contain a special AI processing unit (APU) and an audio digital signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP are built on a customised Tensilica Xtensa microprocessor architecture. The Tensilica processor platform allows chip manufacturers to extend the base Xtensa instruction set with custom instructions, both to optimise particular algorithms and to prevent those algorithms from being copied. This makes the MediaTek DSP a unique and challenging target for security research.
In this study, we reverse-engineered the MediaTek audio DSP firmware and discovered several vulnerabilities that are accessible from the Android user space. The goal of our research was to find a way to attack the audio DSP from an Android phone.
A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user. By chaining these issues with vulnerabilities in original equipment manufacturer (OEM) partners’ libraries, the MediaTek security issues we found could lead to local privilege escalation from an Android application.
The discovered vulnerabilities in the DSP firmware (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) have already been fixed and published in the October 2021 MediaTek security bulletin. The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 MediaTek security bulletin.
Taiwan's MediaTek should be complimented for their fast response. (Ed)