"Xiaomi Phone Bug Allowed Payment Forgery"

Xiaomi, the world's third-largest phone manufacturer after Apple and Samsung, announced the patching of a high-severity flaw in its "trusted environment" used to store payment data, which exposed some of its handsets to attacks. Check Point Research revealed in a DefCon report that the Xiaomi smartphone flaw could have allowed hackers to hijack the mobile payment system and disable it, as well as create and sign their own forged transactions. According to Canalys Q2/22 data, Xiaomi manufactures one in every seven smartphones in the world, creating a massive potential pool of victims. It remains unclear how long the vulnerability existed or whether attackers used it in the wild. Xiaomi patched the bug in June, and it has a CVSS severity rating of high. Some Xiaomi phone models have the Denial-of-Service (DoS) vulnerability. According to the National Institute of Standards and Technology's (NIST) CVE description of the bug, the vulnerability is caused by out-of-bound read/write and can be exploited by attackers to cause DoS. While details of the bug's impact were limited when Xiaomi disclosed the vulnerability in June, Check Point researchers detailed the patched bug and the full potential impact of the flaw in their postmortem. The main problem with the Xiaomi phone was the payment method and the phone's Trusted Execution Environment (TEE), which is the phone's virtual enclave that processes and stores ultra-sensitive security information such as fingerprints and cryptographic keys used in transaction signing. This article continues to discuss findings surrounding the Xiaomi phone bug.

Threatpost reports "Xiaomi Phone Bug Allowed Payment Forgery"