Chinese phone maker Xiaomi has announced that it has found flaws in its phones that could allow a scammer to fake financial transactions without you being aware. Xiaomi is the third-largest phone manufacturer after Samsung and Apple, with millions of users. The flaw could potentially allow bad actors to take control of the mobile payment system within Xiaomi phones and forge their own transactions for a variety of nefarious purposes.
The vulnerability was discovered by security outfit Check Point and was disclosed at DEF CON.
According to Slava Makkaveev, security researcher with Check Point:
“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept.”
The vulnerability is tracked as CVE-2020-14125 and is rated high severity.
The description reads:
“A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by out-of-bound read/write and can be exploited by attackers to make denial of service.”
The flaw is apparently within the Trusted Execution Environment (TEE) part of the phone. The TEE handles all sensitive information, such as payment data and biometrics. The flaw could have allowed a bad actor to access the keys required to sign digital payments.
While the main app involved was WeChat Pay, researchers said it could potentially be leveraged to set up new payment methods for other apps.
The problem predominantly affects China, but WeChat is increasingly used across the world, by both Chinese expats and foreign nationals.
As Xiaomi phones are so numerous, any flaw like this is a risk.
Xiaomi has since released a patch that fixes the vulnerability. If you haven’t updated your phone yet, now would be a good time to do it.