Most smartphone makers enable several debug tools during manufacturing for testing and quality control. In this case, however, a MediaTek debug feature was left enabled on shipping devices, leaving a ‘backdoor’ open to attackers. The flaw, present in many MediaTek-powered smartphones, can be exploited to steal private data such as photos and contacts and even to monitor all of the device’s traffic. Jon Sawyer, known on Twitter as jcase and referred to below as Case, reported the vulnerability on Twitter earlier this month.
— Jon Sawyer (@jcase) January 14, 2016

Explaining the bug, Case told Gadgets360 that MediaTek’s software has a “backdoor” that allows an attacker or a malicious app to gain root access. The problem, as Case explained, is that a user or a malicious app can change the usually restricted, read-only properties on the device, which “can trivially lead to privilege escalation to the root user.” “Root user could do many things, such as access data normally protected from the user/ other apps, or brick the phone, or spy on the user, monitor communications etc,” Case stated.

MediaTek is a Taiwan-based company whose chips are used in many budget smartphones. MediaTek confirmed the vulnerability and stated that the affected devices found so far run Android 4.4 KitKat. Explaining how the vulnerability got there in the first place, MediaTek said that the debug feature was created for telecommunication interoperability testing, mainly in China. Some smartphone manufacturers, however, did not disable the debug feature before shipping their phones, the company added. MediaTek did not disclose the names of the manufacturers.

“We are aware of this issue and it has been reviewed by MediaTek’s security team. It was mainly found in devices running Android 4.4 KitKat, due to a debug feature created for telecommunication interoperability testing in China,” a MediaTek spokesperson said in an emailed statement to Gadgets360. “After testing, phone manufacturers should disable the debug feature before shipping smartphones. However, after investigation, we found that a few phone manufacturers didn’t disable the feature, resulting in this potential security issue.”

Normally, Android’s read-only system properties (the ones prefixed ro.*) are set once when the device boots and cannot be changed afterwards; the property service rejects any attempt to overwrite an ro.* value that is already set. Because of the debug feature left enabled, that restriction did not hold on the affected devices, and any app could rewrite them.
“For example, a malicious app could set the ‘ro.secure’ property to 0, the ro.debuggable one to 1, the ro.adb.secure prop to 0 (this would mean ADB didn’t need authentication) and then enable the ADB over Wi-Fi property, and get a local root shell.” The bug is said to reside in many MediaTek-powered Android smartphones, but MediaTek declined to specify which models or how many handsets are affected. The company insists that the issue affects only certain manufacturers and says it has begun to alert them. “While this issue affected certain manufacturers, it also only affected a portion of devices for those manufacturers. We have taken steps to alert all manufacturers and remind them of this important feature.” MediaTek says that a patch is on the way. If you own an Android smartphone powered by a MediaTek chip, keep an eye out for unusual behaviour on the device in the meantime.
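A more direct check than watching for strange behaviour is to read the properties Case names over adb and see whether they sit at their shipping values. The script below is an added example, not code from the article, from Case or from MediaTek. It assumes adb is on PATH and USB debugging is enabled when run in live mode; the property name ro.mtk_audit_probe used for the write probe is made up for this example, and the getprop dump embedded in the script is constructed to look like a weakened device.

```sh
#!/bin/sh
# Added example (not from the article, Case or MediaTek): audit the ro.* and
# adb-related properties the article names. Live mode (MTK_AUDIT_LIVE=1)
# assumes `adb` is on PATH and a device with USB debugging is attached.

# Pull one property value out of a `getprop` dump ("[key]: [value]" per line).
# Old adb versions emit CRLF, so the \r is stripped first.
prop_value() {
    pv_key="$1"; pv_dump="$2"
    pv_key_re=$(printf '%s' "$pv_key" | sed 's/\./\\./g')
    printf '%s\n' "$pv_dump" | tr -d '\r' \
        | sed -n "s/^\[$pv_key_re\]: \[\(.*\)\]\$/\1/p"
}

# Count the weakened settings in a dump. Prints one WARN line per finding and
# returns the number of findings (0 = every checked value is at its shipping value).
check_props() {
    cp_dump="$1"; findings=0
    # Production (user) builds ship with adbd dropping root (ro.secure=1), a
    # non-debuggable build (ro.debuggable=0) and adbd demanding RSA key
    # authentication (ro.adb.secure=1). The article's example flips all three.
    for pair in ro.secure=1 ro.debuggable=0 ro.adb.secure=1; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(prop_value "$key" "$cp_dump")
        if [ "$got" != "$want" ]; then
            echo "WARN: $key=${got:-<unset>} (expected $want)"
            findings=$((findings + 1))
        fi
    done
    # service.adb.tcp.port is the property that makes adbd listen on TCP
    # ("ADB over Wi-Fi"); anything other than empty or -1 means it is listening.
    port=$(prop_value service.adb.tcp.port "$cp_dump")
    if [ -n "$port" ] && [ "$port" != "-1" ]; then
        echo "WARN: adbd is listening on TCP port $port"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live audit of a connected device. Besides reading the values it tries to
# create a new ro.* property from the shell user (ro.mtk_audit_probe is a
# made-up name). The stock property service refuses this for uid shell, so a
# success is a finding in itself. It is a partial check: the article does not
# say which MediaTek mechanism allowed existing ro.* values to be rewritten,
# so a clean result here does not prove the device is safe.
audit_device() {
    live_dump=$(adb shell getprop) || return 1
    check_props "$live_dump"
    n=$?
    if adb shell 'setprop ro.mtk_audit_probe 1 && echo MTK_PROP_WRITABLE' 2>/dev/null \
            | grep -q MTK_PROP_WRITABLE; then
        echo "WARN: shell user can create ro.* properties"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample dump resembling a device in the state Case describes.
SAMPLE_DUMP='[ro.adb.secure]: [0]
[ro.build.version.release]: [4.4.2]
[ro.debuggable]: [1]
[ro.secure]: [0]
[service.adb.tcp.port]: [5555]'

if [ "${MTK_AUDIT_LIVE:-0}" = 1 ]; then
    audit_device
else
    echo "Checking constructed sample dump:"
    check_props "$SAMPLE_DUMP" || echo "$? weakened setting(s) found"
fi
```

Without MTK_AUDIT_LIVE=1 the script only evaluates the embedded sample, which reports all four weakened settings; with it, the script reads the attached device and also runs the write probe. A clean live result means the checked properties are at their shipping values and the shell user cannot create ro.* properties, nothing more.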