A chip widely used in smartphones, including the crypto-focused Solana Seeker, has an unfixable vulnerability that could allow attackers to gain complete control and steal private keys stored on the device, according to crypto wallet maker Ledger.
Ledger stated in a report on Wednesday that it tested an attack on the MediaTek Dimensity 7300 (MT6878), and successfully bypassed its security measures to achieve "full and absolute control over the smartphone, with no security barrier left standing."
Ledger security engineers Charles Christen and Léo Benito explained that they gained control of the chip by employing electromagnetic pulses during the chip’s initial boot process.
Crypto wallets frequently rely on private keys, which some users store on their phones. This vulnerability means that malicious actors could extract these private keys from a device to steal funds from a crypto wallet.
"There is simply no way to safely store and use one’s private keys on those devices," Christen and Benito stated.
Smartphone Chip Vulnerability Remains Unfixable
The fault injection vulnerability cannot be fixed through a software update or patch, because the issue is embedded within the silicon of the smartphone’s system on chip (SoC). Consequently, "users stay vulnerable even if the vulnerability is disclosed," according to Christen and Benito.
While the attack's success rate is low, estimated at between 0.1% and 1%, the engineers noted that the attack can be re-attempted so quickly that an attacker will gain access in "only a matter of a few minutes."
"Given that we can try to inject a fault every 1 second or so, we repeatedly boot up the device, try to inject the fault, and if the fault does not succeed, we simply power up the SoC and repeat the process."
Chip Maker Clarifies Product Scope
MediaTek informed Ledger that electromagnetic fault injection attacks are considered "out of scope" for the MT6878 chip.
The company explained, "Like many standard microcontroller circuits, the MT6878 chipset is designed for use in consumer products, not for applications such as finance or HSMs (Hardware Security Modules)."
"It is not specifically hardened against EMFI hardware physical attacks. For products with higher hardware security requirements, such as hardware crypto wallets, we believe that they should be designed with appropriate countermeasures against EMFI attacks."
Christen and Benito began their experiment in February and successfully exploited the chip’s vulnerability in early May. Following this, they disclosed the issue to MediaTek’s security team, who subsequently informed all affected vendors.

