
A chip widely used in smartphones, including the crypto-focused Solana Seeker, has an unfixable vulnerability that could allow attackers to gain complete control and steal private keys stored on the device, according to crypto wallet maker Ledger.
Ledger said in a report on Wednesday that it tested an attack on the MediaTek Dimensity 7300 (MT6878), and bypassed its security measures to gain “full and absolute control over the smartphone, with no security barrier left standing.”
Ledger security engineers Charles Christen and Léo Benito explained that they took control of the chip using electromagnetic pulses during the chip’s initial boot process.
Crypto wallets often rely on private keys, which some users store on their phones, meaning bad actors can extract private keys from a device to steal from a crypto wallet.
“There is simply no way to safely store and use one’s private keys on those devices,” Christen and Benito said.
Smartphone chip vulnerability can’t be fixed
The fault injection vulnerability can’t be fixed through a software update or patch, because the issue is coded into the silicon of the smartphone’s system on chip (SoC), meaning “users stay vulnerable even if the vulnerability is disclosed,” according to Christen and Benito.
Ultimately, the attack success rate is low, between 0.1% and 1%, but the duo said the speed at which it can be repeatedly initiated means that eventually an attacker will gain access in “only a matter of a few minutes.”
“Given that we can try to inject a fault every 1 second or so, we repeatedly boot up the device, try to inject the fault, and if the fault does not succeed, we simply power up the SoC and repeat the process.”
Chipmaker says product isn’t meant for finance
MediaTek told Ledger that electromagnetic fault injection attacks are “out of scope” for the MT6878 chip.
“Like many standard microcontroller circuits, the MT6878 chipset is designed for use in consumer products, not for applications such as finance or HSMs (Hardware Security Modules),” it said.
“It is not specifically hardened against EMFI hardware physical attacks. For products with higher hardware security requirements, such as hardware crypto wallets, we believe that they should be designed with appropriate countermeasures against EMFI attacks.”
Christen and Benito stated that they began working on the experiment in February and successfully exploited the chip’s vulnerability in the first days of May, at which point they disclosed the issue to MediaTek’s security team, who informed all the affected vendors.
Cointelegraph has reached out to MediaTek for further comment.
