MediaTek-related bug leaves KitKat devices vulnerable

by: John DyeJanuary 29, 2016
802

MediaTek USB dongle

Although MediaTek is downplaying the effects, it seems a software bug has created a vulnerability on Android devices running Android 4.4 KitKat. Exploits taking advantage of the vulnerability could gain root access to the device, brick the phone, or spy on communications. MediaTek has confirmed that the bug exists and they say their security team is working to come up with solutions.

The bug was pointed out by security researcher Justin Case, who tweeted about the vulnerability’s existence earlier this month. Today MediaTek acknowledged that the potential for malicious exploits was real. The Taiwan-based chipmaker says that the vulnerability is the result of smartphone manufacturers failing to follow their instruction to disable the debug feature before shipping the smartphones. The company did not release the names of the manufacturers responsible, and as a result, we don’t know for sure which device models this bug affects.

Google LogoSee also: Google’s Vulnerability Reward Program paid Android researchers over $200,000 last year

Case summed up the bug and the way it could be exploited by saying, “[MediaTek has] ‘nerved’ the property space, they made it so these properties can be changed, and changed by anyone/app. A malicious app could set the ‘ro.secure’ property to 0, ro.debuggable one to 1, ro.adb.secure prop to 0 (this would mean ADB didn’t need authentication) and then enable the ADB over Wi-Fi property, and get a local root shell.”

Although a large number of devices currently on the market run Android 4.4 using these chips, the chipmaker is downplaying the impact. They have declined to estimate how many devices are affected, but they’ve said that they are taking steps to make sure all manufacturers are aware of this issue.

What does this mean for you? Are any of your devices potentially affected by this security vulnerability? What do you think of how MediaTek is handling the issue? Let us know your thoughts in the comments below!

Next: 15 best antivirus Android apps and anti-malware Android apps

  • nikolas ostropolskiy

    What?! Mediatek processors vulnerable? No way!

  • John

    In theory android one devices are excluded if it’s updated to 6.0.x but if left on 4.4.x kitkat big problems. That’s why it’s important to update your phone even if the new update have/has bugs, it’s inevitable.

    • SuperFist

      I’ve been rooting since I joined Android in 2012 and never had to worry about “exploits” and “bugs” in the system because I rarely update after rooting. Many updates break functionality and cause more issues so it’s best to be wary about these so called “security fixes” which sometimes incapacitate your smartphone experience by draining the battery faster, causing glitches that weren’t present before and other unforeseen anomalies. My policy of rarely updating has therefore served me well as I have avoided most of these pitfalls by doing so, enjoying a fairly flawless user experience on my phones for the duration I’ve owned them.

      • SnakeSplitskin

        But if you root your phone and use roms by XDA or others, don’t you run the risk of opening even more exploits while enjoying your flawless experience?

        • SuperFist

          Yes, you do; and I would be lying to you if I said this wasn’t the case. However, the chances are very slim if you know what you’re doing and are careful about where you receive your files and apks from. Similarly, is there a chance those planes overhead can fall out of the sky on you? Sure. But the likelihood of that happening is very, very slim so why be fearful about it? I believe this country encourages and advocates fear more than any other, convincing you of the things you “need” to prevent or reduce the chances of that fear becoming a reality to the point where it is a part of our culture.

  • Adithya Raman

    A large number of budget phones run on MediaTek. Even if they come up with an update, I doubt if most will get it on their phone.

  • dannyR

    Have you ever noticed that vulnerabilities are never discovered by research specialists in… China?