How Hackers Can Hijack Your Device Without You Knowing – MediaTek’s RCE Flaw Explained

MediaTek’s January 2025 Product Security Bulletin has highlighted a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2024-20154, which affects millions of devices using MediaTek chipsets. This vulnerability is present in the modem firmware and can be exploited without requiring user interaction or elevated privileges.

How CVE-2024-20154 Can Be Exploited

CVE-2024-20154 is a Critical Remote Code Execution (RCE) vulnerability that enables attackers to exploit devices in the following manner:

1. Exploitation Method:

  • Rogue Base Station Attack:
    • The flaw can be exploited by an attacker setting up a rogue base station, which masquerades as a legitimate cellular network.
    • A victim’s device (referred to as User Equipment or UE) unknowingly connects to this rogue base station.
    • Once the connection is established, the rogue station exploits the stack overflow vulnerability in the device’s modem firmware.
  • No User Interaction Needed:
    • This exploit does not require any action by the user, such as clicking a link or installing an application. The victim only needs to be within range of the rogue base station.
  • No Elevated Privileges Needed:
    • The attacker does not need elevated privileges to exploit the flaw. The vulnerability exists at the firmware level, giving attackers the ability to bypass security protections in higher layers of the system.

2. Steps an Attacker Might Use:

  1. Set Up Rogue Base Station:
    • Attackers configure a fake cellular tower using specialized software and hardware, which can be set up with easily accessible tools.
    • The rogue base station advertises itself as a legitimate cellular provider, tricking nearby devices into connecting to it.
  2. Trigger Stack Overflow:
    • Once the device connects, the rogue base station sends malformed network packets designed to exploit the stack overflow vulnerability in the modem firmware.
  3. Inject Malicious Code:
    • The attacker injects arbitrary code into the device’s modem, gaining full control over the modem’s functionalities.
    • This can include modifying device communication, eavesdropping on calls and messages, or disabling network access.
  4. Take Control:
    • Once control over the modem firmware is achieved, attackers can execute commands, exfiltrate data, or even propagate malware to other devices connected to the same network.

3. Potential Exploitation Scenarios:

  • Eavesdropping:
    • Attackers could intercept and listen to calls, read text messages, and monitor internet traffic.
  • Data Exfiltration:
    • Sensitive data such as credentials, personal information, or financial data could be stolen without the user’s knowledge.
  • Device Hijacking:
    • Attackers may fully take control of the device’s modem to disrupt communication or use the device as part of a botnet.
  • Propagation of Malware:
    • Compromised devices could be used to distribute malware to other devices connected to the same rogue base station or network.

Why This Exploit is Dangerous:

  • Broad Attack Surface:
    • The vulnerability affects over 40 MediaTek chipset models, impacting millions of devices across smartphones, IoT devices, tablets, and even smart TVs.
  • No Interaction Needed:
    • Exploits that require no user interaction are harder to detect and mitigate in real-time.
  • Wide Attack Range:
    • The exploit only requires physical proximity to the victim, making it feasible for attackers to target devices in crowded areas like airports, malls, or stadiums.

Additional Vulnerabilities Addressed

MediaTek’s bulletin also addressed other vulnerabilities, categorized as high severity:

  • Power Management:
    • CVE-2024-20140: An out-of-bounds write issue that could lead to local privilege escalation.
  • Digital Audio Subsystem:
    • CVE-2024-20143, CVE-2024-20144, CVE-2024-20145: These flaws may allow unauthorized access to sensitive data or system functions.
  • WLAN Driver:
    • CVE-2024-20146, CVE-2024-20148: Vulnerabilities leading to remote code execution.
  • M4U Subsystem:
    • CVE-2024-20105: An out-of-bounds write issue enabling local privilege escalation.

Mitigation

MediaTek has:

  • Notified OEMs: Device manufacturers have been informed of these vulnerabilities.
  • Released Security Patches: Updates have been provided to address these flaws.

Recommendations for Users

  1. Check for Updates:
    • Ensure that your device’s firmware and software are updated to the latest version.
  2. Patch Immediately:
    • Apply security patches released by the manufacturer to mitigate these risks.
  3. Avoid Untrusted Networks:
    • Be cautious about connecting to unknown or suspicious cellular networks.
  4. Security Monitoring:
    • Use network monitoring tools or mobile device management solutions to detect abnormal device behavior.

CVE-2024-20154 highlights the importance of securing chipset firmware and deploying timely patches. The broad attack surface, combined with the ease of exploitation, makes this vulnerability especially dangerous. Users and manufacturers must act swiftly to secure devices and prevent potential exploitation.