Thursday Dec 4 2025 05:40
Ledger, a prominent provider of crypto security solutions, has issued a warning regarding a severe, unfixable vulnerability discovered in the MediaTek Dimensity 7300 (MT6878) system-on-chip (SoC). This chip is widely integrated into smartphones, including the Solana Seeker, a device specifically marketed towards cryptocurrency users. The vulnerability could potentially allow malicious actors to gain complete control over the compromised device and, crucially, steal the private keys used to access cryptocurrency wallets.
Security engineers at Ledger, Charles Christen and Léo Benito, successfully executed an attack on the MediaTek Dimensity 7300, effectively bypassing all security measures. The result was, in their words, achieving "full and absolute control over the smartphone, with no security barrier left standing."
Christen and Benito explained that they were able to commandeer the chip’s functionality through the use of electromagnetic fault injection (EMFI) during the chip's initial boot sequence. Given that cryptocurrency wallets often rely on private keys – some of which are stored directly on smartphones for ease of access – a successful attack of this nature allows malicious actors to extract these keys and subsequently steal the associated cryptocurrency.
“There is simply no way to safely store and use one’s private keys on those devices,” Christen and Benito stated, highlighting the gravity of the situation.
Compounding the severity of the issue is the fact that this particular fault injection vulnerability cannot be addressed via a standard software update or patch. The flaw is embedded directly within the silicon of the smartphone's SoC, making it fundamentally unfixable. "Users stay vulnerable even if the vulnerability is disclosed," according to Christen and Benito.
While the initial attack success rate is relatively low, estimated between 0.1% and 1%, the engineers emphasized that the speed at which the attack can be repeatedly initiated means that an attacker will eventually gain access in "only a matter of a few minutes."
Their methodology involves repeatedly booting the device, attempting to inject the fault each time. "Given that we can try to inject a fault every 1 second or so, we repeatedly boot up the device, try to inject the fault, and if the fault does not succeed, we simply power up the SoC and repeat the process."
In response to Ledger's findings, MediaTek stated that electromagnetic fault injection attacks were considered "out of scope" for the MT6878 chip.
MediaTek further clarified that the chip "is designed for use in consumer products, not for applications such as finance or HSMs (Hardware Security Modules). It is not specifically hardened against EMFI hardware physical attacks. For products with higher hardware security requirements, such as hardware crypto wallets, we believe that they should be designed with appropriate countermeasures against EMFI attacks."
Christen and Benito detailed their research timeline, noting they began working on the experiment in February and successfully exploited the chip's vulnerability in early May. They promptly disclosed their findings to MediaTek's security team, who, in turn, notified all affected vendors.