There may be more serious vulnerabilities in MediaTek processors than previously thought

Trustonic rejects claims of creating a vulnerability on MediaTek processors

Cybersecurity specialists at Trustonic stated that their software is not the source of the flaws found in devices with MediaTek chips. This could mean that a wider range of gadgets were affected by the issue than previously thought.

How the vulnerability was discovered
- The Donjon team (French company Ledger) identified the exploit.
- The exploit was demonstrated on the *Nothing CMF Phone 1* smartphone – the hack completed in 45 seconds without booting Android, simply by connecting the phone to a PC.
- After the attack engineers gained access to confidential data: the unlock PIN code and the wallet recovery phrase.

Why Trustonic claims innocence
1. Key component – Kinibi
- This is protected software from Trustonic that runs inside the smartphone’s TEE (Trusted Execution Environment).
- It protects PIN codes, encryption keys, and biometric information.
2. Testing on other chips
- Trustonic notes that Kinibi operates without issues on products from other SoC manufacturers using the same software version.
- Therefore, the vulnerability is tied exclusively to the MediaTek platform, not to Trustonic itself.
3. Update from MediaTek
- The company considers the Kinibi update unnecessary because fixes from MediaTek already address the problem.

What this means for the Android market
- The vulnerability could affect more devices than initially thought, as many smartphones use MediaTek chips and various TEE implementations.
- Trustonic emphasizes that their software is not used in all MediaTek device models, so accusations of a direct link to their product are unfounded.

Current positions of the parties
- Trustonic: denial of liability and acknowledgment that the issue is localized to the MediaTek platform.
- Ledger Donjon: has not yet provided additional comments on the use of Trustonic in the Nothing CMF Phone 1.