MediaTek's Security Nightmare: How a Nothing Phone Was Hacked in 45 Seconds (Except It Wasn't)
Sometime in late 2021, a story started bouncing around tech forums: a Nothing Phone was hacked in 45 seconds. Eavesdropping vulnerability. Terrifying chipset flaw. It had all the ingredients for virality — a trendy phone brand, a dramatic timeline, a threat that feels personal. One problem. It's wrong.

The real story is actually scarier than the myth. Four vulnerabilities in MediaTek's Dimensity chipsets, discovered by Check Point Research, could have allowed any unprivileged Android app to silently listen to your conversations. The Nothing Phone was never part of it. But the hundreds of millions of devices that were affected? That's what people should have been paying attention to.
What Check Point Actually Found
In 2021, Check Point Research identified four vulnerabilities in MediaTek's Dimensity system-on-chips. Three were assigned CVEs related to the audio Digital Signal Processor: CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663. A fourth, CVE-2021-0673, was found in the AI Processing Unit (APU). Chain them together and you've got an attack surface that should make anyone running a Dimensity chip uncomfortable.

The Check Point team reverse-engineered the MediaTek audio DSP firmware to get there. That's not a weekend project. It required deep understanding of how these specialized processors communicate with Android's application layer. What they found: a specially crafted app could send messages to the audio processor, execute code in the firmware, and intercept the audio stream.
Here's what that means in practice: a malicious app with zero special permissions could escalate privileges from the application layer to the system level, then hijack audio data flowing through the DSP. No microphone permission needed. No user interaction. Just a seemingly harmless app running in the background, capturing everything your phone's mic picks up.
BleepingComputer's Sergiu Gatlan covered the privilege escalation angle well. XDA's Adam Conway highlighted how deeply buried the vulnerability was — the fact that it took reverse-engineering DSP firmware to find it tells you something about what else might be lurking in there.
Having spent years working with systems where security boundaries between components are critical, I can tell you: the scariest vulnerabilities aren't the ones that need elaborate exploits. They're the ones where the attacker needs almost nothing to get started. An unprivileged app is the lowest bar imaginable.
The DSP Is the Real Attack Surface (and Nobody's Looking at It)
Most people think about phone security in terms of the main CPU and Android. Fair enough. But modern SoCs like MediaTek's Dimensity line contain multiple specialized processors, each running their own firmware. The audio DSP handles sound processing independently. The APU handles AI workloads. These aren't just co-processors. They're effectively separate computers with their own real-time operating systems, sharing memory and communication buses with the main system.

This is what made Check Point's findings so significant. The vulnerabilities weren't in Android. They weren't in an app. They were in firmware running on a separate processor that sits below the operating system. Most security tools don't even scan that layer.
If you've followed how prompt injection remains the top LLM vulnerability, you'll recognize the pattern: the most dangerous attack surfaces sit at trust boundaries between systems. Here, the trust boundary between Android's application framework and the audio DSP firmware was the gap.
And it goes beyond eavesdropping. Infosecurity Magazine's Kevin Poireault reported that the four vulnerabilities could be chained for both eavesdropping and arbitrary code execution. An attacker could use the audio DSP as a foothold to compromise other parts of the system. That's the nightmare scenario for any chip designer.
I've seen similar trust boundary issues in cloud architectures where separate services share infrastructure but don't properly validate cross-boundary communication. Same principle applies whether you're looking at an AWS outage caused by automation crossing blast radius boundaries or a phone chipset where the app layer can talk directly to DSP firmware. Implicit trust between components is a ticking time bomb.
The Nothing Phone Myth
So where did the Nothing Phone narrative come from? The Nothing Phone (1), released in 2022, uses a Qualcomm Snapdragon 778G+. Not a MediaTek Dimensity chip. It was never affected by these vulnerabilities. It couldn't have been — entirely different silicon.
My best guess: Nothing was a hot brand, MediaTek vulnerabilities were making headlines, someone connected dots that didn't exist, and the internet did what it does. Compelling but inaccurate story, amplified endlessly.
This kind of misattribution actually causes harm. Nothing Phone owners panicked while actual Dimensity device owners — the people who genuinely needed to update their devices — might have shrugged it off because they weren't hearing their brand mentioned.
The devices actually at risk were phones from Xiaomi, Oppo, Realme, Vivo, and dozens of other manufacturers shipping MediaTek silicon across hundreds of millions of handsets. According to Counterpoint Research, MediaTek was the largest smartphone chipset vendor in 2021, commanding over 40% of the global market. This isn't a niche problem. This is nearly half the Android ecosystem.
That's the real story. Not a trendy phone brand getting popped in 45 seconds. A chipmaker whose silicon powers close to half the world's smartphones shipping firmware with exploitable flaws in its audio processing pipeline.
The Patch Gap Problem
MediaTek handled the disclosure reasonably. Check Point informed them in stages — May, June, and July of 2021 — and MediaTek released patches in their October 2021 security bulletin. Three-to-five months from disclosure to patch. For hardware-level vulnerabilities, that's within industry norms. I've seen far worse.
But the patch reaching MediaTek is step one of a much longer journey. From there it flows to device manufacturers, who integrate it into their firmware builds, test it, and push it to devices. For flagships, that might happen within a few months. For mid-range and budget devices — which is exactly where Dimensity chips are most prevalent — updates can take six months to a year. If they arrive at all.
I've shipped enough software to know that the gap between "patch available" and "patch deployed" is where real-world risk lives. A vulnerability isn't fixed until the update is on the device. In the fragmented Android ecosystem, that's a much harder problem than any CVE.
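As an added, defender-side example (not from the original post or from Check Point's research): a small Python check that parses `adb shell getprop` dumps from a device fleet and flags MediaTek handsets whose reported security patch level predates the October 2021 bulletin. It assumes MediaTek platforms identify themselves with a `ro.board.platform` value beginning with `mt`, and that a patch level of 2021-10-01 or later carries those fixes; the dumps are constructed samples.

```python
import re
from datetime import date

# Assumption: the first security patch level that carries the October 2021
# MediaTek bulletin fixes for the audio DSP and APU CVEs.
MTK_FIX_LEVEL = date(2021, 10, 1)
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(dump: str) -> dict:
    """Turn `[key]: [value]` lines from `adb shell getprop` into a dict."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def assess(props: dict) -> str:
    """Classify one device: not-affected, patched, exposed, or unknown."""
    # Assumption: MediaTek SoCs report a platform string starting with "mt".
    platform = props.get("ro.board.platform", "").lower()
    if not platform.startswith("mt"):
        return "not-affected"
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown"  # missing or malformed level: never assume patched
    return "patched" if level >= MTK_FIX_LEVEL else "exposed"

def audit_fleet(dumps: dict) -> dict:
    """Map device label -> status for a batch of getprop dumps."""
    return {name: assess(parse_getprop(dump)) for name, dump in dumps.items()}

# Constructed sample dumps (not captured from real handsets).
SAMPLE_DUMPS = {
    "qualcomm-handset": "[ro.board.platform]: [sm7325]\n"
                        "[ro.build.version.security_patch]: [2021-08-05]\n",
    "mtk-unpatched": "[ro.board.platform]: [mt6893]\n"
                     "[ro.build.version.security_patch]: [2021-07-05]\n",
    "mtk-patched": "[ro.board.platform]: [mt6833]\n"
                   "[ro.build.version.security_patch]: [2022-01-05]\n",
    "mtk-no-level": "[ro.board.platform]: [mt6853]\n",
}

if __name__ == "__main__":
    for name, status in audit_fleet(SAMPLE_DUMPS).items():
        print(f"{name}: {status}")
```

A device that reports no patch level is deliberately classed as unknown rather than patched, since an absent property is exactly the case a fleet audit should surface.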
Same dynamic I've written about with security issues in vibe-coded applications. The vulnerability itself is only part of the story. The real risk lives in the deployment pipeline, the update cadence, whether the fix actually reaches the systems that need it.
What Comes Next
MediaTek's DSP vulnerabilities exposed a structural problem in mobile security that nobody has solved. We've gotten okay at securing the application layer. Android's permission model, Play Protect, monthly security patches — they address threats in the OS and app ecosystem. But firmware running on specialized processors inside the SoC? Still largely a black box.
Check Point had to reverse-engineer the DSP firmware to find these flaws. That means most security researchers, and virtually all security tools, aren't looking at this layer. Security through obscurity. Which is no security at all.
The most dangerous vulnerabilities aren't the ones everyone's scanning for. They're the ones hiding in the components nobody thinks to examine.
Google has been pushing harder on firmware security requirements through the Android Compatibility Definition. Qualcomm, MediaTek, and Samsung LSI are all investing more in secure boot chains and firmware integrity checks. But we're nowhere close to treating SoC firmware as a first-class security surface.
Here's my prediction: within the next two years, we'll see a major, actively exploited vulnerability in a mobile DSP or NPU that makes this MediaTek disclosure look tame. The attack surface is expanding fast. Every chip now has an AI accelerator, an image signal processor, a modem with its own firmware. Each one is a potential entry point sitting below the OS security model.
If you're building Android apps, audit your assumptions about what the OS actually protects you from. If you're in device manufacturing, push your silicon vendors hard on firmware security audits. And if you're sharing security news online, check which chipset is actually affected before you hit post. The Nothing Phone owners will thank you.