Mobile phone chipmaker MediaTek patched a vulnerability affecting its chipsets in January that could have allowed an attacker to steal crypto seed phrases on affected devices using only a USB cable and the right software.
The flaw was found by Ledger’s white-hat security team, Donjon, which shared the vulnerability with MediaTek before a patch was rolled out on Jan. 5, though users who haven’t installed the latest security patches are advised to do so, Ledger said.
Test device compromised in 45 seconds
According to Ledger, the flaw came from MediaTek’s secure boot chain, a security mechanism built into its chips that ensures a phone starts safely and only with authorized software during startup.
In a statement shared with Cointelegraph, Ledger explained that the flaw meant an attacker with access to an Android phone could connect it to a computer via USB and bypass security protections, potentially gaining access to sensitive data on the device, including crypto wallet seed phrases.
Around 25% of Android phones use the Trustonic Trusted Execution Environment (TEE) and MediaTek processors, which the security flaw exploits.
Donjon demonstrated the hack by connecting a Nothing CMF Phone 1 to a laptop and compromising the device’s security in roughly 45 seconds.
“Without ever even booting into Android, the exploit automatically recovered the phone’s PIN, decrypted its storage, and extracted the seed phrases from the most popular software wallets: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s Mobile Wallet and Phantom,” Ledger said.
While Ledger urged users to update their devices, a Ledger spokesperson told Cointelegraph they “do not anticipate this to be an ongoing concern.”
Mobile phones are never secure, Ledger says
With almost 36 million people managing digital assets on their phones as of early 2025, even a single vulnerability could put a large number of wallets at risk.
In December 2025, Ledger revealed that it tested an attack on the MediaTek Dimensity 7300 (MT6878), and bypassed its security measures to gain “full and absolute control over the smartphone, with no security barrier left standing.”
Ledger chief technology officer Charles Guillemet told Cointelegraph in June 2020 that mobile phones, whether Android or iPhone, are “very difficult to have secure applications.”
He reinforced a similar view on Wednesday, posting on X: “Smartphones aren’t built for security. Even when powered off, user data – including pins & seeds – might be extracted in under a minute.”
“This research highlights a fundamental architectural difference: General-purpose chips are built for convenience. Secure Elements are built for key security. A dedicated Secure Element isolates secrets from the rest of the system, protecting them even under physical attack,” he said.

