Research Shows MediaTek Phones Exposed to Weakness Threatening Wallets: Ledger

TLDR:

• Ledger uncovered a physical attack path that enables full control over MediaTek’s Dimensity 7300 chip.
• The flaw cannot be patched because the vulnerable boot ROM is hard-coded into the processor.
• Attackers with physical access can dump memory and run custom code at the chip’s highest privilege level.
• Mobile wallets face elevated risk because compromised devices expose private keys to hardware-level attacks.
  

Smartphone security has long centered on software threats, but new findings show a deeper risk inside the silicon. Ledger researchers revealed an “unpatchable” flaw in a recent MediaTek chip used widely across Android devices.

The issue allows full device compromise when attackers gain physical access to a lost or stolen phone. This raises new concerns for users who rely on mobile wallets for crypto self-custody.

Ledger Research Details Hardware Attack Path in MediaTek Chips

Ledger’s Donjon team evaluated the MediaTek Dimensity 7300 chip, which appears in many popular smartphones. 

The group focused on early boot stages where security controls enforce strict memory protections before Android loads. These controls are critical, since private keys stored on compromised devices could be exposed during low-level execution. 

According to Ledger’s blog, researchers found that attackers could bypass these safeguards with fault-injection techniques.

The Donjon team used electromagnetic fault injection to disrupt the boot ROM’s security checks. This approach targets instructions running at the chip’s highest privilege levels. 

Ledger’s blog reports that the attack let researchers read memory regions normally blocked by hardware filtering. The method produced full dumps of the boot ROM and associated system memory during startup.

With this information, the researchers explored paths to gain code execution inside the boot ROM. They targeted a WRITE command that restricts access to protected RAM. 

By timing electromagnetic pulses at precise intervals, the team bypassed the security filters and modified the return address on the boot ROM stack. This step allowed Return Oriented Programming, a technique often used in advanced exploitation.

Further testing showed that disabling the memory management unit let them execute custom code on the chip. Ledger noted that the attack succeeded once every few minutes due to rapid reboot cycles. This level of access granted full control at EL3, the processor’s highest privilege tier.

Mobile Wallets Face Elevated Risk From Physical Compromise

The flaw matters because smartphones remain central to everyday crypto use. Ledger’s blog highlights that lost or stolen phones expose users to hardware attacks beyond malware or remote exploits. 

Many mobile wallets rely on a phone’s secure execution environment, yet the discovery shows hardware defenses are still vulnerable to chip-level interference.

The MediaTek boot ROM cannot receive software patches because it is hard-coded into the processor. Ledger disclosed the issue to MediaTek in May 2025, and the company notified affected smartphone vendors. 

Devices using the Dimensity 7300 remain susceptible if attackers can open the phone and access the board directly.

The findings reinforce Ledger’s long-standing argument that critical private keys should reside in dedicated hardware wallets. The research also shows that even modern chips built on advanced process nodes remain exposed to physical manipulation. 

Wallet developers may need to reassess how mobile environments fit into their threat models.

The post Research Shows MediaTek Phones Exposed to Weakness Threatening Wallets: Ledger appeared first on Blockonomi.