A critical security weakness in MediaTek-powered Android phones could allow attackers to extract sensitive data within seconds, even if the device appears locked and powered down. The issue, demonstrated by Ledger’s Donjon security team, raises urgent questions about how keys and PINs are protected on devices that rely on a Trusted Execution Environment rather than a dedicated security chip.
Researchers Breach Phone Security in 45 Seconds
Ledger’s Donjon team used a CMF Phone 1 by Nothing to show how the vulnerability can be weaponized. By connecting the handset to a laptop, they bypassed Android entirely and, in roughly 45 seconds, recovered the device PIN, decrypted storage, and exfiltrated seed phrases from popular software cryptocurrency wallets. The exploit targets phones with MediaTek processors that implement Trustonic’s Trusted Execution Environment (TEE) for secure operations.
- Researchers Breach Phone Security in 45 Seconds
- How the Attack Works and Why It Still Matters
- Who Is at Risk on MediaTek-Powered Android Phones
- MediaTek Response and Patch Status Across OEMs
- Practical Steps to Reduce Risk Right Now
- TEE vs. Secure Elements: The Design Debate
- What to Watch Next as Patches Roll Out to Users
The flaw is tracked as CVE-2026-20435. Donjon says it followed responsible disclosure and notified MediaTek before publishing details. The demonstration underscores that the attack works pre-boot, meaning Android protections, lock screen policies, and USB debugging settings offer little resistance once the exploit is in play.
How the Attack Works and Why It Still Matters
Many MediaTek devices use a TEE—a protected area inside the main application processor—to store keys and handle sensitive cryptographic tasks. While isolated in software and privileged in hardware, the TEE still lives on the same silicon as the rest of the system. Donjon’s work shows that if an attacker can subvert early-boot or low-level trust anchors, they can potentially coerce the TEE into divulging secrets.
This is not a remote, over-the-air compromise; it requires physical access and a USB connection. But that does not make it niche. Phone theft, border searches, repair-shop mishandling, or targeted seizures are common real-world scenarios. If a device can be unlocked or decrypted at the pre-boot stage, data-at-rest safeguards, enterprise policies, and wallet protections can unravel quickly.
Who Is at Risk on MediaTek-Powered Android Phones
MediaTek chips power a vast share of Android phones across price tiers, from entry-level Helio series to flagship Dimensity platforms. According to Counterpoint Research, MediaTek has ranked among the top suppliers of smartphone application processors for multiple consecutive quarters, meaning the potential exposure spans millions of devices globally.
Models from major brands that have shipped MediaTek variants—including OPPO, vivo, OnePlus, and Samsung—could be affected if they use the impacted TEE implementation. MediaTek’s security bulletin enumerates specific processors; users should compare their chipset model and apply the latest device update as soon as it becomes available from the manufacturer.
MediaTek Response and Patch Status Across OEMs
MediaTek confirmed it provided a fix to device makers following Donjon’s report. As is typical in the Android ecosystem, the patch must be integrated by each OEM and delivered via a firmware update. Rollout timing will vary by brand and region, and some older models may not receive updates promptly—or at all—depending on lifecycle policies.
Users should check their phone’s system update menu and review security patch notes from their manufacturer. Enterprises should verify build fingerprints and firmware versions against MediaTek and OEM advisories before allowing at-risk devices to access sensitive corporate resources.
Practical Steps to Reduce Risk Right Now
Install the latest OEM and carrier updates immediately. If you use software-based crypto wallets, consider moving seed phrases to a hardware wallet or secure offline storage until your device is confirmed patched. Use a long alphanumeric passcode, disable OEM unlocking, and keep Find My Device enabled for remote lock or wipe in case of loss or theft. Where available, enable settings that restrict USB accessories until the device is unlocked—though this exploit’s pre-boot nature may limit the effectiveness of OS-level toggles.
For IT teams, enforce minimum firmware levels via mobile device management, disable USB data access when locked, and require strong device attestation for high-trust workflows. Assume physical-access attacks are in scope for executives, travelers, and staff handling regulated data.
TEE vs. Secure Elements: The Design Debate
The incident rekindles a long-running debate about storing secrets in a TEE on the main chip versus isolating them in a discrete security processor. Devices such as Google’s Pixel with Titan M2, Apple’s iPhones with Secure Enclave, and select Snapdragon-based phones with Qualcomm’s Secure Processing Unit exemplify the latter approach. Ledger’s researchers argue that purpose-built Secure Elements provide stronger resistance to physical and pre-boot attacks by separating critical keys from the application processor.
Donjon previously highlighted fault-injection weaknesses in the MediaTek Dimensity 7300, to which MediaTek responded that such lab-grade attacks fell outside the chipset’s intended threat model. The new finding suggests consumers and vendors may need to recalibrate expectations as attackers increasingly target silicon-level trust boundaries.
What to Watch Next as Patches Roll Out to Users
Expect OEMs to publish patch notes referencing the CVE and updated firmware builds for affected models. Security researchers will likely probe other TEE implementations for similar pre-boot exposures. In the meantime, the safest course is simple: update early, verify often, and keep the most sensitive secrets—like wallet seed phrases—off general-purpose smartphones unless you’re confident the device has received the fix.
