Security researchers have uncovered a severe vulnerability in MediaTek-powered Android phones that allows sensitive user data to be stolen even when the device is turned off. Discovered by Donjon, the hardware security research team at crypto hardware wallet company Ledger, this flaw potentially affects millions of devices utilizing Trustonic’s Trusted Execution Environment (TEE).
MediaTek-Powered CMF Phone 1 Hacked in Just 45 Seconds
Ledger CTO Charles Guillemet stated that the team used Nothing’s CMF Phone 1 to demonstrate the exploit, gaining access to the phone’s protected data in less than a minute. By connecting the phone to a laptop, the team managed to bypass the device’s core security in just 45 seconds.
According to researchers, this exploit works without even needing to boot the Android operating system. The attack begins automatically as soon as the phone is connected to a computer. Through this method, an attacker can obtain the device’s PIN, decrypt storage, and export seed phrases (recovery keys) for popular cryptocurrency wallets.
Hardware Security Disparity: TEE vs. Dedicated Security Chips
Many MediaTek devices rely on the Trusted Execution Environment (TEE)—a secure area within the main processor—to protect sensitive data. In contrast, devices like Pixels, iPhones, and many Snapdragon-powered phones use dedicated hardware security processors such as Titan M2, Secure Enclave, or the Qualcomm Secure Processing Unit to keep information entirely separate from the main chip. Guillemet emphasizes that while general-purpose chips are built for convenience, dedicated security chips are specifically designed to protect against physical attacks.
Patch Status and Affected Brands
Identified as CVE-2026-20435, the vulnerability was reported to MediaTek before being made public. The company confirmed that it provided the necessary fixes to device manufacturers on January 5, 2026, and updates have begun rolling out. According to the processor manufacturer’s March security bulletin, affected processors are found in various models—ranging from entry-level to flagship—from brands including OPPO, vivo, OnePlus, and Samsung.
The Donjon team found similar vulnerabilities in the MediaTek Dimensity 7300 chipset last year, though MediaTek argued those attacks fell outside the chip’s intended threat model. It is currently unknown whether this new exploit has been used by malicious actors in the wild. What do you think about this vulnerability? Are you concerned about your data security, and which phone are you currently using?