Key Insights
- Ledger’s Donjon team discovered a vulnerability in the MediaTek Dimensity 7300 chip, showing that electromagnetic fault injection can bypass boot-level security and compromise smartphone-based crypto wallets.
- The attack allowed researchers to dump memory, disable security controls, and run code at the processor’s highest privilege level.
LONDON (MarketsXplora) — Ledger has warned that a newly discovered vulnerability in a widely used Android smartphone processor could place users of software-based web3 wallets at risk if attackers gain physical access to their devices.
The firm’s Donjon security team said it successfully demonstrated that a hardware fault-injection technique could bypass core protections in the MediaTek Dimensity 7300 (MT6878) chipset — a component found across numerous consumer Android models. Ledger stressed that its findings do not affect its own hardware wallets but reinforce the risks of relying on smartphone “hot wallets” to safeguard digital assets.
Electromagnetic Fault Injection Exposes Boot-Level Weaknesses
In research published Wednesday, Ledger detailed how the Donjon team examined whether electromagnetic fault injection (EMFI) could compromise the earliest stages of the chip’s boot process. While software vulnerabilities on smartphones have long been scrutinized, Ledger said physical attack vectors remain too often overlooked, especially given how frequently phones are lost or stolen.
Using open-source tools, the team showed that carefully timed electromagnetic pulses could disturb the chip’s boot ROM — the first, highest-privilege code executed when the device powers on. The disturbances caused the ROM to produce a linear dump of its memory and working RAM, giving researchers deep visibility into its internal behavior and revealing a viable attack path.
The team then used EMFI to bypass filtering in the chip’s write command, ultimately overwriting the return address on the boot ROM’s stack. This redirected execution flow, disabled the memory management unit, and allowed Ledger to run arbitrary code at EL3 — the processor’s most privileged level. Despite a low success rate of 0.1% to 1%, the attack could be repeated within minutes because the device can be rebooted continuously.
Ledger said the results confirm that even advanced smartphone processors remain susceptible to physical compromise. “This experiment confirmed what we very strongly suspected, namely that even complex chips built on the most advanced process nodes can be vulnerable to fault injection,” the researchers wrote, emphasising that secure elements — the hardened chips used in dedicated hardware wallets — remain critical for digital self-custody.
The vulnerability was disclosed to MediaTek in May. Ledger said the chipmaker responded quickly and notified affected manufacturers. MediaTek’s own assessment noted that EMFI attacks fall outside the security scope of the MT6878 chipset, which is intended for consumer devices rather than financial or hardware-security-module applications. It added that high-security products, such as crypto hardware wallets, are expected to include dedicated countermeasures.
Ledger said its findings strengthen the case for using dedicated secure hardware at a time when both digital and physical threats to crypto ownership continue to escalate.

