According to The Block, the security research team Ledger Donjon has discovered an unfixable boot ROM vulnerability in the MediaTek Dimensity 7300 (MT6878) chip. Attackers can exploit electromagnetic fault injection (EMFI) techniques to inject precisely timed electromagnetic pulses during the device's boot-up phase, bypassing security checks to gain maximum privileges and steal the mnemonic phrases of cryptocurrency wallets stored in the device's memory.
The uniqueness of this vulnerability lies in its roots in the chip's read-only boot firmware, representing a hardware-level defect that cannot be patched through system updates, firmware patches, or software upgrades. This means that any device equipped with this chip, if it falls into the hands of an attacker, could face serious risks of key leakage.
This vulnerability has significant implications for users of Android hot wallets. Although the success rate of a single attack is only between 0.1% and 1%, under conditions of frequent device restarts, attackers could complete the breach within minutes. This directly undermines the assumption that so-called “Web3 phones” are secure at the device level, shifting the threat model from remote attacks to physical contact attacks.
MediaTek officially responded that EMFI attacks are not within the security design scope of this chip, and therefore no related protections are provided. Given that the attack requires physical contact, this vulnerability primarily poses a substantial threat to lost or stolen devices.
To mitigate risks, users are advised to take the following measures: First, migrate keys and mnemonic phrases to dedicated hardware wallets or independent devices with Secure Elements, which are designed to resist physical extraction and fault injection; second, avoid storing mnemonic phrases on the phone for extended periods, keeping only small transaction balances for daily spending, while large assets should be managed using cold wallets; third, promptly install system and security patches released by manufacturers, which, while not fixing the core vulnerability, can reduce other attack surfaces; finally, if it is necessary to use a wallet on an affected device, enable all system security features, ensure backups are stored offline, and immediately rotate any exposed keys after transferring funds.
This incident once again highlights that smartphones are not secure storage mediums for cryptocurrency assets. As Web3 applications become more widespread, users need to reassess their device trust models, prioritizing hardware wallets over relying on built-in phone features.