mediatek security flaw
News

MediaTek Security Flaw Exposes Crypto Seeds in 45 Seconds

Rodrigo Minton
Rodrigo Minton
18 March 2026 4 Min Read
1 0

MediaTek patched a chipset vulnerability in January that let attackers steal cryptocurrency seed phrases in under a minute. Physical USB access and the right software. That’s all it took.

The MediaTek security flaw came from the company’s secure boot chain—a mechanism that’s supposed to ensure phones start safely with authorized software only. Ledger’s white-hat security team, Donjon, discovered the weakness and reported it to MediaTek before a patch rolled out January 5th. Users who haven’t installed the latest security updates remain exposed.

Donjon demonstrated the attack on a Nothing CMF Phone 1. Plugged into a laptop via USB. Compromised in 45 seconds. The phone never even booted into Android. The exploit automatically recovered the device PIN, decrypted storage, and extracted seed phrases from Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s Mobile Wallet, and Phantom.

Not ideal.

The vulnerability affects roughly 25% of Android phones—those running MediaTek processors with Trustonic’s Trusted Execution Environment. That’s millions of devices. The MediaTek security flaw meant an attacker with physical access could connect a phone to a computer, bypass security protections, and access sensitive data. Crypto wallet seed phrases included.

**How the Attack Worked**

Secure boot is supposed to be the foundation. It verifies that only trusted software runs when a phone starts. The MediaTek security flaw broke that chain. Once bypassed, the entire security model collapsed.

Attacker connects phone to laptop via USB. Runs exploit software. Secure boot fails to stop unauthorized code execution. PIN protection: bypassed. Storage encryption: broken. Seed phrases: extracted. Total time: under a minute.

Ledger tested the attack on MediaTek’s Dimensity 7300 chipset (model MT6878). They gained “full and absolute control over the smartphone, with no security barrier left standing.” Their words, not mine. In December, they revealed those test results. The patch came three weeks later.

**The Bigger Problem**

This isn’t the first time mobile security has failed crypto users. Won’t be the last.

Charles Guillemet, Ledger’s chief technology officer, put it plainly Wednesday: “Smartphones aren’t built for security. Even when powered off, user data—including pins & seeds—can be extracted in under a minute.”

I’ve said similar since 2020. Mobile phones, Android or iPhone, are difficult environments for secure applications. They’re general-purpose devices optimized for convenience, not key protection. The architecture doesn’t isolate secrets properly. Every app shares the same operating system. One breach in the boot chain and everything’s accessible.

Guillemet explained the fundamental issue: “General-purpose chips are built for convenience. Secure Elements are built for key protection.” Secure Elements isolate cryptographic keys from the rest of the system. They resist physical attacks. Standard mobile processors don’t.

Around 36 million people manage digital assets on phones as of early 2025. Even a single vulnerability puts significant wallet balances at risk. The MediaTek security flaw demonstrates why dedicated hardware wallets exist. Phones handle too many functions. Attack surface too large. One compromised component exposes everything.

**What Users Should Do**

Update immediately. January security patches from MediaTek close this specific vulnerability. Settings → Security → System Update. Install whatever’s pending.

But understand the limitation. Patching this flaw doesn’t make mobile wallets secure. It closes one attack vector. Others remain. Physical access will always pose risks for general-purpose devices.

Ledger’s spokesperson told media they “don’t anticipate this to be an ongoing issue” post-patch. That’s true for this specific exploit. The broader architectural weakness persists. Future researchers will find new ways to bypass mobile security. They always do.

For significant holdings, hardware wallets remain the standard. Secure Element chips. Isolated environments. Air-gapped from internet connectivity. Not perfect, but orders of magnitude better than trusting a phone’s secure boot chain.

**Disclosure Timeline**

Ledger discovered the vulnerability during routine chipset security testing. They contacted MediaTek privately before public disclosure. Responsible disclosure window allowed MediaTek to develop and deploy the January 5th patch. Users who enable automatic security updates received the fix within days. Manual update users: check now.

The affected wallets—Trust Wallet, Base, Kraken Wallet, Rabby, Tangem Mobile, Phantom—didn’t have software vulnerabilities themselves. The flaw sat deeper. Operating system level. Once secure boot failed, no app-level security mattered. Storage decryption bypassed. Everything readable.

**Industry Context**

Mobile chipset vulnerabilities appear regularly. Qualcomm patched similar issues in 2023 and 2024. Apple’s Secure Enclave faced scrutiny after 2022 research showed theoretical attack vectors. MediaTek joins a long list of processor manufacturers racing to patch boot chain weaknesses.

The difference with crypto: irreversibility. Bank account compromised? Fraud protection might recover funds. Seed phrase stolen? Attacker drains the wallet. No reversal mechanism. No customer support line. The 12 or 24 words are the money.

That’s why hardware wallet makers spend years hardening Secure Element implementations. Why they undergo Common Criteria certification. Why they use tamper-resistant chips that physically destroy keys under attack. General-purpose phone processors can’t match that threat model.

Question is whether the 36 million mobile wallet users understand the risk. Most don’t. They see “encrypted storage” and “biometric security” and assume protection. This vulnerability proves otherwise. Encryption means nothing if the decryption key is extractable. Biometrics fail when boot security is bypassed.

**What’s Next**

MediaTek’s patch stops this specific attack. Security researchers will probe for the next weakness. The cycle continues.

For users storing serious value on phones: migrate to hardware wallets. For small amounts and daily transactions: update immediately and enable auto-updates. For everyone: understand that convenience and security remain opposing forces.

Ledger’s research serves as reminder. Mobile phones are computers. Computers are hackable. Always have been.

Patch deployed. Vulnerability closed. Next exploit: just a matter of time.

Share Article

Rodrigo Minton

Rodrigo Minton

Rodrigo Minton is a cryptocurrency analyst and blockchain technology writer. Having followed the digital asset space since the early days of Bitcoin, he specializes in breaking down crypto market trends, DeFi innovations, and regulatory developments. Rodrigo's passion lies in making blockchain technology accessible to mainstream audiences while maintaining technical accuracy. His work focuses on identifying emerging projects, analyzing token economics, and exploring the intersection of traditional finance and digital assets. Outside of crypto, Rodrigo is an avid traveler and amateur photographer.

  • bitcoinBitcoin (BTC) $ 73,968.00 0.06%
  • ethereumEthereum (ETH) $ 2,315.31 0.3%
  • tetherTether (USDT) $ 1.00 0.01%
  • xrpXRP (XRP) $ 1.51 0.15%
  • bnbBNB (BNB) $ 672.34 0.37%
  • usd-coinUSDC (USDC) $ 0.999900 0%
  • solanaSolana (SOL) $ 93.79 0.17%
  • tronTRON (TRX) $ 0.303518 0.43%
  • staked-etherLido Staked Ether (STETH) $ 2,265.05 3.46%
  • cardanoCardano (ADA) $ 0.287360 0.06%
  • avalanche-2Avalanche (AVAX) $ 10.22 0.64%
  • the-open-networkToncoin (TON) $ 1.33 0.51%