MediaTek Dimensity 7300 flaw can expose Android PINs and wallet data in under a minute
A newly disclosed MediaTek security flaw can let a physical attacker break into some Android phones and recover highly sensitive data before Android even starts. Researchers say the issue can expose the device PIN, decrypt local storage, and pull crypto wallet recovery phrases from affected phones in about 45 seconds in a proof-of-concept attack.
The weakness sits in the boot ROM of the MediaTek Dimensity 7300, also known as MT6878. That matters because boot ROM is the first code that runs on the chip and it executes at the highest privilege level, well before Android loads. Ledger’s Donjon team says it achieved arbitrary code execution at EL3, which is the top hardware privilege level on the platform.
The attack is not remote. An attacker needs physical access to the phone, a wired connection, and specialized fault-injection equipment. Still, the result is serious because the compromise happens below the operating system, which lets an attacker bypass many normal Android protections. MediaTek says it issued fixes to device makers in January 2026 and that it is not aware of active exploitation in the wild at the time of its bulletin.
Ledger demonstrated the attack on the Nothing CMF Phone 1, which uses the Dimensity 7300. In public statements, Ledger CTO Charles Guillemet said researchers plugged the phone into a laptop and breached its foundational security within 45 seconds. Android Authority separately reported that the team recovered the PIN, decrypted storage, and extracted wallet data without booting Android.
Why this flaw matters
This is not a standard Android app bug. It targets the trust chain at the chip level. Ledger says smartphones can be lost or stolen, which means attackers do not always need malware or a remote exploit. If they can physically handle the device, early boot stages like boot ROM and bootloaders become a powerful target.
The bigger problem is durability. Ledger explains that boot ROM code is hard-coded into silicon, so the underlying hardware flaw itself cannot be fully removed with a normal software update. MediaTek can still reduce risk through mitigations and updated security logic delivered to OEMs, but the original silicon weakness remains a concern for affected hardware.
This also raises concerns for software wallets and other apps that rely on the phone as a trusted base. Reports on Ledger’s findings say the team extracted seed phrases from apps including Trust Wallet, Kraken Wallet, Phantom, Base, Rabby, and Tangem’s mobile wallet during testing. Those app-specific results come from reporting on the research rather than MediaTek’s own bulletin, so admins and users should treat the wallet list as proof-of-concept exposure, not as a vendor-issued compatibility matrix.
What the attack targets
| Item | Details |
|---|---|
| Chip | MediaTek Dimensity 7300 / MT6878 |
| Attack type | Electromagnetic fault injection during early boot |
| Access needed | Physical access, USB connection, specialized equipment |
| Main impact | PIN recovery, storage decryption, pre-OS compromise |
| Privilege level reached | EL3, the highest hardware privilege level |
| Demo device | Nothing CMF Phone 1 |
| Patch status | MediaTek says it sent fixes to OEMs in January 2026 |
| Exploitation status | MediaTek says it has no evidence of active exploitation |
Source basis: Ledger Donjon research, MediaTek January 2026 bulletin, and follow-up reporting.
How the attack works
Ledger says the researchers used electromagnetic fault injection, or EMFI, to disturb the chip during boot. The technique sends a timed electromagnetic pulse near the processor so execution goes off course at a critical moment. According to Ledger, that gave researchers a way to bypass early security checks and run code at the chip’s highest privilege level.
Because the compromise happens before Android starts, many protections in the operating system never get a chance to help. That is why the attack can reach secrets that users usually assume stay protected when the phone is locked or powered off.
What users and enterprises should do now
- Install the latest vendor and OEM security updates available for your phone. MediaTek says it provided patches to device makers in January 2026.
- Check whether your device uses the Dimensity 7300 or MT6878 chipset.
- Treat physical device access as a bigger risk than usual for affected models.
- Avoid storing high-value crypto seed phrases on a standard smartphone if you can use a dedicated hardware wallet instead. This reflects Ledger’s security guidance and threat model.
- Use a strong PIN and keep devices with you, especially while traveling or at public events.
- For enterprise fleets, track OEM patch rollout status rather than assuming the silicon vendor patch reached end users immediately.
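A fleet-triage sketch for the chipset and patch-rollout checks above. It is an added example, not code from Ledger, MediaTek or any OEM. It assumes you have collected `adb shell getprop` output per device, that the SoC name appears in one of the listed properties, and that the 2026-01-01 cut-off (taken from the January 2026 date above) is replaced with the patch level your OEM's advisory names.

```python
import re
from datetime import date

# Constructed `adb shell getprop` captures, one per device (not real devices).
SAMPLE_DUMPS = {
    "phone-a": "[ro.soc.model]: [MT6878]\n[ro.build.version.security_patch]: [2025-11-05]\n",
    "phone-b": "[ro.board.platform]: [mt6878]\n[ro.build.version.security_patch]: [2026-02-05]\n",
    "phone-c": "[ro.soc.model]: [SM8550]\n[ro.build.version.security_patch]: [2025-06-01]\n",
    "phone-d": "[ro.soc.model]: [MT6878]\n[ro.product.model]: [example]\n",
    "phone-e": "[ro.product.model]: [example]\n",
}

AFFECTED_SOC = "mt6878"  # chip named in the article (Dimensity 7300)
SOC_PROPS = ("ro.soc.model", "ro.board.platform", "ro.hardware")
PATCH_PROP = "ro.build.version.security_patch"
# Assumed cut-off: replace with the patch level from your OEM's own advisory.
MIN_PATCH = date(2026, 1, 1)
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(text):
    """Parse '[key]: [value]' lines into a dict, skipping anything malformed."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def triage(text):
    """Classify one device by SoC and reported Android security patch level."""
    props = parse_getprop(text)
    soc_values = [props.get(p, "") for p in SOC_PROPS]
    if not any(soc_values):
        return "unknown-soc"  # no SoC property captured: check by hand
    if not any(AFFECTED_SOC in v.lower() for v in soc_values):
        return "not-affected-soc"
    try:
        patch = date.fromisoformat(props.get(PATCH_PROP, ""))
    except ValueError:
        return "affected-soc-patch-unknown"
    # A recent patch string does not prove the boot-chain fix shipped.
    return "affected-soc-needs-update" if patch < MIN_PATCH else "affected-soc-verify-with-oem"


def triage_fleet(dumps):
    return {name: triage(text) for name, text in dumps.items()}


if __name__ == "__main__":
    for name, status in triage_fleet(SAMPLE_DUMPS).items():
        print(f"{name}: {status}")
```

Devices that land in `affected-soc-verify-with-oem` still need confirmation from the OEM's release notes, since the patch-level string alone does not show which vendor fixes a build includes.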
FAQ
No. The reported attack requires physical access to the phone, a USB connection, and specialized electromagnetic fault-injection hardware.
Not completely. Ledger says the flaw lives in boot ROM, which is etched into silicon. MediaTek has still issued patches and mitigations to OEMs that can reduce the practical attack path.
Ledger’s team demonstrated the attack on the Nothing CMF Phone 1, which uses the MediaTek Dimensity 7300.
MediaTek says it is not aware of active exploitation in the wild at the time of its January 2026 product security bulletin.
No, but affected users should take it seriously. This is a physical attack, not a mass remote worm. The bigger risk falls on stolen devices, targeted attacks, and people who store highly sensitive secrets such as wallet recovery phrases on their phones.