Security researchers from Ledger have uncovered vulnerabilities in widely used smartphone chips that could allow attackers with physical access to bypass device protections and extract sensitive data in under a minute. The findings highlight risks for users who store crypto wallet credentials or other critical data directly on mobile devices.
The research comes from Ledger’s security unit, Ledger Donjon, which investigated the security of modern smartphone processors and discovered that certain hardware-level attacks can compromise the boot process before Android even starts.
According to the researchers, the flaw affects devices that rely on processors from MediaTek and the Trusted Execution Environment developed by Trustonic.
Exploit retrieves sensitive data in seconds
Ledger’s internal research team identified the vulnerability earlier this year. The issue allows an attacker with physical access to connect a compromised smartphone to a computer using a USB cable and bypass key security protections embedded in the device’s secure boot chain.
Charles Guillemet wrote on X that the exploit could retrieve sensitive data without even launching the Android operating system.
“Without ever even booting into Android, the exploit automatically recovered the phone’s PIN, decrypted its storage, and extracted the seed phrases from the most popular software wallets,” Guillemet said.
The attack demonstration targeted a Nothing CMF Phone 1 device. Researchers connected the phone to a laptop and compromised the system in about 45 seconds.
Once successful, the exploit allowed attackers to recover the device’s unlock PIN, decrypt internal storage, and extract crypto wallet credentials.
Researchers said the flaw could expose seed phrases from widely used mobile wallets such as Trust Wallet, Phantom, Kraken Wallet, Rabby Wallet, Tangem Mobile Wallet, and Base Wallet, because these applications store credentials locally on the device.
The vulnerability originates in the secure boot chain, which verifies system integrity before loading the operating system. Because this stage runs at the highest privilege level, a successful exploit grants attackers deep control over the device.
Hardware attack bypasses early boot protections
Ledger engineers also carried out a separate experiment on the MediaTek Dimensity 7300 system-on-chip, which powers many Android smartphones.
The team used electromagnetic fault injection to disrupt the chip during the earliest stages of its boot process. The technique involves sending short electromagnetic pulses to the processor while it executes instructions. If timed precisely, the pulses can cause the chip to skip or corrupt instructions.
Through this approach, researchers bypassed security checks that normally restrict access to memory operations. They eventually manipulated the processor’s execution flow and achieved arbitrary code execution at the most privileged processor level.
In practical terms, that level of access allows complete control over the smartphone.
The attack success rate ranged from 0.1% to 1%, but the researchers repeated the process by rebooting the device and injecting pulses repeatedly. This made a successful compromise possible within minutes.
Patch released, but some devices remain exposed
MediaTek released a patch for the earlier vulnerability in January after Ledger privately disclosed the findings. The update addressed flaws in the secure boot chain that allowed the USB-based exploit.
However, users who have not installed the latest security updates may still face potential exposure.
According to Ledger, about 25% of Android smartphones use MediaTek processors combined with Trustonic’s Trusted Execution Environment, which means the flaw could affect a significant portion of devices.
The scale of potential risk increases because many crypto users rely on smartphones to manage digital assets. Estimates cited by Ledger suggest roughly 36 million people manage crypto funds through mobile devices.
Smartphones remain vulnerable to physical attacks
Ledger’s research focuses on a broader security question: whether smartphones can safely store private cryptographic keys.
Mobile devices prioritize usability and general computing features. Hardware wallets, by contrast, focus solely on protecting cryptographic secrets.
Guillemet highlighted the architectural difference in his comments on X.
“Smartphones aren’t built for security. Even when powered off, user data - including pins & seeds - can be extracted in under a minute.”
The research also reinforces the argument that sensitive keys should be isolated in dedicated hardware.
“A dedicated Secure Element isolates secrets from the rest of the system, protecting them even under physical attack,” Guillemet wrote.
Ledger’s own security blog described how secure elements use specialized chips designed to resist hardware attacks such as fault injection. These chips follow security standards similar to those used in payment cards.
Research timeline and disclosure
The Ledger Donjon team began studying the smartphone chip vulnerabilities in February 2025 and achieved arbitrary code execution in the boot ROM by early May of the same year.
After confirming the exploit, the researchers reported the findings to MediaTek’s security team. The chipmaker notified device manufacturers and issued updates to address the issue.
MediaTek stated that electromagnetic fault injection attacks fall outside the standard threat model for consumer smartphone chips. The company noted that such processors are not designed with the same hardware protections used in specialized security devices such as hardware security modules.
Still, the findings illustrate how physical access to a smartphone can dramatically expand the range of possible attacks.
For crypto users and security engineers alike, the research serves as a reminder that software protections alone cannot fully secure devices that store valuable digital assets.
Anastasiia G
Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that, despite the nature of much of the material created and hosted on this website, HODL FM operates as a media and informational platform, not a provider of financial advisory services. The opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice, HODL FM strongly recommends contacting a qualified industry professional.
