Millions of Android devices exposed by Apple’s unpatched lossless codec flaw: researchers

Security researchers have discovered flaws in an audio codec that put millions of Android phones and other Android devices powered by MediaTek and Qualcomm chipsets at risk of compromise. The vulnerabilities stem from a codec created by Apple several years ago, and the open version has not been patched since the company opened the codec up 11 years ago for inclusion on non-Apple devices. By exploiting the flaws, an attacker could remotely access media and audio conversations on an Android phone, the researchers say.

According to a report by Check Point Research, a flaw in the Apple Lossless Audio Codec (ALAC) allows an attacker to achieve remote code execution (RCE) on a target smartphone by sending it a malformed audio file. An RCE attack can let the attacker take control of multimedia on the handset, including streaming video from the cameras and accessing the user’s media and conversations.

The security flaws were discovered in Apple’s ALAC codec, which the company open-sourced in 2011, allowing non-Apple devices to stream music in “lossless” quality using Apple’s previously proprietary codec. However, while Apple patched its own proprietary version of ALAC, the open source version was not patched, according to the researchers.

As a result, Qualcomm and MediaTek, the chipset makers that ported the vulnerable ALAC code into their audio decoders, left more than two-thirds of all smartphones sold in 2021 exposed to the flaws, which the researchers dubbed “ALHACK”. The vulnerabilities were responsibly disclosed to Qualcomm and MediaTek, who both acknowledged the issues and assigned Common Vulnerabilities and Exposures (CVE) identifiers to them. MediaTek assigned CVE-2021-0674 and CVE-2021-0675 (rated “Medium” and “High”, respectively), while Qualcomm assigned CVE-2021-30351 (rated “Critical”, 9.8 out of 10) to the ALAC flaws, before fixing them.

According to the researchers, the two companies released patches for the flaws included in the December 2021 Android security bulletin, which means that smartphone users who received the December security patches should be safe from the vulnerabilities. However, this excludes millions of users running outdated software or users who receive erratic security updates, putting them at risk of being compromised by attackers.
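As an added example (not from the Check Point report or this article), the patch-level check an administrator would run to see which managed devices already carry the December 2021 bulletin that includes the ALAC fixes. It assumes `adb` is installed and devices are authorised, reads the real Android property `ro.build.version.security_patch` (a `YYYY-MM-DD` string), and treats a missing or malformed value as unknown rather than as patched.

```shell
#!/bin/sh
# Added example: classify Android devices by security patch level against the
# December 2021 Android security bulletin (the one the article says carries the
# ALAC fixes). Pure shell date handling so the check runs on any POSIX sh.

ALAC_FIX_PATCH_LEVEL="2021-12-01"   # December 2021 bulletin date (from the article)

# iso_date_to_int 2021-12-05 -> 20211205 (caller has already validated the format)
iso_date_to_int() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    printf '%s%s%s\n' "$y" "$m" "$d"
}

# patch_level_is_fixed LEVEL
# exit 0: LEVEL is on or after the fix bulletin; 1: older (still exposed);
# 2: value missing or not an ISO date (unknown; do not assume it is safe).
patch_level_is_fixed() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    if [ "$(iso_date_to_int "$1")" -ge "$(iso_date_to_int "$ALAC_FIX_PATCH_LEVEL")" ]; then
        return 0
    fi
    return 1
}

# classify_patch_level LEVEL -> prints patched | unpatched | unknown
classify_patch_level() {
    if patch_level_is_fixed "$1"; then
        echo patched
    elif [ $? -eq 1 ]; then
        echo unpatched
    else
        echo unknown
    fi
}

# Sweep every device adb can see (assumption: adb present, devices authorised).
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "${level:-<none>}" "$(classify_patch_level "$level")"
    done
}

# Run the sweep only when invoked as "./alac_patch_check.sh scan".
if [ "${1:-}" = "scan" ]; then
    check_connected_devices
fi
```

A device reported as `unpatched` or `unknown` should be treated as still exposed to the ALAC flaws until its security patch level is confirmed.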
