Apple developed an audio format called Apple Lossless Audio Codec (ALAC) in 2004 to use in iTunes. This audio format offered lossless data compression. The format was adopted by companies worldwide when Apple open-sourced it in 2011. Now a new report suggests that a bug in the ALAC can impact two-thirds of Android devices that were sold in 2021 and the unpatched devices are vulnerable to takeover by hostile attackers.
What is the ALAC bug?
According to a report by Check Point Research, Apple has continued updating its own ALAC version over the years, meanwhile, the open-source version has not been updated with any security fixes since it was announced in 2011. The lack of security fixes has allowed an unpatched vulnerability to be included in processors developed by Qualcomm and MediaTek.
What makes the bug so dangerous?
The report suggests that both MediaTek and Qualcomm have included the compromised ALAC code in their chipsets’ audio decoders. This vulnerability can be used by a hacker on a malformed audio file to initiate a remote code execution attack (RCE). For RCE attacks, hackers don’t need to have physical access to the target device and can execute the attack remotely. This makes RCE the most dangerous kind of hacking attack.
Hackers can gain control over a user’s media files and access the camera’s streaming functionality using the malformed audio file. This bug can also be used to give specific Android apps some additional permissions that will help the hacker with access to the user’s conversations. Considering MediaTek and Qualcomm’s market share in the global mobile chip, the report claims that this issue impacts two-thirds of all Android phones sold in 2021. However, both the companies issued fixes in December 2021 which were eventually sent downstream to the device manufacturers.
Another report by Ars Technica mentions that the vulnerability raises some serious questions about the steps that Qualcomm and MediaTek are taking to make sure the security of the code they are implementing. Hopefully, the seriousness of this mishap might instigate changes that will focus on keeping the users safe.