Android: Vulnerabilities in Apple Lossless Audio Codec (ALAC)

Security researchers from Check Point Research have discovered vulnerabilities in the Apple Lossless Audio Codec (ALAC). The vulnerabilities endanger the privacy of Android users because attackers can access user data. This affects devices with both MediaTek and Qualcomm CPUs.



Qualcomm and MediaTek, the largest manufacturers of cell phone chipsets, used vulnerable audio decoders in smartphones. Security researchers at Check Point Research (CPR) have discovered vulnerabilities in Qualcomm and MediaTek audio decoders. An attacker could have used them to gain access to media and audio calls. CPR estimates that more than two-thirds of all cell phones worldwide have been vulnerable at some point in recent years. The vulnerable portion is based on code that was released by Apple eleven years ago but has not been maintained.

The vulnerabilities were found in the Apple Lossless Audio Codec (ALAC), also known as Apple Lossless. ALAC is a well-known audio encoding format developed by Apple and first introduced in 2004 for lossless data compression of digital music. In late 2011, Apple made the codec available as open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and applications. These include Android-based smartphones, Linux and Windows media players, and converters.

Since then, Apple has updated the proprietary version of the decoder several times and fixed security vulnerabilities, but the shared open-source code has not been updated since 2011. Many third-party vendors use the Apple-provided code as the basis for their own ALAC implementations, and it is likely that many of them do not maintain the external code. CPR has found that Qualcomm and MediaTek, two of the world's largest mobile chipset manufacturers, have ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. According to IDC, a whopping 48.1 percent of all Android phones sold in the U.S. in the fourth quarter of 2021 were powered by MediaTek, while Qualcomm currently holds a 47 percent market share there.

The ALAC issues found by the researchers could be used by an attacker to launch a remote code execution (RCE) attack on a mobile device via a malformed audio file. RCE attacks allow a hacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from executing malware to taking control of a user's multimedia data, including streaming from an infected device's camera. Also, an Android application could exploit these vulnerabilities to elevate its privileges and gain access to media data and user conversations.

CPR shared the information with MediaTek and Qualcomm and worked closely with both vendors to ensure these vulnerabilities were fixed. MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities have already been fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm published the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin, and CPR has given users time to apply the patches. Until then, the devices were vulnerable.



Slava Makkaveev, reverse engineering & security research at Check Point Software Technologies, said, "We discovered a number of vulnerabilities that could be exploited for remote execution and privilege escalation on two-thirds of the world's mobile devices. The vulnerabilities were easily exploitable. A hacker could have sent a song (or any media file) and, when played by a victim, injected code into the privileged media service. The hacker could have seen what the cell phone user was seeing on their phone. In our proof of concept, we were able to steal the phone's camera stream. What is the most sensitive information on a phone? I think it's the media files: Audio and video. An attacker could have stolen them through these vulnerabilities. The vulnerable decoder is based on code released by Apple 11 years ago."

Note: CPR is not disclosing the technical details of its research findings at this time. Those details will be presented at the CanSecWest conference in May 2022. Details can be found in this blog post.

