A new study by Check Point discovered vulnerabilities in the Apple Lossless Audio Codec (ALAC) format that could have allowed an attacker to remotely gain access to media and audio conversations on an affected device. ALAC is an audio coding format developed by Apple for lossless data compression of digital music.
Two of the largest mobile chipset manufacturers in the world, MediaTek and Qualcomm, used the ALAC audio coding in their widely distributed mobile handsets, putting millions of Android users’ privacy at risk.
Check Point claims that Qualcomm and MediaTek ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. The study claims that two-thirds of all smartphones sold in 2021 are vulnerable to this attack.
MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities were already fixed and published last year. Qualcomm released the patch for CVE-2021-30351 in the Qualcomm Security Bulletin last year.
The ALAC issues found by the researchers could be used by an attacker for a remote code execution (RCE) attack on a mobile device through a malformed audio file. RCE attacks allow an attacker to remotely execute malicious code on a computer.
The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera. An unprivileged Android app could also use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.