Explained: What is the ALAC bug and how it left millions of Android devices exposed to attacks – Times of India

Apple developed an audio format called Apple Lossless Audio Codec (ALAC) in 2004 for use in iTunes. The format offers lossless data compression, and it was adopted by companies around the world after Apple open-sourced it in 2011. Now a new report suggests that a bug in ALAC may affect two-thirds of the Android devices sold in 2021, and that unpatched devices are vulnerable to takeover by hostile attackers.
What is the ALAC bug?
According to a report by Check Point Research, Apple has continued to update its own ALAC version over the years, while the open-source version has not been updated with any security improvements since it was announced in 2011. The lack of security fixes allowed an unpublished vulnerability to be included in processors developed by Qualcomm and MediaTek.
What makes the bug so dangerous?
Reports suggest that both MediaTek and Qualcomm included the vulnerable ALAC code in the audio decoders of their chipsets. A hacker can use this vulnerability to launch a remote code execution (RCE) attack by means of a malformed audio file. For RCE attacks, hackers do not need physical access to the target device and can execute the attack remotely. This makes RCE the most dangerous type of hacking attack.
Using a malformed audio file, hackers can gain control over a user's media files and access the camera's streaming functionality. The bug can also be used to grant additional permissions to specific Android apps, which would help hackers access user interactions. Taking into account MediaTek's and Qualcomm's share of the global mobile chip market, the report claims that the problem affects two-thirds of all Android phones sold in 2021. However, both companies released fixes in December 2021, which were eventually shipped downstream to device makers.
Another report, by Ars Technica, says the vulnerability raises serious questions about the steps Qualcomm and MediaTek are taking to ensure the security of the code they ship. Hopefully, the severity of this bug will prompt changes that focus on keeping users safe.