Check Point Research has identified vulnerabilities in the ALAC format which is used by the largest mobile chip manufacturers, Qualcomm and MediaTek. The vulnerability dubbed "ALHACK" could have led an attacker to remotely get access to its media and audio conversations.
Qualcomm and MediaTek, two of the largest mobile chipset makers in the world, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. Both chips manufacturers, used the ALAC audio coding in their widely distributed mobile handsets, putting millions of Android users’ privacy at risk.
What is ALAC?
ALAC is an audio coding format developed by Apple Inc, known as Apple Lossless Audio Codec (ALAC), aka Apple Lossless. Apple introduced ALAC in 2004 for lossless data compression of digital music and later on the company made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, Linux and Windows media players, and converters.
After Apple make the ALAC code open source in 2011, the shared code has not updated. Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code.
Outdated codec leads to RCE in millions of devices
According to the Check Point Research, attackers can gain remote code execution on a mobile device through a malformed audio file. RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.
An unprivileged Android app could also exploit these vulnerabilities to escalate its privileges and gain access to media data and user conversations.
Qualcomm and MediaTek acknowledged the vulnerabilities flagged by CPR, putting patches and fixes in response. CPR noted that MediaTek assigned CVE-2021-0674 and CVE-2021-0675 and Qualcomm assigned CVE-2021-30351 to this issue. Both chip manufacturers have released the fix and published it in the December 2021 MediaTek Security Bulletin and Qualcomm Security Bulletin.