Security researchers said they uncovered a vulnerability that could have allowed hackers to commandeer hundreds of thousands of Android devices equipped with mobile chipsets made by Qualcomm and MediaTek.
The vulnerability resided in ALAC (short for Apple Lossless Audio Codec and also known as Apple Lossless), an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek had not been updated since 2011.
Together, Qualcomm and MediaTek supply mobile chipsets for an estimated 95 percent of US Android devices.
Remote bugging device
The buggy ALAC code contained an out-of-bounds vulnerability, meaning it retrieved data from outside the boundaries of allocated memory. Hackers could exploit this error to force the decoder to execute malicious code that would otherwise be off-limits.
“The ALAC issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file,” security firm Check Point said on Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.”
Check Point cited a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they’ve received a patch.
The ALAC vulnerability, tracked as CVE-2021-30351 by Qualcomm and as CVE-2021-0674 and CVE-2021-0675 by MediaTek, can also be exploited by an unprivileged Android app to escalate its system privileges to media data and the device microphone, raising the specter of eavesdropping on nearby conversations and other ambient sound.
The two chipset manufacturers submitted patches last year to either Google or to device makers, which in turn delivered the patches to qualifying users in December. Android users who want to know if their device is patched can check the security patch level in the OS settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. But many handsets still don’t receive security patches on a regular basis, if at all, and those with a patch level prior to December 2021 remain susceptible.
The vulnerability calls into question the reliability of the open-source code that Qualcomm and MediaTek use and their methods for maintaining its security. If Apple can update its proprietary ALAC codebase over the years to fix vulnerabilities, it’s concerning that the two chipset behemoths haven’t followed suit. The vulnerability also raises the question of what other open-source code libraries used by the chipmakers might be similarly outdated.
In a statement, Qualcomm officials wrote:
Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available.
MediaTek didn’t immediately respond to a message.
Check Point said that it will provide technical details of the vulnerability next month at the CanSecWest conference in Vancouver.