alac: Explained: What is the ALAC bug and how it left millions of Android devices exposed to attacks

Technology
By Krishna Rao
0

Apple developed an audio format called Apple Lossless Audio Codec (ALAC) in 2004 to use in iTunes. This audio format offered lossless data compression. The format was adopted by companies worldwide when Apple open-sourced it in 2011. Now a new report suggests that a bug in the ALAC can impact two-thirds of Android devices that were sold in 2021 and the unpatched devices are vulnerable to takeover by hostile attackers.
What is the ALAC bug?
According to a report by Check Point Research, Apple has continued updating its own ALAC version over the years, meanwhile, the open-source version has not been updated with any security fixes since it was announced in 2011. The lack of security fixes has allowed an unpatched vulnerability to be included in processors developed by Qualcomm and MediaTek.
What makes the bug so dangerous?
The report suggests that both MediaTek and Qualcomm have included the compromised ALAC code in their chipsets’ audio decoders. This vulnerability can be used by a hacker on a malformed audio file to initiate a remote code execution attack (RCE). For RCE attacks, hackers don’t need to have physical access to the target device and can execute the attack remotely. This makes RCE the most dangerous kind of hacking attack.
Hackers can gain control over a user’s media files and access the camera’s streaming functionality using the malformed audio file. This bug can also be used to give specific Android apps some additional permissions that will help the hacker with access to the user’s conversations. Considering MediaTek and Qualcomm’s market share in the global mobile chip, the report claims that this issue impacts two-thirds of all Android phones sold in 2021. However, both the companies issued fixes in December 2021 which were eventually sent downstream to the device manufacturers.
Another report by Ars Technica mentions that the vulnerability raises some serious questions about the steps that Qualcomm and MediaTek are taking to make sure the security of the code they are implementing. Hopefully, the seriousness of this mishap might instigate changes that will focus on keeping the users safe.

FOLLOW US ON GOOGLE NEWS

Related Posts

How is eBPF Revolutionizing Kubernetes Scaling

Seamless CI/CD Integration: The Role of Monitoring as Code

 

Read original article here

Denial of responsibility! TechnoCodex is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – [email protected]. The content will be deleted within 24 hours.

Continue Reading
Krishna Rao 42216 posts 0 comments

I'm a video editor and a YouTuber. Loves blogging, vegan, love socializing.

Leave a comment