beautiful pictures
Security researchers say they have discovered a vulnerability that could allow hackers to take control of millions of Android devices powered by mobile chipsets manufactured by Qualcomm and MediaTek.
The vulnerability resides in ALAC – which stands for Apple Lossless Audio Codec and is also known as Apple Lossless – which is an audio format introduced by Apple in 2004 to provide lossless audio over the Internet. While Apple has been updating its proprietary version of the codec to fix security vulnerabilities for years, an open source version used by Qualcomm and MediaTek hasn’t been updated since 2011.
Together, Qualcomm and MediaTek provide mobile chipsets for a estimates 95 percent of US Android devices.
Remote eavesdropping device
The error ALAC code contains a The hole is out of bounds, that is, it gets data from outside the bounds of the allocated memory. Hackers can exploit this mistake to force the decoder to execute malicious code that would otherwise be out of bounds.
“The ALAC issues that our researchers discovered can be used by attackers to attack remote code execution (RCE) on mobile devices via malformed audio files.” Check Point security company say on Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malicious software execution to an attacker gaining control of a user’s multimedia data, including streaming from the compromised machine’s camera. offense”.
Check Point cites a researcher who has suggested that two-thirds of all smartphones sold in 2021 are vulnerable unless they receive a patch.
The ALAC vulnerability — tracked as CVE-2021-30351 by Qualcomm and CVE-2021-0674 and CVE-2021-0675 by MediaTek — can also be exploited by a privileged Android application to elevate the system privileges of the device. it for the device’s microphone and media data, raising the specter of eavesdropping on nearby chats and other ambient sounds.
Last year, two chipset manufacturers submitted patches to Google or to device manufacturers, which sent patches to eligible users in December. Android users want to know if their devices patched or not can check security patch level in operating system settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. But many handsets still don’t receive regular security patches, and those with patch levels before December 2021 are still vulnerable.
The security hole raises questions about the reliability of the open source code that Qualcomm and MediaTek use and their methods of maintaining security. If Apple can update its proprietary ALAC codebase over the years to fix vulnerabilities, it has something to do with the two chip giants’ failure to comply. The vulnerability also raises questions about whether other open source libraries used by chipmakers could be similarly outdated.
In a statement, Qualcomm officials wrote:
Delivering powerful privacy and security-enabled technologies is a priority for Qualcomm Technologies. We commend security researchers from Check Point Technologies for using industry-standard coordinated disclosure methods. Regarding the ALAC audio codec issue they disclosed, Qualcomm Technologies made the patches available to device manufacturers in October 2021. We encourage end users to update their devices as soon as possible. security updates are available.
MediaTek did not immediately respond to messages.
Check Point says it will Provide technical details of the vulnerability next month at Conference CanSecWest in Vancouver.
