Reports from Check Point Research are indicating that the Apple Lossless Audio Codec (ALAC), also known as Apple Lossless, currently has vulnerabilities that could potentially lead to an attacker getting remote access to an Android users media audio conversations.
The company reports that two of the largest mobile chipset manufacturers in the world, MediaTek and Qualcomm, use the ALAC audio coding within their widely distributed mobile handsets. The two companies have acknowledged the vulnerabilities, and have put in patches and fixes in response.
Apple Audio Codec and Android Vulnerabilities
It is important to note that Check Point Research has been in talks with MediaTek and Qualcomm. Check Point Research has informed all parties, and have been working in conjunction to fix the issue.
Check Point Research indicates that its researchers found issues that could be used by an attacker for a remote code execution attack (RCE). This can be done on a mobile device through a malformed audio file. RCE attacks find an attacker gaining remote access to execute malicious code on an electronic device. RCE vulnerability can range anywhere from malware execution to an attacker gaining control over a victim’s multimedia data. This can include streaming from the camera of a compromised machine.
The Apple Lossless Audio Codec, also known as Apple Lossless, is an audio coding format introduced by Apple in 2004. It is a means of lossless data compression in digital music.
Late 2011 saw Apple making the codec open source. This saw ALAC becoming embedded in numerous non-Apple audio playback devices and programs. This includes Android-based smartphones, as well as Linux and Windows media players and converters.
Making the Update
After making the codec public source, Apple has updated the proprietary version of the decoder several times. The company has applied fixes and patches for security issues, however, the shared code has not seen a patch since 2011, and this is where issues arise. Several third-party vendors use the basis of Apple’s code for their own ALAC implementations. Many of them do not maintain the external code.
Research shows that both Qualcomm and MediaTek ported the vulnerable ALAC code into their audio decoders. These decoders find themselves in more than half of all smartphones worldwide. The International Data Corporation states that as of Q4 2021, 48.1% of all Android phones sold in the U.S. have MediaTek components. On the other hand, Qualcomm holds 47% of the market.
The full technical details of this research will find release by Check Point Research during the CanSecWest conference. This conference goes from May 18 to the 20, 2022.
Releasing to open source is good. Updating only your internal code is bad, very bad.
Apple knows better than this and should get its a$$ in gear presto-quick to make sure that security issues in their contributed code are corrected