Apple is indirectly responsible for a vulnerability affecting millions of Android smartphones. The security researchers at the checkpoints have already done that I discovered Vulnerability in an open source version of the ALAC Encryption Format, created by Apple in 2004 and available as an open source version Since 2011.
While Apple regularly updates the version of the ALAC format in its software and operating systems, open source code has not been fully traced. In fact, it hasn’t had a patch since… 2011. And this is a serious problem, as these libraries are found in many devices and apps on platforms other than Apple.
Qualcomm and MediaTek, two of the largest vendors of mobile chips for Android smartphones, are incorporating the open source version of ALAC into their audio decoders, which are used on more than half of phones worldwide. This is for devices running Android 8.1, 9.0, 10.0 and 11.0.
Checkpoint has determined that fraudsters can exploit a vulnerability in the open source ALAC to launch remote attacks on smartphones using a malicious audio file. Consequences range from installing malware to controlling device media data. It can go as far as listening to conversations.
Its discoverers have dubbed the vulnerability “ALHACK”. After upstream knowledge as the rule requires, Qualcomm and MediaTek published patches last December (CVE-2021-30351 in the first, CVE-2021-0674 and CVE-2021-0675 in the second), manufacturers should now stream as soon as possible. on their device if it hasn’t already. Checkpoint will provide full details of this vulnerability during the CanSecWest conference in May.
This story shows, however, that it is not enough to open the code to the community to ensure guaranteed security. If no one has done the task of updating it, then after a while, the weaknesses that were there appear in everyone who uses it.
“Hardcore beer fanatic. Falls down a lot. Professional coffee fan. Music ninja.”