New Check Point security research, dubbed ALHACK, reveals vulnerabilities in the ALAC audio decoders of Qualcomm and MediaTek chips. The vulnerabilities could grant threat actors remote access to the media and audio conversations on affected devices.
The ALAC audio coding format is used by the two large mobile chipset manufacturers in their mobile handsets, and the flaws could put the privacy of millions of Android users at risk, the report said. Furthermore, two thirds of all smartphones sold in 2021 are vulnerable. Fortunately, both manufacturers acknowledged the issues and released patches and fixes in response to the discovery.
The ALAC Format in Qualcomm and MediaTek Chipsets Vulnerable
First of all, what is the ALAC format? The format, also known as Apple Lossless, is an audio coding format developed by Apple Inc. It was first introduced in 2004 to serve the purposes of lossless data compression of digital music. It is noteworthy that Apple made it open-source in 2011, and since then, the format has been embedded in many non-Apple audio playback devices and programs, such as Android, Linux and Windows media players and converters.
“Since then Apple has been updating the proprietary version of the decoder several times, fixing and patching security issues, but the shared code has not been patched since 2011. Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code,” Check Point noted.
It turns out that two of the largest mobile chip manufacturers in the world, Qualcomm and MediaTek, used the vulnerable ALAC code in their audio decoders. The latter are included in more than half of the smartphones sold worldwide. “According to IDC, 48.1% of all Android phones sold in the US are powered by MediaTek as of Q4 2021, while Qualcomm currently holds 47% of the market,” the researchers said.
The Vulnerabilities Could Allow Remote Code Execution
Check Point discovered that the vulnerabilities could be used in remote code execution (RCE) attacks on mobile devices using a malformed audio file. Furthermore, an unprivileged Android app could also use the weaknesses to escalate its privileges and obtain access to media data and user conversations.
MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. “The vulnerabilities were already fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin,” the report noted.
Here is a summary of the ALAC vulnerabilities:
- CVE-2021-0674, with a CVSS score of 5.5, affects MediaTek chipsets. Improper input validation in the ALAC decoder could lead to information disclosure without any user interaction.
- CVE-2021-0675 has a CVSS score of 7.8 and also affects MediaTek. It has been described as a local privilege escalation issue in the ALAC decoder originating from an out-of-bounds write.
- CVE-2021-30351 has a CVSS score of 9.8 and affects Qualcomm. It is an out-of-bounds memory access issue caused by improper validation of the number of frames being passed during music playback.
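The bug class named in these entries, a frame count taken from the file and used without checking it against the real buffer sizes, can be illustrated with the validation a decoder needs before it touches memory. This is an added sketch, not code from Apple's ALAC source or from Qualcomm or MediaTek; the `pkt_header` layout, the accepted field ranges and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical packet header; every field is untrusted file data. */
typedef struct {
    uint32_t num_frames;        /* frames the file claims this packet holds */
    uint8_t  channels;          /* accepted range here: 1..8 */
    uint8_t  bytes_per_sample;  /* accepted range here: 2..4 */
} pkt_header;

enum { DEC_OK = 0, DEC_BAD_HDR = -1, DEC_TOO_BIG = -2, DEC_SHORT_IN = -3 };

/* Output size implied by the header, with overflow-safe multiplication. */
static int required_bytes(const pkt_header *h, size_t *need)
{
    if (h->channels < 1 || h->channels > 8) return DEC_BAD_HDR;
    if (h->bytes_per_sample < 2 || h->bytes_per_sample > 4) return DEC_BAD_HDR;
    size_t frame = (size_t)h->channels * h->bytes_per_sample;  /* at most 32 */
    if (h->num_frames == 0 || h->num_frames > SIZE_MAX / frame) return DEC_BAD_HDR;
    *need = (size_t)h->num_frames * frame;
    return DEC_OK;
}

/* Validates the declared frame count against the real buffer sizes before
   touching memory. memcpy stands in for the actual sample decoding. */
int decode_packet(const pkt_header *h, const uint8_t *in, size_t in_len,
                  uint8_t *out, size_t out_cap, size_t *written)
{
    size_t need;
    int rc = required_bytes(h, &need);
    if (rc != DEC_OK) return rc;
    if (need > out_cap) return DEC_TOO_BIG;   /* would write past out[] */
    if (need > in_len)  return DEC_SHORT_IN;  /* would read past in[] */
    memcpy(out, in, need);
    *written = need;
    return DEC_OK;
}

/* Constructed harness: 64-byte input and output buffers, header from args. */
int try_packet(uint32_t frames, uint8_t channels, uint8_t bps, size_t in_len)
{
    static uint8_t in[64], out[64];
    pkt_header h = { frames, channels, bps };
    size_t written = 0;
    if (in_len > sizeof in) in_len = sizeof in;
    return decode_packet(&h, in, in_len, out, sizeof out, &written);
}
```

Removing the two `need >` comparisons leaves a decoder that trusts the file's frame count, which is the out-of-bounds pattern the entries above describe.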
In 2020, security researchers disclosed the so-called Achilles vulnerability in Qualcomm chipsets that affected Android devices. More specifically, Achilles is a collection of over 400 bugs in the embedded Qualcomm chipsets. The core of the issues was a disruption in the DSP processor functions that could lead to improper handling of the most important features of the Android device: process execution, charging and multimedia execution.