Saturday, December 28, 2024
Millions of Android Devices Exposed by Unpatched Codec Flaw: Researchers


Security flaws in an audio codec have been uncovered by security researchers, leaving millions of Android phones and other Android devices powered by chipsets from MediaTek and Qualcomm at risk of being compromised by hackers. Stemming from a codec created by Apple several years ago, the vulnerabilities had been left unpatched since the company open-sourced the codec 11 years ago, for inclusion on non-Apple devices. By leveraging the security flaws, an attacker could remotely gain access to an Android phone's media and audio conversations, according to the researchers.

According to a report by researchers at Check Point Research, a flaw in the Apple Lossless Audio Codec (ALAC) from Apple allows an attacker to carry out a remote code execution (RCE) attack on a target smartphone after sending a malformed audio file. An RCE attack can allow the attacker to gain control of multimedia on the handset, including streaming video from the cameras and accessing media and user conversations.

The security flaws were found in Apple's ALAC codec, which was open-sourced by the company in 2011, allowing non-Apple devices to stream music in 'lossless' quality using Apple's previously proprietary codec. However, while Apple patched the proprietary version of the ALAC codec, the open-source version remained unpatched, according to the researchers.

As a result, chipset manufacturers Qualcomm and MediaTek ported the vulnerable ALAC codec to their audio decoders, resulting in over two thirds of all smartphones sold in 2021 being vulnerable to the security flaws, dubbed “ALHACK”, according to the researchers. The vulnerabilities were responsibly disclosed to Qualcomm and MediaTek, who both acknowledged the issues and assigned Common Vulnerabilities and Exposures (CVE) identifiers for the flaws. MediaTek assigned CVE-2021-0674 and CVE-2021-0675 (with ‘Medium’ and ‘High’ ratings, respectively), while Qualcomm assigned CVE-2021-30351 (with a ‘Critical’ rating of 9.8 out of 10) for the ALAC flaws, before patching them.

According to the researchers, both companies have issued patches for the flaws, included in the December 2021 Android security bulletin, which means that users with smartphones that received the December security patches should be safe from the vulnerabilities. However, this leaves out millions of users running outdated software, or users who receive erratic security updates, putting them at risk of being compromised by attackers.


