Apple’s open source technology puts hundreds of millions of Android devices at risk of RCE
Apple Lossless Audio Codec (ALAC for short) is a lossless audio codec that Apple launched in 2004. Apple open sourced the technology in 2011 under the Apache 2.0 license.
Before it was open sourced, ALAC was mainly used on Apple’s own iPod, iPhone, Mac and other devices. The open source ALAC has since been adopted by many manufacturers on non-Apple devices.
Although Apple open-sourced ALAC, over the years Apple has only improved the proprietary version of the codec, and the open-source version has not been updated in the past 11 years. As we all know, a project that goes unmaintained for a long time carries risk.
Researchers at cybersecurity firm Check Point have discovered a critical vulnerability in the open-source ALAC that could allow attackers to conduct remote code execution (RCE) attacks on affected devices. MediaTek and Qualcomm, two major mobile chip makers, both use the code in their audio codecs.
According to a survey by a market research firm in Q4 2021, MediaTek and Qualcomm currently hold the largest and second-largest shares of the mobile chip market, with a combined market share of more than 60%. Because of this, Check Point expects that two-thirds of Android phones sold in 2021 are affected by this vulnerability (not counting older Android models).
According to IDC’s statistics on mobile phone shipments, global mobile phone shipments in 2021 were 1.35 billion units. Excluding Apple, that still leaves 1.1 billion units. By a rough calculation, the number of affected Android phones exceeds 700 million units (quantities in the figure below are in “millions”).
Check Point said the vulnerability, called ALHACK, puts the privacy of Android users at risk. These vulnerabilities can be triggered by specially crafted audio files, which can lead to remote code execution.
Check Point explained in a blog post:
The impact of RCE vulnerabilities ranges from malware execution to attackers gaining control over a user’s multimedia data. Additionally, an unprivileged Android app could exploit these vulnerabilities to elevate its privileges and gain access to media data and user sessions.
MediaTek and Qualcomm released a patch in December 2021 to fix the vulnerability (Qualcomm rated the severity of the vulnerability at 9.8 out of 10).
According to MediaTek, the vulnerability affects dozens of MediaTek chips used in devices running Android versions 8.1, 9.0, 10.0 and 11.0.
Users who are familiar with Android know that Android version updates and security fixes are seriously fragmented. Google and chip manufacturers cannot push these updates directly.
Updating Android phones is usually the responsibility of each manufacturer, and in general only products from major manufacturers, such as Google’s own Pixel and Samsung, have been updated in recent years.
But then again, Qualcomm and MediaTek, as the two largest mobile chip manufacturers in the market, have no shortage of talent or financial resources, yet they do not contribute to the code they rely on, and it seems that they have not strictly reviewed the security of the relevant code.