
Millions on Android Devices Exposed by Unpatched Codec Flaw: Researchers


Security flaws in an audio codec have been uncovered by security researchers, leaving hundreds of thousands of Android phones and other Android devices powered by chipsets from MediaTek and Qualcomm vulnerable to being compromised by hackers. Stemming from a codec created by Apple several years ago, the vulnerabilities have been left unpatched since the company open-sourced the codec 11 years ago, for inclusion on non-Apple devices. By leveraging the security flaws, an attacker could remotely gain access to an Android phone’s media and audio conversations, according to the researchers.

According to a report by researchers at Check Point Research, a flaw in the Apple Lossless Audio Codec (ALAC) allows an attacker to perform a remote code execution (RCE) attack on a target smartphone after sending a malformed audio file. An RCE attack can allow the attacker to gain control of multimedia on the handset, including streaming video from the cameras and accessing media and user conversations.

The security flaws were found in Apple’s ALAC codec, which the company open-sourced in 2011, allowing non-Apple devices to stream music in ‘lossless’ quality using Apple’s previously proprietary codec. However, while Apple patched the proprietary version of the ALAC codec, the open-source version remained unpatched, according to the researchers.

As a result, Qualcomm and MediaTek, chipset manufacturers who ported the vulnerable ALAC codec to their audio decoders, left over two thirds of all smartphones sold in 2021 vulnerable to the security flaws, dubbed “ALHACK”, according to the researchers. The vulnerabilities were responsibly disclosed to Qualcomm and MediaTek, who both acknowledged the issues and assigned Common Vulnerabilities and Exposures (CVE) identifiers for them. MediaTek assigned CVE-2021-0674 and CVE-2021-0675 (with ‘Medium’ and ‘High’ ratings, respectively), while Qualcomm assigned CVE-2021-30351 (with a ‘Critical’ score of 9.8 out of 10) for the ALAC flaws, before patching them.

According to the researchers, both companies have issued patches for the issues, which were included in the December 2021 Android security bulletin, meaning that users with smartphones that received the December security patches should be protected from the vulnerabilities. However, this leaves out hundreds of thousands of users running outdated software, or users who receive erratic security updates, putting them at risk of being compromised by attackers.

