Critical bug could have let hackers commandeer millions of Android devices

ByLois V. Aguirre

Apr 22, 2022 #3rd Wave Of Technology, #Active Mind Technology Steve Suda, #Adia Technology Limited, #Anxiety Caused By Technology, #Aum Technology Job Openings, #Best Books On Licensing Technology, #Best Us Companies Drivetrain Technology, #Boulder Creek Ca Technology Companies, #Bounce Box Technology, #Bridgerland Applied Technology College Cafeteria, #Cisco Technology News, #Comcast Comcast Technology Internship Program, #Complete Automated Technology, #Defence Technology News, #Definition Information Technology System, #Digital Technology, #Digital Technology Pdf, #Director, #Dxc Technology Malaysia Sdn Bhd, #Emerging Technology In Healthcare 2019, #Energy Efficient Home Technology, #Environmental Technology 2019, #Esl Information Technology Vocabulary, #Farming Technology Replacing People, #I.T. Information Technology, #Information Technology Residency Programs, #Issue With Holographic Counterfeiting Technology, #La Crosse Technology 9625 Manual, #La Crosse Technology C89201 Manual, #Lane Dedection Technology, #Long Quotes About Technology, #Micron Technology San Francisco, #Modern Steel Mill Technology, #Nc Lateral Entry Technology, #New Technology Replaces Wifi, #Russian Technology City, #Shenzhen Nearbyexpress Technology Development, #Stackoverflow Resume With Technology Interests, #State Agency For Technology, #Teacher Comfort With Technology Survey, #Technology Companies In Southwest Florida, #Technology Credit Union Address, #Technology In Mercedes Glc, #Technology Material Grant For College, #Technology Meibomian Lid, #Technology Production And Cost, #Treehouse Education Technology, #Western Technology Center Sayre Ok, #What Is Jet Intellagence Technology, #Why Women In Technology, #Will Technology Take Away Libraries

[ad_1]

Critical bug could have let hackers commandeer millions of Android devices

Getty Images

Security researchers said they uncovered a vulnerability that could have allowed hackers to commandeer millions of Android devices equipped with mobile chipsets made by Qualcomm and MediaTek.

The vulnerability resided in ALAC—short for Apple Lossless Audio Codec and also known as Apple Lossless—which is an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek had not been updated since 2011.

Together, Qualcomm and MediaTek supply mobile chipsets for an estimated 95 percent of US Android devices.

Remote bugging device

The buggy ALAC code contained an out-of-bounds vulnerability, meaning it retrieved data from outside the limits of allocated memory. Hackers could exploit this mistake to force the decoder to execute malicious code that otherwise would be off-limits.

“The ALAC issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file,” security firm Check Point said on Thursday. “RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.”

Check Point cited a researcher who suggested that two-thirds of all smartphones sold in 2021 are vulnerable to the attack unless they’ve received a patch.

The ALAC vulnerability—tracked as CVE-2021-30351 by Qualcomm and CVE-2021-0674 and CVE-2021-0675 by MediaTek—can also be exploited by an unprivileged Android app to escalate its system privileges to media data and the device microphone, raising the specter of eavesdropping on nearby conversations and other ambient sound.

The two chipset manufacturers submitted patches last year to either Google or to device makers, which in turn delivered the patches to qualifying users in December. Android users who want to know if their device is patched can check the security patch level in the OS settings. If the patch level shows a date of December 2021 or later, the device is no longer vulnerable. But many handsets still don’t receive security patches on a regular basis, if at all, and those with a patch level prior to December 2021 remain susceptible.

The vulnerability calls into question the reliability of the open-source code that Qualcomm and MediaTek use and their methods for maintaining its security. If Apple can update its proprietary ALAC codebase over the years to fix vulnerabilities, it’s concerning that the two chipset behemoths haven’t followed suit. The vulnerability also raises the question of what other open-source code libraries used by the chipmakers might be similarly out of date.

In a statement, Qualcomm officials wrote:

Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available.

MediaTek didn’t immediately respond to a message.

Check Point said that it will provide technical details of the vulnerability next month at the CanSecWest conference in Vancouver.

[ad_2]

Source link