CanSecWest 2022

The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters.

We have discovered serious vulnerabilities in the open source ALAC that many third-party vendors have inherited into their projects.

Looking for a way to hack a mobile phone or a PC remotely? We know one way…

We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. We will show how the issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file, or for LPE from an unprivileged Android app to access media data and user conversations.