Bad ALAC: One codec to hack the whole world

Presented at CanSecWest 2022, May 19, 2022, 11:30 a.m. (60 minutes)

The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters. We have discovered serious vulnerabilities in the open source ALAC that many third-party vendors have inherited into their projects. Looking for a way to hack a mobile phone or a PC remotely? We know one way… We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. We will show how the issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file, or for LPE from an unprivileged Android app to access media data and user conversations.


  • Netanel Ben Simon - Microsoft
    Netanel Ben Simon is a Security Researcher at Microsoft and a former employee of Check Point Research. Netanel specializes in Windows exploitation (Userspace & Kernel) and development of custom fuzzers for bug hunting.
  • Slava Makkaveev - Check Point Research
    Slava Makkaveev is a Security Researcher at Check Point Research. Holds a PhD in Computer Science. Slava has found himself in the security field more than ten years ago and since that gained vast experience in reverse engineering and vulnerability research. Recently Slava has taken a particularly strong interest in mobile platforms and firmware security. Slava was a speaker at CanSecWest, DEF CON, REcon, HITB and others.


Similar Presentations: