AirPlay vulnerability still present in countless CarPlay cars
In spring, serious vulnerabilities in Apple's AirPlay came to light. While these have already been fixed in iPhones and other devices, that is not the case for many cars.
CarPlay in the car: The problem with the AirPlay patch.
(Image: Hadrian / Shutterstock.com)
In April, they attracted a lot of attention: researchers at the Israeli IT security company Oligo Security discovered serious vulnerabilities in Apple's local streaming protocol AirPlay that could be used to attack a wide range of devices, simply by being on the same Wi-Fi network. While Apple was quick to resolve the issues in iOS, macOS, iPadOS, and its other operating systems (including the HomePod software), manufacturers of AirPlay-enabled devices, from home entertainment systems to speakers, have been slow to patch.
Some products will probably never be patched. Less attention has been paid to the fact that CarPlay, whose wireless protocol is also based on AirPlay, is affected as well. Although Apple has patched this too, the vulnerable software also lives in the so-called head unit of the car, and there are still surprisingly few updates for it. This is described by Oligo security researchers Uri Katz, Avi Lumelsky, and Gal Elbaz in a paper published last week.
AirPlay vulnerability is also present in CarPlay
The attack, dubbed "Pwn My Ride", is based on the stack overflow vulnerability CVE-2025-24132, which can be exploited when a device is connected to the car's multimedia system. If an affected older SDK is in use (AirPlay Audio before 2.7.1, AirPlay Video before 3.6.0.126, or CarPlay Communication Plug-in before R18.1), then, depending on the vehicle model, even zero-click attacks requiring no user interaction are possible, and the attacker can obtain root privileges. This works both via Wi-Fi and via Bluetooth; the latter must be enabled. It initially remained unclear whether attacks are also possible over a cable connection, since many vehicles do not support wireless CarPlay at all. The researchers concentrated on the wireless scenario.
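The version thresholds above are what a fleet operator or workshop actually has to work with when deciding which head units still need a firmware update. The following triage helper is an added example (not code from Oligo Security, Apple or heise): it takes the three fixed SDK versions named in the article and checks an inventory of SDK version strings against them. The inventory entries, the vehicle identifiers and the assumption that "before X" means any build that compares strictly lower than X component by component are all constructed for this example; how a given head-unit firmware maps to an SDK version is something only the vehicle or head-unit vendor can state.

```python
"""Triage helper: is a given AirPlay/CarPlay SDK build affected by CVE-2025-24132?

Added example, not code from Oligo Security, Apple or heise. The fixed-version
thresholds are the ones named in the article; the inventory below is constructed
sample data. Assumption: "before X" means any version that compares strictly
lower than X when both are split into numeric components.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed SDK versions, as named in the article for CVE-2025-24132.
FIXED_VERSIONS: Dict[str, str] = {
    "AirPlay Audio": "2.7.1",
    "AirPlay Video": "3.6.0.126",
    "CarPlay Communication Plug-in": "R18.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.6.0.126' or 'R18.1' into a tuple of ints for comparison.

    A leading release prefix such as 'R' or 'v' is dropped. Parsing stops at the
    first component that does not start with a digit (e.g. 'beta'), so such a
    suffix is ignored rather than guessed at.
    """
    core = re.sub(r"^[A-Za-z]+", "", version.strip())
    nums: List[int] = []
    for comp in core.split("."):
        m = re.match(r"\d+", comp)
        if m is None:
            break
        nums.append(int(m.group()))
    if not nums:
        raise ValueError(f"no numeric components in version string: {version!r}")
    return tuple(nums)


def version_before(installed: str, fixed: str) -> bool:
    """True if `installed` is strictly lower than `fixed`.

    Shorter tuples are right-padded with zeros, so '2.7' counts as 2.7.0 and is
    therefore below the fixed 2.7.1, while '2.7.1.3' is not.
    """
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def is_affected(sdk: str, installed_version: str) -> bool:
    """True if the SDK build predates the fixed version for that SDK."""
    if sdk not in FIXED_VERSIONS:
        raise KeyError(f"unknown SDK {sdk!r}; known: {sorted(FIXED_VERSIONS)}")
    return version_before(installed_version, FIXED_VERSIONS[sdk])


# Constructed inventory: (vehicle id, SDK, installed version). Sample data only;
# the ids are placeholders, not real VINs.
SAMPLE_INVENTORY = [
    ("VIN-EXAMPLE-0001", "AirPlay Audio", "2.6.4"),
    ("VIN-EXAMPLE-0002", "AirPlay Audio", "2.7.1"),
    ("VIN-EXAMPLE-0003", "AirPlay Video", "3.6.0.125"),
    ("VIN-EXAMPLE-0004", "CarPlay Communication Plug-in", "R17.4"),
    ("VIN-EXAMPLE-0005", "CarPlay Communication Plug-in", "R18.1"),
]


def triage(inventory) -> List[str]:
    """Return the ids of inventory entries still running a pre-fix SDK build."""
    return [vid for vid, sdk, ver in inventory if is_affected(sdk, ver)]


if __name__ == "__main__":
    for vid in triage(SAMPLE_INVENTORY):
        print(f"{vid}: needs head-unit firmware update")
```

The comparison is done on integer tuples deliberately: a plain string comparison would rank "3.6.0.9" above "3.6.0.126" and mark an unpatched unit as fixed, which is exactly the kind of error that leaves vehicles vulnerable for years when updates already require a workshop visit.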
Root access to the entertainment system opens up a range of possibilities, from manipulating the system to tapping data and spying. The attacker must be familiar with the vehicle's specific CarPlay implementation, but some implementations are widely used. With the AirPlay vulnerability in speakers, the Oligo researchers had already shown, among other things, how they could manipulate any attached screens; the possibilities are broad. In a demonstration video, the researchers show how they were able to place a "hacked" image on the screen of the entertainment system after logging into the car's Wi-Fi hotspot. The car itself helps the attackers, as the Wi-Fi password is transmitted via the iAP2 protocol.
Patching in the workshop—if there is a patch
It is now up to the car manufacturers to solve the problem. The security researchers estimate that several million vehicles on the road could be affected and are still driving around unpatched. Moreover, firmware updates are often not possible over the air (OTA), but only via USB stick and/or only in the workshop. As update cycles are often long and vary in length, this can take an eternity, if the manufacturer takes care of it at all.
“When a vulnerability is discovered in a widely used SDK like Apple's AirPlay, the challenge is not only to fix the bug, but also to ensure that any vendor that relies on the SDK actually implements the fix and passes it on to end users,” writes Oligo Security. This is particularly difficult with cars. “Unlike a smartphone or laptop, which is updated overnight, update cycles for vehicles are slow, fragmented, and often require a visit to the dealer or manual installation via USB.”
(bsc)