CarPlay vulnerability via AirPlay: BMW does not want to patch "Pwn My Ride"

Last autumn, vulnerabilities were discovered in the AirPlay implementation of various devices, including CarPlay. Some brands will likely never ship a fix.


Apple CarPlay: Automakers see no need for a patch.

(Image: Apple)


No patch despite an expensive ride: BMW has apparently decided not to provide its customers with fixes for the so-called Pwn My Ride vulnerability for its car entertainment systems. The problem, discovered in spring 2025, is massive, affects Apple's streaming protocol AirPlay as well as CarPlay in vehicles, and can be used to take over entire devices. Apple had patched its hardware relatively quickly, but many manufacturers of consumer electronics with AirPlay and CarPlay capabilities either did not follow suit or took months. In September, it was reported that numerous automakers were still impacted. It was unclear at the time which brands would refrain from patching altogether. This is now slowly becoming clear.

A Mac & i reader who owns a BMW i3s, delivered in February 2024, spent many months trying to get an answer from the manufacturer. After little success with the workshop and customer service, he turned to BMW's complaint management. The result was sobering. BMW admitted that the vehicle is affected by the underlying vulnerability (CVE-2025-24132). However, the company sees no danger.


The vulnerability was reviewed “shortly after its publication” by “our experts.” The following emerged: “The reported security vulnerability requires an attacker with a malicious device to actively establish a pairing with the vehicle's head unit via Bluetooth.” This pairing process, BMW wrote, requires both direct initiation from the vehicle's pairing menu and PIN-based validation. “This multi-stage process ensures that unintentional or unauthorized pairing is practically impossible.” Considering these “strict prerequisites,” the “security risk for our customers is assessed as extremely low.”

And since the risk of exploiting the security vulnerability was “assessed as extremely low by our security experts,” “no further software update is planned for your vehicle model.” The case handler continued that he hopes “this explanation provides clarity and security regarding the existing measures to protect customer safety.” The Mac & i reader disagrees with the decision: “For my part, BMW's behavior does not contribute to customer loyalty.”

Indeed, BMW's decision is difficult to understand. To exploit the vulnerability – i.e., to take over the car entertainment system, with potentially severe consequences – physical access to the vehicle (including the key) is sufficient. The pairing is not protected by a user password or in any other way, as rental vehicles, which often carry numerous Bluetooth pairings, demonstrate. BMW initially did not respond to an inquiry to the press office. “Pwn My Ride” yields root access to the entertainment system and everything that follows from it, from manipulating the system and intercepting data to espionage. Oligo, the company that discovered the problem, published several quite impressive demonstrations that also work over CarPlay.


(bsc)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.