Pwn My Ride: AirPlay flaw in Apple CarPlay affects millions of vehicles
At DEF CON, researchers from Israeli firm Oligo Security presented “Pwn My Ride,” a detailed analysis showing how vulnerabilities in the AirPlay protocol can be abused to compromise Apple CarPlay-enabled infotainment systems. The team demonstrated attack chains that enable remote code execution and full control of vehicle infotainment, potentially affecting millions of cars that support wireless CarPlay.
Key details
- Vulnerability: A critical AirPlay buffer overflow allowing remote code execution (reported as CVE-2025-24132 in related coverage).
- Scope: Oligo and reporting indicate the issue may impact hundreds of vehicle models—coverage cited ~800 CarPlay-capable models—and potentially millions of vehicles due to CarPlay’s wide adoption.
- Attack vector: Exploits AirPlay used by wireless CarPlay (over Wi‑Fi/Bluetooth). Attackers can target weak/default vehicle hotspot credentials or Bluetooth pairing, often requiring no user interaction in demonstrated chains.
- Potential impact: Control or manipulation of displays, audio, microphones; distraction or surveillance of occupants; installation of persistent malware on infotainment systems and lateral movement to other vehicle networks.
Vendor response and patches
Apple has released patches addressing AirPlay issues on iPhones and related devices. However, in-vehicle systems depend on automakers and suppliers to deliver firmware updates for infotainment units; those updates are often delayed or inconsistently applied. Oligo’s research recommends urgent remediation from OEMs and Tier‑1 suppliers.
Mitigations for drivers
- Install updates for your phone and for your vehicle’s infotainment system whenever available.
- Disable wireless CarPlay and AirPlay in the vehicle settings if you don’t need them; use wired CarPlay where possible.
- Avoid using public Wi‑Fi hotspots or unknown Bluetooth connections with your car’s infotainment system.
- Monitor official vendor advisories for firmware updates from your car manufacturer or supplier.
Sources and further reading
- Oligo Security — Pwn My Ride: Exploring the CarPlay attack surface
- Heise — AirPlay gap still exists in countless CarPlay cars
- SecurityWeek — Remote CarPlay hack puts drivers at risk
If you own a CarPlay-capable vehicle, treat wireless CarPlay/AirPlay as an attack surface: keep systems updated and consider disabling wireless features until vendors provide fixes.