CarPlay or CarPrey? Hackers Find a Fast Lane Into Modern Vehicles

Introduction

In recent months, researchers from Oligo Security have uncovered a set of vulnerabilities dubbed AirBorne that impact Apple’s AirPlay protocol and, by extension, wireless CarPlay. While Apple has released patches, the reality is that many car manufacturers in the UK have not yet rolled those fixes into their infotainment systems. This leaves millions of vehicles potentially exposed to distraction, surveillance, and remote code execution — all without the driver clicking a thing.

The Vulnerabilities (AirBorne)

  • CVE-2025-24132: A stack buffer overflow in Apple’s AirPlay SDK that allows zero-click remote code execution.
  • CVE-2025-24252 & related bugs: Use-after-free flaws enabling code execution or privilege escalation.
  • Attack surface: Wireless CarPlay connections, which use Bluetooth for initial pairing and WiFi (AirPlay) for data streams.
  • Weak defaults: Many systems use “Just Works” Bluetooth pairing or default WiFi passwords, lowering the bar for attackers.

An attacker within range could hijack the infotainment system, push arbitrary audio/video content, eavesdrop through the microphone, or track driver location.

Campaign Flow – How an Attack Works

  1. Proximity: The attacker comes within Bluetooth/WiFi range of a vulnerable car.
  2. Initial foothold: Exploits weak pairing (“Just Works”) or default WiFi credentials to connect.
  3. Exploit delivery: Crafts malicious traffic to trigger CVE-2025-24132 or related flaws in the AirPlay stack.
  4. Payload execution: Gains remote code execution on the infotainment head unit.
  5. Impact: Push distracting media, capture microphone data, or pivot into connected systems.

This flow mirrors traditional lateral movement in enterprise networks — but with the driver’s attention and safety at stake.

Who’s Affected in the UK?

Any car that supports wireless Apple CarPlay and hasn’t yet received the patched SDKs may be vulnerable. Examples include:

  • BMW (newer models with iDrive 7+)
  • Audi (A3, A4, and above with wireless CarPlay)
  • Alfa Romeo (Tonale)
  • Aston Martin (DB12, DBX)
  • SEAT Leon (higher trims with wireless CarPlay)

Cars with only wired CarPlay or no CarPlay at all are significantly less exposed.

Mitigations

  • Firmware updates: Check your car’s infotainment system for updates. Look for the patched Apple AirPlay SDK versions: Audio SDK 2.7.1, Video SDK 3.6.0.126, CarPlay Plug-in R18.1.
  • Disable wireless CarPlay if not needed.
  • Strengthen pairing: Use PIN-based Bluetooth pairing where possible; disable discoverability.
  • Change defaults: Update WiFi credentials from factory settings.
  • Manufacturer pressure: Carmakers must accelerate integration of patched SDKs and push OTA updates.
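
For fleet operators or workshops that can read the SDK versions a head unit reports, the check below compares them against the patched versions listed above. It is an added example, not code from the original article, Apple or Oligo. The record field names and the sample inventory are constructed, and treating any later version as patched is an assumption.

```python
import re

# Patched versions as listed in the Mitigations section above.
PATCHED = {
    "airplay_audio_sdk": "2.7.1",
    "airplay_video_sdk": "3.6.0.126",
    "carplay_plugin": "R18.1",
}

def parse_version(text):
    """Turn '3.6.0.126' or 'R18.1' into a tuple of ints; None if unparseable."""
    if not text:
        return None
    cleaned = text.strip().lstrip("Rr")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        return None
    return tuple(int(part) for part in cleaned.split("."))

def is_patched(reported, minimum):
    """True/False when comparable, None when the reported version is unknown."""
    have, need = parse_version(reported), parse_version(minimum)
    if have is None:
        return None
    width = max(len(have), len(need))
    pad = lambda v: v + (0,) * (width - len(v))
    # Numeric comparison: 3.6.0.99 is older than 3.6.0.126, 2.10 is newer than 2.7.1.
    return pad(have) >= pad(need)

def assess(unit):
    """Return (status, components_below_patch, components_unknown) for one unit."""
    below, unknown = [], []
    for component, minimum in PATCHED.items():
        verdict = is_patched(unit.get(component), minimum)
        if verdict is None:
            unknown.append(component)   # missing or unreadable: do not assume patched
        elif not verdict:
            below.append(component)
    status = "vulnerable" if below else "unknown" if unknown else "patched"
    return status, below, unknown

# Constructed sample inventory (hypothetical unit IDs and field names).
INVENTORY = [
    {"unit": "HU-001", "airplay_audio_sdk": "2.7.1", "airplay_video_sdk": "3.6.0.126", "carplay_plugin": "R18.1"},
    {"unit": "HU-002", "airplay_audio_sdk": "2.7.0", "airplay_video_sdk": "3.6.0.126", "carplay_plugin": "R18.1"},
    {"unit": "HU-003", "airplay_audio_sdk": "2.10", "airplay_video_sdk": "3.6.0.99", "carplay_plugin": "r17.4"},
    {"unit": "HU-004", "airplay_audio_sdk": "2.7.1", "airplay_video_sdk": None, "carplay_plugin": "R18.1"},
]

if __name__ == "__main__":
    for unit in INVENTORY:
        print(unit["unit"], *assess(unit))
```

Units that come back "unknown" should be handled like unpatched ones until the version can be confirmed.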

Why Should We Care?

Infotainment systems are no longer isolated. They’re gateways into the driver’s environment, personal devices, and potentially connected car functions. The AirBorne vulnerabilities show how a weakness in consumer streaming protocols like AirPlay can create high-impact risks when embedded in vehicles.

For UK drivers, this isn’t a theoretical issue — many popular car models are already shipping with wireless CarPlay and, according to Oligo, no major manufacturer has yet confirmed rolling out patched versions. Until they do, attackers have a wide open lane.
