AirPlay-enabled devices open to attack via “AirBorne” vulnerabilities
Vulnerabilities in Apple’s AirPlay Protocol, AirPlay Software Development Kits (SDKs), and the CarPlay Communication Plug-in could allow attackers to compromise AirPlay-enabled devices developed and sold by Apple and by other companies.
“Because AirPlay is a fundamental piece of software for Apple devices (Mac, iPhone, iPad, AppleTV, etc.) as well as third-party devices that leverage the AirPlay SDK, this class of vulnerabilities could have far-reaching impacts,” Oligo Security researchers noted.
“AirBorne” vulnerabilities
These so-called “AirBorne” flaws could be used in a variety of attack scenarios, including:
- Employee devices that have been compromised while on a public wireless network could be used by attackers to compromise additional devices on their employer’s network (once the employee connects to their enterprise Wi-Fi) or for eavesdropping
- AirPlay-enabled devices could be compromised and used for eavesdropping on sensitive information
- CarPlay-enabled vehicles’ infotainment systems (e.g., the stereo unit) could, under specific circumstances, be compromised and used to distract the driver, track the vehicle’s location, or eavesdrop on conversations
Some of the AirBorne vulnerabilities allow attackers to remotely execute malicious code, others to bypass roadblocks such as limited access or the need for the victim to perform an action. Some can be used to unearth sensitive information about users and devices and extract credentials, and others to DoS devices and services.
During a board meeting where the CEO wants to AirPlay the meeting to the TV in the office, for example, attackers can use a DoS vulnerability to crash the TV’s AirPlay receiver, the researchers explained.
The attackers can then spoof the TV’s identity on the network and, when the CEO starts streaming to the fake AirPlay server, they can relay the CEO’s stream to the real TV, while capturing and recording the entire meeting’s content from the intercepted stream.
Still, in most cases, there are certain preconditions for a successful exploitation of the vulnerabilities. For example, AirPlay-enabled Macs and iPhones must have the AirPlay receiver on and set to a specific configuration (the default setting for the AirPlay receiver is “off”). Or, if the attacker wants to compromise a CarPlay device, they have to be paired to it via Bluetooth or a USB connection.
Advice for organizations and users
Oligo researchers have shared their findings with Apple and, since the start of the year, the company has been patching them in macOS, iOS/iPadOS, Vision Pro, watchOS, tvOS, AirPlay audio SDK, AirPlay video SDK, and CarPlay Communication Plug-in.
While they have demonstrated the exploitation of some of these flaws, they have refrained from sharing technical details or PoC exploits to prevent attackers leveraging them.
“For organizations, it is imperative that any corporate Apple devices and other machines that support AirPlay are updated immediately to the latest software versions. Security leaders also need to provide clear communication to their employees that all of their personal devices that support AirPlay need to also be updated immediately,” Oligo researchers advised.
If not in use, the AirPlay Receiver should be switched off, and companies should create firewall rules to limit AirPlay communication (Port 7000 on Apple devices) to only trusted devices, they added.
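One way to check that such a firewall rule is actually holding is to audit flow logs for port 7000 connections from sources outside the trusted set. The following Python sketch is an added example, not code from Oligo or Apple; the log format, the trusted ranges and all addresses are constructed assumptions.

```python
import ipaddress

AIRPLAY_PORT = 7000  # port the article names for AirPlay on Apple devices

# Assumption: example allowlist of trusted AirPlay senders (constructed values).
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.30.5.17/32")]

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2025-05-01T09:00:01Z 10.20.0.14 10.40.1.8 7000 allow
2025-05-01T09:00:05Z 10.99.3.21 10.40.1.8 7000 allow
2025-05-01T09:00:09Z 10.99.3.21 10.40.1.8 443 allow
2025-05-01T09:01:12Z 192.168.7.50 10.40.1.9 7000 deny
2025-05-01T09:02:30Z 10.30.5.17 10.40.1.9 7000 allow
malformed line
"""

def audit_airplay_flows(log_text, trusted=TRUSTED_SOURCES):
    """Return (violations, blocked, skipped).

    violations: untrusted sources that reached port 7000 (rule gap)
    blocked:    untrusted sources the firewall denied (rule working)
    skipped:    count of lines that could not be parsed
    """
    violations, blocked, skipped = [], [], 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            skipped += 1
            continue
        ts, src, dst, port, action = fields
        try:
            addr, port = ipaddress.ip_address(src), int(port)
        except ValueError:
            skipped += 1
            continue
        if port != AIRPLAY_PORT or any(addr in net for net in trusted):
            continue  # not AirPlay traffic, or from a trusted device
        (violations if action == "allow" else blocked).append((ts, src, dst))
    return violations, blocked, skipped

if __name__ == "__main__":
    violations, blocked, skipped = audit_airplay_flows(SAMPLE_FLOWS)
    for ts, src, dst in violations:
        print(f"ALERT {ts}: untrusted {src} reached AirPlay port on {dst}")
    print(f"{len(blocked)} untrusted attempt(s) blocked, {skipped} line(s) skipped")
```

Any entry in the violations list means the allowlist rule is missing or misordered on the path to that receiver.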
Unfortunately, while updating devices developed by Apple is easy, security updates for third-party devices using the AirPlay SDK may not be immediately available, and may possibly never be.