Oligo Security unveiled a new set of vulnerabilities targeting Apple’s CarPlay system, revealing that millions of vehicles remain unpatched and vulnerable to remote code execution through a wireless attack chain.
The findings center on CVE-2025-24132, a stack buffer overflow in the AirPlay SDK, now shown to be exploitable in real-world automotive environments with minimal attacker effort.
The research, titled “Pwn My Ride”, builds on Oligo’s earlier “AirBorne” research, which exposed critical flaws in Apple’s AirPlay protocol.
CVE-2025-24132 affects multiple versions of Apple’s AirPlay SDK, specifically those released prior to AirPlay audio SDK 2.7.1 and AirPlay video SDK 3.6.0.126. The flaw allows an attacker to trigger a stack-based buffer overflow over a Wi-Fi connection, achieving remote code execution (RCE) with root-level privileges.
Oligo demonstrated that exploiting this vulnerability on vehicles equipped with wireless CarPlay is not only feasible but, in some cases, requires zero user interaction. The full attack chain begins with Bluetooth pairing, which is often poorly secured due to many vehicles defaulting to the “Just Works” mode, requiring no PIN or confirmation.
Once paired, the attacker initiates an iAP2 session, a proprietary Apple protocol used for communication between the iPhone and the vehicle’s infotainment unit. The session allows the attacker to request and obtain the car’s Wi-Fi credentials. With access to the CarPlay Wi-Fi network, the attacker can then exploit the AirPlay SDK flaw to execute arbitrary code on the head unit, effectively taking over the in-car system.
Oligo
Wireless CarPlay operates through a layered architecture: Bluetooth (iAP2) handles initial connection and Wi-Fi credential negotiation.) Wi-Fi (AirPlay) is used for screen mirroring and further data exchange.
iAP2’s design includes a critical flaw: asymmetric authentication. The head unit authenticates the phone, but not vice versa. This allows attackers to impersonate a phone, initiate the authentication handshake, and declare it successful, even without proper verification of the server’s certificate.
Once authenticated, attackers can send the RequestAccessoryWiFiConfigurationInformation (0x5702) command, prompting the head unit to respond with its Wi-Fi SSID and password, all without the user knowing.
Millions of cars impacted
Apple’s CarPlay is used by nearly every major automaker, integrated into the infotainment systems of millions of vehicles worldwide. The vulnerabilities affect third-party devices and vehicles using unpatched versions of the AirPlay SDK, specifically those embedded in multimedia systems.
Despite Apple releasing a fix for CVE-2025-24132 on April 29, 2025, Oligo notes that no major car manufacturer has applied the patch as of today. The reasons lie in the automotive industry’s fragmented and sluggish update pipeline. Unlike phones and laptops, vehicle software often requires dealership visits, USB-based updates, or relies on outdated over-the-air (OTA) mechanisms.
Vehicle owners are advised to apply the latest CarPlay and infotainment system firmware updates and enable the PIN option on Bluetooth pairing to strengthen protection against unauthorized pairings. If not needed, turn off wireless CarPlay.
Leave a Reply