Critical Exploit Unveiled at DefCon
During the recent DefCon security conference, researchers presented an exploit chain that lets attackers gain root access on vehicle infotainment systems via Apple CarPlay.
This multi-stage attack, dubbed “Pwn My Ride,” chains a sequence of vulnerabilities in the protocols behind wireless CarPlay, ending in remote code execution on the vehicle’s multimedia unit.
At the heart of this exploit is CVE-2025-24132, a critical stack buffer overflow in the AirPlay protocol SDK. Researchers from Oligo Security detailed how this flaw can be triggered once an attacker is on the vehicle’s Wi-Fi network.
The vulnerability impacts a broad spectrum of devices utilizing AirPlay audio SDK versions prior to 2.7.1, AirPlay video SDK versions before 3.6.0.126, as well as specified versions of the CarPlay Communication Plug-in.
By exploiting this buffer overflow, an attacker can execute arbitrary code with elevated privileges, effectively taking over the infotainment system.
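The affected-version boundaries above are the kind of data a fleet or supplier security team turns into an inventory check. The following is an added example (not code from Oligo Security, Apple, or the article) that flags AirPlay SDK builds older than the fixed releases named on the page; the inventory records are constructed sample data, and the CarPlay Communication Plug-in is left out because the page gives no version numbers for it.

```python
"""Triage helper: flag AirPlay SDK builds that predate the fix for CVE-2025-24132.

Added example, not code from Oligo Security, Apple or the article. The fixed
versions (audio SDK 2.7.1, video SDK 3.6.0.126) come from the article; the
inventory records below are constructed sample data.
"""
from typing import Dict, List, Tuple

# Minimum fixed versions as stated in the article. CarPlay Communication
# Plug-in versions are not given on the page, so that component is not modelled.
FIXED_VERSIONS = {
    "airplay-audio": "2.7.1",
    "airplay-video": "3.6.0.126",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version string into an integer tuple.

    Comparing tuples rather than strings avoids the classic bug where
    "2.10.0" sorts before "2.7.1" in a lexicographic comparison.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(component: str, version: str) -> bool:
    """True when `version` is older than the fixed release for `component`."""
    fixed = parse_version(FIXED_VERSIONS[component])
    current = parse_version(version)
    # Pad the shorter tuple with zeros so "3.6" compares as "3.6.0.0".
    width = max(len(fixed), len(current))
    fixed += (0,) * (width - len(fixed))
    current += (0,) * (width - len(current))
    return current < fixed


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the unit ids in the inventory that still carry a vulnerable SDK."""
    return [
        unit["unit_id"]
        for unit in inventory
        if is_vulnerable(unit["component"], unit["version"])
    ]


# Constructed sample inventory (not real vehicle data).
SAMPLE_INVENTORY = [
    {"unit_id": "ivi-0001", "component": "airplay-audio", "version": "2.6.9"},
    {"unit_id": "ivi-0002", "component": "airplay-audio", "version": "2.7.1"},
    {"unit_id": "ivi-0003", "component": "airplay-audio", "version": "2.10.0"},
    {"unit_id": "ivi-0004", "component": "airplay-video", "version": "3.6.0.125"},
    {"unit_id": "ivi-0005", "component": "airplay-video", "version": "3.6.0.126"},
    {"unit_id": "ivi-0006", "component": "airplay-video", "version": "3.6"},
]

if __name__ == "__main__":
    for unit_id in triage(SAMPLE_INVENTORY):
        print("needs patched SDK:", unit_id)
```

The padding step matters for real inventories: a unit reporting "3.6" is older than 3.6.0.126 and must be flagged, while a naive string comparison would also misplace "2.10.0" relative to "2.7.1".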
Exploiting the iAP2 Protocol
The attack begins at the initial connection phase of wireless CarPlay, which relies on two protocols: iAP2 (iPod Accessory Protocol) over Bluetooth and AirPlay over Wi-Fi.
Researchers uncovered a fundamental flaw in the iAP2 authentication process. Although the protocol mandates that the car authenticates the phone, it neglects reciprocal authentication, allowing the phone to remain unverified by the vehicle.
This unilateral authentication enables a hacker’s device to masquerade as a legitimate iPhone.
Subsequently, the intruder can pair with the vehicle’s Bluetooth—often without a PIN code due to the prevalence of the insecure “Just Works” pairing mode on many systems.
Once paired, the hacker exploits the iAP2 vulnerability by dispatching a RequestAccessoryWiFiConfigurationInformation command, effectively deceiving the system into disclosing the vehicle’s Wi-Fi SSID and password.
With the Wi-Fi credentials in hand, the attacker joins the vehicle’s network and triggers CVE-2025-24132 to gain root access.
On numerous vehicles this entire process can be executed as a zero-click attack, requiring no interaction from the driver.
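The root cause in the connection phase is one-sided authentication: the phone verifies the car, but the car never verifies the phone before answering a configuration request. The following is an added model of that gap and of the mutual-authentication fix; it is not iAP2, CarPlay, or any vendor's code. It stands in for the real accessory-authentication certificates with HMAC over constructed pre-shared keys (an assumption made to keep the model self-contained) and keeps only the property that matters here: whether the car checks the peer before honouring a RequestAccessoryWiFiConfigurationInformation-style message.

```python
"""Model of the one-sided iAP2 authentication described above, and its fix.

Added example; not iAP2, CarPlay or vendor code. Certificates are replaced by
HMAC over constructed pre-shared keys (an assumption for a self-contained model).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed secrets; a real deployment would use per-device certificates.
GENUINE_PHONE_KEY = b"constructed-key-shared-with-genuine-phones"
CAR_KEY = b"constructed-key-held-by-the-car"


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Phone:
    """Initiating peer. `key` is whatever it can prove possession of."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        # A genuine phone holds GENUINE_PHONE_KEY; an unverified device does not.
        return _tag(self.key, challenge)


@dataclass
class Car:
    mutual_auth: bool  # False models the reported flaw, True models the fix
    wifi_ssid: str = "constructed-car-ssid"
    wifi_password: str = "constructed-car-password"
    phone_verified: bool = field(default=False, init=False)

    def prove_self(self, phone_challenge: bytes) -> bytes:
        """Car -> phone authentication, the direction the protocol already mandates."""
        return _tag(CAR_KEY, phone_challenge)

    def authenticate_phone(self, phone: Phone) -> bool:
        """Phone -> car authentication, the direction the researchers found missing."""
        challenge = secrets.token_bytes(16)
        expected = _tag(GENUINE_PHONE_KEY, challenge)
        self.phone_verified = hmac.compare_digest(expected, phone.respond(challenge))
        return self.phone_verified

    def request_wifi_configuration(self) -> Optional[dict]:
        """Handler for a RequestAccessoryWiFiConfigurationInformation-style message."""
        if self.mutual_auth and not self.phone_verified:
            return None  # refuse: the peer never proved it is a genuine phone
        return {"ssid": self.wifi_ssid, "password": self.wifi_password}


def session(car: Car, phone: Phone) -> Optional[dict]:
    """Run the connection phase and return what the phone learns (None if refused)."""
    # Step 1: the phone verifies the car (present in both models).
    nonce = secrets.token_bytes(16)
    if not hmac.compare_digest(car.prove_self(nonce), _tag(CAR_KEY, nonce)):
        return None
    # Step 2: the car verifies the phone (only in the mutual model).
    if car.mutual_auth:
        car.authenticate_phone(phone)
    # Step 3: the phone asks for the Wi-Fi configuration.
    return car.request_wifi_configuration()


if __name__ == "__main__":
    genuine = Phone(GENUINE_PHONE_KEY)
    unverified = Phone(b"constructed-key-the-car-never-issued")
    for label, car in (("one-sided", Car(mutual_auth=False)), ("mutual", Car(mutual_auth=True))):
        print(label, "genuine:", session(car, genuine) is not None,
              "unverified:", session(Car(mutual_auth=car.mutual_auth), unverified) is not None)
```

In the one-sided model both peers receive the Wi-Fi configuration, which is exactly the disclosure the researchers describe; in the mutual model the unverified peer is refused while the genuine phone is unaffected. The defensive lesson is that the credential-bearing request must be gated on the car having verified the requester, regardless of how the Bluetooth pairing itself was established.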
While Apple released a patch for the vulnerable AirPlay SDK in April 2025, Oligo Security noted that, as of their last report, no automotive manufacturer had shipped the fix.
In stark contrast to smartphones, which benefit from regular over-the-air (OTA) updates, vehicle software update cycles are notoriously protracted and fragmented.
Many vehicles require manual updates at a dealership, and each automaker must independently test and validate the patched SDK for its own hardware configurations.
This considerable lag leaves millions of vehicles vulnerable to this exploit long after a remedy has been made available, underscoring a profound deficiency in the security framework of the automotive supply chain.
Source link: Cybersecuritynews.com.