Hackers Expose Critical Apple CarPlay Flaw At DefCon

By Techyeu, September 12, 2025

At this year’s DefCon security conference, researchers showcased a major security flaw in Apple’s CarPlay system. The demonstration, titled “Pwn My Ride,” revealed how an attacker could take control of a vehicle’s infotainment system without any action from the driver, a true zero-click exploit.

The attack leverages a vulnerability in the wireless version of CarPlay, allowing malicious code to be executed and granting hackers full system access. This places millions of vehicles at potential risk.

The Flaw at the Core of the Issue

The central vulnerability, identified as CVE-2025-24132, is a stack buffer overflow found in the AirPlay Software Development Kit (SDK), which is the same technology used for wirelessly mirroring iPhone screens.

The vulnerability can be triggered once an attacker gains access to the vehicle’s Wi-Fi network. It allows them to execute malicious code with root privileges, the highest level of system access, effectively giving them complete command of the car’s multimedia system.

The issue affects:

  • AirPlay Audio SDK versions older than 2.7.1
  • AirPlay Video SDK versions older than 3.6.0.126
  • CarPlay Communication Plug-in versions before R18.1
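For a manufacturer or supplier triaging head-unit firmware against this list, the check below is an added example and not code from Apple, Oligo Security or this article. It assumes a hypothetical inventory of (unit, component, version) rows, made-up component labels, and that builds report the upstream version strings, with the "R" releases ordered numerically.

```python
import re

# First fixed versions from the affected-version list above. The component
# keys are labels assumed for this example, not official identifiers.
FIRST_FIXED = {
    "airplay-audio-sdk": "2.7.1",
    "airplay-video-sdk": "3.6.0.126",
    "carplay-comm-plugin": "R18.1",
}

def parse_version(text):
    """Turn '3.6.0.126' or 'R18.1' into a tuple of ints for comparison."""
    cleaned = text.strip().lstrip("Rr")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))

def is_affected(component, version):
    """True if the version is older than the first fixed release."""
    fixed, found = parse_version(FIRST_FIXED[component]), parse_version(version)
    width = max(len(fixed), len(found))  # pad so '2.7' compares as '2.7.0'
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) < pad(fixed)

def triage(inventory):
    """Return (unit, component, version, status) for every inventory row."""
    report = []
    for unit, component, version in inventory:
        if component not in FIRST_FIXED:
            status = "not-in-scope"
        else:
            try:
                status = "affected" if is_affected(component, version) else "fixed"
            except ValueError:
                status = "unknown-version"  # review by hand, never assume fixed
        report.append((unit, component, version, status))
    return report

SAMPLE_INVENTORY = [  # constructed sample; the head-unit names are invented
    ("headunit-A", "airplay-audio-sdk", "2.7.0"),
    ("headunit-A", "carplay-comm-plugin", "R17.3"),
    ("headunit-B", "airplay-video-sdk", "3.6.0.126"),
    ("headunit-C", "airplay-audio-sdk", "2.10"),
    ("headunit-D", "carplay-comm-plugin", "18.1-beta"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Versions are compared numerically per field, so 2.10 is correctly treated as newer than 2.7.1, and any string that does not parse is flagged for manual review instead of being counted as patched.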

How the Attack Unfolds

Security researchers from Oligo Security explained that the attack chain starts with a Bluetooth pairing, as many cars still use an insecure “Just Works” pairing mode, which doesn’t require a PIN.

After pairing, the hacker exploits a flaw in the iAP2 protocol, the communication link between CarPlay and the iPhone. This protocol only authenticates the car to the phone, not the other way around. This design flaw allows a hacker’s device to impersonate an iPhone, tricking the vehicle into revealing its Wi-Fi password.

Once the attacker is on the car’s Wi-Fi network, they can trigger the AirPlay vulnerability to seize control of the infotainment system. On many cars, this takeover requires no driver interaction and happens entirely in the background.

Patches Exist, but Automakers Lag Behind

While Apple issued a fix for the AirPlay vulnerability in April 2025, a major problem remains: very few car manufacturers have implemented the update. Unlike phones or laptops that get rapid over-the-air (OTA) updates, car software updates are notoriously slow.

Automakers must adapt Apple’s patch, test it on their specific hardware, and validate it across different suppliers, a process that can take months or even years. This leaves a significant “long tail of exposure,” where many vehicles remain vulnerable long after a solution has been made available.

Why This Matters

Although this vulnerability doesn’t give hackers control over the vehicle’s steering or brakes, it still poses serious risks. An attacker could:

  • Eavesdrop on conversations by accessing the car’s microphone.
  • Track the vehicle’s location using its GPS.
  • Install persistent malware on the infotainment system.
  • Use the car’s system as a foothold to access other parts of the vehicle’s network.

Security experts caution that drivers cannot fix this issue on their own. It is the responsibility of car manufacturers and their suppliers to deploy Apple’s patched SDK to their vehicles. Until then, drivers using a wired CarPlay connection are safe, as this attack requires a wireless link. This incident highlights the growing security risks in connected vehicles and the slow, fragmented process of getting necessary patches to drivers.
