AirPlay Flaws Leave Millions of Devices Open to Hackers

A newly uncovered set of security vulnerabilities, dubbed “AirBorne,” threatens millions of devices using Apple’s AirPlay and CarPlay technologies. Discovered by cybersecurity firm Oligo, these flaws allow hackers on the same Wi-Fi network to hijack smart speakers, TVs, set-top boxes, and even car infotainment systems without needing a password. While Apple has patched its own devices, many third-party products remain exposed, posing risks to users in homes, cars, and public spaces.

AirPlay, Apple’s wireless streaming protocol, lets users beam audio, video, and other content between devices like iPhones, Macs, and third-party smart TVs or speakers. CarPlay extends this connectivity to vehicles, linking iPhones to dashboards for navigation and media. According to Oligo’s report, the AirBorne vulnerabilities exploit AirPlay’s open-access design, which prioritizes seamless pairing over strict security controls. “AirPlay servers often expose commands without enough checks,” Oligo noted, allowing attackers to take over devices remotely.

Two specific flaws, CVE-2025-24252 and CVE-2025-24132, are particularly dangerous, enabling “wormable” zero-click exploits. This means hackers can run malicious code without user interaction, potentially spreading malware across a network. For example, a compromised smart speaker could infect other AirPlay-enabled devices, creating a chain reaction. Oligo demonstrated this by remotely displaying their logo on a Bose speaker, hinting at the potential for more sinister attacks, like espionage or ransomware.

CarPlay Risks and Real-World Limits

CarPlay systems, used in over 800 vehicle models, are also vulnerable, though exploiting them is harder. Hackers need to pair their device via Bluetooth or USB, requiring physical access or proximity to a car’s Wi-Fi hotspot with a weak password. If successful, attackers could manipulate media to distract drivers, track a vehicle’s location, or even eavesdrop on conversations through the car’s microphone. While these scenarios are less likely than home-based attacks, they raise concerns for rental car users or shared vehicles.

Public Wi-Fi networks—like those in cafes, airports, or hotels—amplify the danger. An attacker on the same network could target vulnerable devices, especially older third-party gadgets that rarely receive updates. However, the risk is lower for home users with secure Wi-Fi, as attackers need network access to exploit the flaws.

Apple’s Response and Lingering Concerns

Apple acted swiftly, releasing patches for its devices on March 31, 2025, with iOS 18.4, iPadOS 18.4, macOS Ventura 13.7.5, macOS Sonoma 14.7.5, macOS Sequoia 15.4, and visionOS 2.4. The company also updated the AirPlay audio and video SDKs and CarPlay Communication Plug-in. Oligo worked with Apple for months to address 23 vulnerabilities, resulting in 17 CVEs. However, Apple told WIRED that its devices were only at risk if users altered default AirPlay settings, such as enabling “Anyone on the same network” for the AirPlay Receiver.

The bigger issue lies with third-party devices. Oligo’s CTO, Gal Elbaz, estimates tens of millions of AirPlay-enabled gadgets—like smart TVs and speakers—may remain unpatched, as manufacturers often neglect updates for older products. “Many devices will take years to patch, or never be patched,” Elbaz told WIRED, highlighting the challenge of securing a sprawling ecosystem.

How Users Can Stay Safe

For Apple device owners, updating to the latest software is the first step. Users should also:

  • Disable AirPlay Receiver on Macs (Settings > AirPlay & Continuity > AirPlay Receiver) when not in use.
  • Set AirPlay permissions to “Current User” to limit access.
  • Avoid using AirPlay on public Wi-Fi networks.
  • Secure home Wi-Fi with strong passwords to block unauthorized access.

For third-party devices, check for firmware updates from manufacturers, though availability varies. Replacing outdated gadgets may be necessary for long-term security. In cars, using strong, unique passwords for Wi-Fi hotspots and avoiding unnecessary Bluetooth pairings can reduce CarPlay risks.
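For anyone managing more than a handful of devices, the "update first" advice can be turned into a quick inventory check against the fixed releases listed above. The following is an added example, not code from Oligo or Apple; the host names and versions in the inventory are constructed, and it assumes that major releases newer than those listed already include the fix.

```python
# Added example: audit device OS versions against the fixed releases the article names.
# Minimum fixed version per (platform, major branch), from the article's patch list.
FIXED = {
    ("iOS", 18): (18, 4),
    ("iPadOS", 18): (18, 4),
    ("macOS", 13): (13, 7, 5),
    ("macOS", 14): (14, 7, 5),
    ("macOS", 15): (15, 4),
    ("visionOS", 2): (2, 4),
}

def parse_version(text):
    """Turn '14.7.5' into (14, 7, 5); raises ValueError on malformed input."""
    return tuple(int(part) for part in text.strip().split("."))

def airborne_status(platform, version):
    """Return 'patched', 'vulnerable', 'no-fix-listed' or 'unparseable'."""
    try:
        have = parse_version(version)
    except ValueError:
        return "unparseable"
    branches = [major for (name, major) in FIXED if name == platform]
    if not branches:
        return "no-fix-listed"      # e.g. third-party receivers: check vendor firmware
    if have[0] > max(branches):
        return "patched"            # assumption: later major releases carry the fix
    need = FIXED.get((platform, have[0]))
    if need is None:
        return "no-fix-listed"      # branch the article gives no fixed release for
    width = max(len(have), len(need))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(have) >= pad(need) else "vulnerable"

# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = [
    {"host": "lobby-mac", "platform": "macOS", "version": "14.7.4"},
    {"host": "design-mac", "platform": "macOS", "version": "15.4"},
    {"host": "kiosk-ipad", "platform": "iPadOS", "version": "18.3.2"},
    {"host": "conf-tv", "platform": "VendorTV", "version": "5.1"},
]

def audit(inventory):
    """Map each host to its status."""
    return {d["host"]: airborne_status(d["platform"], d["version"]) for d in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as `no-fix-listed` are the ones to follow up with the manufacturer, since the article gives no fixed version for them.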

Why This Matters

The AirBorne flaws reveal a trade-off in AirPlay’s design: convenience comes at the cost of security. With over 2.35 billion active Apple devices and millions of third-party products, the scale of potential exposure is massive. While home networks with solid security are less vulnerable, public spaces remain a weak point. The persistence of unpatched third-party devices also underscores a broader issue in the smart device industry, where manufacturers often prioritize new sales over ongoing support.

For users, this is a wake-up call to prioritize updates and network security. A hacked speaker might seem trivial, but in the wrong hands, it could become a gateway to more serious breaches. Staying vigilant keeps your tech—and your privacy—safe.

Mickey
About the Author

Mickey is a passionate tech enthusiast and longtime Apple aficionado based in Los Angeles. With a keen eye for innovation, he’s been following the evolution of Apple’s products since the early days, from the sleek designs of the iPhone to the cutting-edge capabilities of the Vision Pro.