
Remote CarPlay Hack Puts Drivers at Risk of Distraction and Surveillance

Oligo Security has shared details on an Apple CarPlay attack that hackers may be able to launch without any interaction. The post Remote CarPlay Hack Puts Drivers at Risk of Distraction and Surveillance appeared first on SecurityWeek.


Researchers have disclosed details of a remote CarPlay hack that can allow attackers to spy on drivers or distract them. 

Runtime application security firm Oligo earlier this year revealed that its researchers had discovered potentially serious vulnerabilities in Apple’s AirPlay wireless communication protocol and the accompanying SDK, warning that they could allow hackers to remotely take over devices.

AirPlay is used by Apple products, but the tech giant has also licensed its use to other vendors, which have implemented it in TVs, audio systems, and streaming devices.

Oligo noted at the time that the vulnerabilities, collectively tracked as AirBorne, could be exploited for remote code execution, security bypass, information disclosure, DoS attacks, and MitM attacks. 

One of the flaws, tracked as CVE-2025-24132, allows attackers to create wormable zero-click remote code execution exploits that enable them to use compromised devices as a launchpad for additional attacks.

Oligo mentioned at the time that an attack could also be launched against CarPlay systems, without any user interaction. The company has now shared additional details on attacks against Apple CarPlay.

The cybersecurity firm explained that an attacker could conduct wired attacks by connecting to the targeted CarPlay system via USB. However, wireless attacks are also possible, including over Wi-Fi, where the attack relies on the fact that many vendors use default Wi-Fi passwords.

Wireless attacks can also be conducted over Bluetooth. The attacker can pair with the targeted CarPlay system over Bluetooth as long as they are in range. If PIN pairing is enabled, the attacker will likely see the required 4-digit PIN on the screen of the car’s infotainment system. In some cases so-called ‘just works’ pairing is enabled, which allows the attacker to easily connect to the system without any user interaction.

The attack targets the iAP2 protocol used by CarPlay to establish a wireless connection. iAP2 uses one-way authentication, where the phone authenticates the vehicle’s head unit, but the head unit doesn’t authenticate the phone. 

“Put plainly, the car checks that it’s talking to a legitimate device, but the device will accept any client that speaks iAP2. That means an attacker with a Bluetooth radio and a compatible iAP2 client can impersonate an iPhone, request the Wi-Fi credentials, trigger app launches and issue any iAP2 command,” Oligo explained. 

Once the hacker has completed the Bluetooth pairing process, they can authenticate via iAP2, obtain the Wi-Fi credentials, and connect to the car's hotspot. From there they can exploit the previously mentioned AirPlay SDK vulnerability (CVE-2025-24132) to achieve remote code execution with root privileges.

The attacker can then take over the screen and display images or play audio to distract the driver. The attacker could also eavesdrop on conversations or track the vehicle’s location.

Apple patched CVE-2025-24132 in late April, but only a few vendors have integrated the patch into their products. Oligo is not aware of any car manufacturer applying the patch, which is why it has not made full technical details public.

“Even after Apple released a patched SDK, each automaker must adapt, test, and validate it for their own systems – coordinating across head-unit suppliers, internal software teams, and sometimes middleware providers. Each step introduces potential delays and requires robust collaboration,” Oligo explained.

“The result is a long tail of exposure,” it added. “While high-end models with robust OTA pipelines may be patched quickly, many others take months, years, or never receive the update at all. That leaves millions of vehicles potentially exposed – long after an ‘official’ fix exists.”
