A newly disclosed vulnerability—CVE-2025-24132—demonstrates how attackers can leverage Apple CarPlay’s wireless protocols to gain root privileges on in-car multimedia systems.
Presented at DefCon in the “Pwn My Ride” talk, this stack buffer overflow in the AirPlay SDK illustrates the critical risks facing connected vehicles and underscores the urgent need for coordinated patch deployment across the automotive industry.
CVE | Description | Affected Components | Privileges Required | Attack Vector | CVSS Score |
---|---|---|---|---|---|
CVE-2025-24132 | Stack buffer overflow in the AirPlay protocol leading to RCE | AirPlay audio SDK <2.7.1; AirPlay video SDK <3.6.0.126; CarPlay Communication Plug-in <R18.1; R18.1 | None (zero-click) | Network (Wi-Fi) | 9.8 |
Understanding CarPlay Attack Surface
Apple CarPlay enables both wired and wireless connections to a vehicle’s infotainment system.
Wireless CarPlay relies on the iAP2 protocol over Bluetooth to negotiate Wi-Fi credentials, followed by AirPlay over Wi-Fi for screen mirroring.
The layered architecture comprises:
- iAP2 over Bluetooth: Handles pairing and credential exchange.
- AirPlay over Wi-Fi: Transmits audio/video streams.
An attacker can exploit the default “Just Works” Bluetooth pairing to impersonate an iPhone, request Wi-Fi credentials via iAP2, and then connect to the vehicle’s hotspot without user interaction.
Every iAP2 link-layer packet begins with a magic value (0xFF5A), followed by a length field, a control byte, sequence and acknowledgement numbers, a session ID (0 = control, 1 = data, 2 = External Accessory), and separate checksums for the header and the payload.
Authentication is one-way: while the device verifies the head unit’s certificate, the head unit never validates the client.
Attackers can always send a “success” response (0xAA05) regardless of signature validity, granting them full iAP2 session privileges.
Once connected, attackers issue the RequestAccessoryWiFiConfigurationInformation command (0x5702) to obtain the SSID and password.
With these credentials, they join the CarPlay Wi-Fi network and trigger the AirPlay buffer overflow.
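The header layout and the one-way trust problem described above can be made concrete with a small parser and a defender-side gate. The Python below is an added example, not code from the article, from Apple, or from the DefCon talk. It assumes that iAP2 checksums are two's-complement byte sums (covered bytes plus checksum total zero modulo 256), that the length field counts the whole packet including the payload checksum, and that a control-session message carries its 16-bit message ID at payload offset 4 after a 0x4040 start marker; the `HeadUnitGate` class and the sample packets are constructed for illustration.

```python
"""Parse iAP2 link packets and gate Wi-Fi credential release on the head
unit's own verification result rather than on a client-asserted success.

Added example; assumptions are marked in the comments."""
import struct

IAP2_MAGIC = 0xFF5A
HEADER_LEN = 9  # magic(2) length(2) control(1) seq(1) ack(1) session(1) hdr checksum(1)
SESSION_NAMES = {0: "control", 1: "data", 2: "external-accessory"}

MSG_AUTHENTICATION_SUCCEEDED = 0xAA05  # control-session message named in the article
MSG_REQUEST_WIFI_CONFIG = 0x5702        # RequestAccessoryWiFiConfigurationInformation

# Assumption: a control-session message starts with a 0x4040 marker and a
# 16-bit message length, so the 16-bit message ID sits at payload offset 4.
MSG_START = 0x4040


def checksum(data: bytes) -> int:
    """Assumption: two's complement of the byte sum, so data + checksum == 0 mod 256."""
    return (-sum(data)) & 0xFF


def build_packet(control: int, seq: int, ack: int, session_id: int, payload: bytes = b"") -> bytes:
    """Build a well-formed link packet (used here only to construct sample input)."""
    total = HEADER_LEN + (len(payload) + 1 if payload else 0)  # +1 for payload checksum
    head = struct.pack(">HHBBBB", IAP2_MAGIC, total, control, seq, ack, session_id)
    head += bytes([checksum(head)])
    return head + payload + bytes([checksum(payload)]) if payload else head


def build_control_message(msg_id: int, params: bytes = b"") -> bytes:
    """Constructed control-session message under the 0x4040 layout assumption."""
    return struct.pack(">HHH", MSG_START, 6 + len(params), msg_id) + params


def parse_packet(raw: bytes) -> dict:
    """Validate magic, length and both checksums; return the header fields and payload."""
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated header")
    magic, length, control, seq, ack, session_id, _hcs = struct.unpack(">HHBBBBB", raw[:HEADER_LEN])
    if magic != IAP2_MAGIC:
        raise ValueError("bad start-of-packet marker 0x%04X" % magic)
    if length != len(raw):
        raise ValueError("length field %d != %d bytes received" % (length, len(raw)))
    if sum(raw[:HEADER_LEN]) & 0xFF:
        raise ValueError("header checksum mismatch")
    payload = b""
    if length > HEADER_LEN:
        if sum(raw[HEADER_LEN:]) & 0xFF:
            raise ValueError("payload checksum mismatch")
        payload = raw[HEADER_LEN:-1]  # strip the trailing payload checksum
    return {"control": control, "seq": seq, "ack": ack,
            "session": SESSION_NAMES.get(session_id, "unknown(%d)" % session_id),
            "payload": payload}


def control_message_id(payload: bytes):
    """Return the 16-bit message ID of a control-session message, or None."""
    if len(payload) < 6 or struct.unpack(">H", payload[:2])[0] != MSG_START:
        return None
    return struct.unpack(">H", payload[4:6])[0]


class HeadUnitGate:
    """Decide whether a control-session message may be honoured.

    The weakness in the article is trusting the peer's 0xAA05.  Here the only
    thing that unlocks credential release is mark_device_verified(), which a
    head unit would call after checking the device's signature itself."""

    def __init__(self):
        self.device_verified = False

    def mark_device_verified(self):
        self.device_verified = True

    def decide(self, raw: bytes) -> str:
        pkt = parse_packet(raw)
        if pkt["session"] != "control":
            return "allow"
        msg = control_message_id(pkt["payload"])
        if msg == MSG_AUTHENTICATION_SUCCEEDED and not self.device_verified:
            return "flag: peer claims success before local verification"
        if msg == MSG_REQUEST_WIFI_CONFIG and not self.device_verified:
            return "deny: Wi-Fi credentials requested before local verification"
        return "allow"


if __name__ == "__main__":
    gate = HeadUnitGate()
    req = build_packet(0x40, 1, 0, 0, build_control_message(MSG_REQUEST_WIFI_CONFIG))
    print(parse_packet(req)["session"], hex(control_message_id(parse_packet(req)["payload"])))
    print(gate.decide(req))
    gate.mark_device_verified()
    print(gate.decide(req))
```

Receipt of 0xAA05 never changes the gate's state: only the head unit's own signature check calls `mark_device_verified()`, so a 0x5702 request that arrives before that is refused, and an unsolicited success claim is surfaced for logging rather than acted on. Corrupting any header byte trips the checksum check before the message is even inspected.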
Mitigation and Patching Challenges
Apple released patched SDK versions, yet few automakers have integrated the fix.
Unlike phones, vehicles follow slow, fragmented update cycles—often requiring dealership visits or manual installs.
Over-the-air updates exist for some models, but head-unit suppliers, middleware vendors, and OEM validation processes introduce delays.
High-end cars with robust OTA infrastructures may patch quickly, but mass-market vehicles can remain vulnerable for months or years.
Security teams face a long-tail exposure risk: even after an “official” fix, inconsistent adoption across the supply chain leaves millions of vehicles at risk.
Automotive cybersecurity demands proactive collaboration.
OEMs, Tier-1 suppliers, and software vendors must streamline patch integration, automate update pipelines, and validate head-unit security continuously.
For teams wrestling with complex patch deployments, our Oligo Security Research group offers deep expertise in automating SDK updates, validating cryptographic flows, and accelerating remediation cycles to reduce long-term exposure and ensure every CarPlay-enabled vehicle receives timely protection.