Apple CarPlay’s ‘AirBorne’ Vulnerabilities and What They Mean for the Automotive Industry

May 2, 2025
Peter Yang

Recent research from Oligo Security has uncovered a set of high-impact vulnerabilities in Apple’s AirPlay technology, collectively named “AirBorne.” While AirPlay is commonly associated with streaming between iPhone, iPad, and Mac devices, these security flaws reach further — into Apple CarPlay, a staple of modern in-vehicle infotainment (IVI) systems.

For the automotive industry, the implications are significant. CarPlay is integrated into more than 800 vehicle models, making these vulnerabilities a potential risk to both driver safety and vehicle cybersecurity. Understanding the scope of AirBorne is now essential for OEMs, Tier 1 suppliers, and security teams across the automotive ecosystem.

What are the AirBorne vulnerabilities?

The AirBorne vulnerabilities stem from critical flaws in Apple’s AirPlay protocol and its software development kit (SDK), which underpins CarPlay’s wireless connectivity in IVI systems. These vulnerabilities, namely CVE-2025-24252 and CVE-2025-24132, expose weaknesses in AirPlay’s data handling, enabling remote code execution (RCE).

Here’s a breakdown of the key vulnerabilities:

  • CVE-2025-24252: This use-after-free (UAF) vulnerability occurs when AirPlay’s memory management fails and the code attempts to access memory after it has been deallocated. Attackers can exploit this to corrupt memory and inject malicious code. Paired with another flaw (e.g., CVE-2025-24206), it facilitates zero-click RCE, requiring no user input. This exploit can even become “wormable,” spreading across devices on the same Wi-Fi network.
  • CVE-2025-24132: This is a stack-based buffer overflow in the AirPlay SDK. It stems from inadequate input validation, allowing attackers to send oversized data that overflows the buffer and overwrites adjacent memory. This flaw enables zero-click RCE over Wi-Fi or one-click RCE via Bluetooth, depending on the connection.

These vulnerabilities are reachable through AirPlay’s communication over port 7000, which uses HTTP and RTSP (Real Time Streaming Protocol). Data is often exchanged in plist format (Apple’s property list structure), and poor parsing of this data — such as in CVE-2025-24129, a type-confusion bug — creates additional attack vectors. For instance, code that assumes unverified data is a dictionary can crash the system or end up executing attacker-supplied code.
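As an added illustration of the parsing point above (not code from Oligo Security, Apple’s SDK, or VicOne), this Python sketch shows the defensive pattern: bound the body size, parse the plist, and verify the root and field types before using them. The key names `deviceName` and `streams` and the size limits are hypothetical.

```python
import plistlib

MAX_BODY = 4096  # assumed cap on a request body, in bytes
# Hypothetical schema, not AirPlay's real keys: key -> (type, max length).
SCHEMA = {"deviceName": (str, 64), "streams": (list, 8)}


def validate_plist_body(body: bytes):
    """Return (ok, reason); reject oversized, malformed or mistyped input."""
    if len(body) > MAX_BODY:  # bound the input before any parsing or copying
        return False, "body too large"
    try:
        root = plistlib.loads(body)  # accepts XML and binary plists
    except Exception:  # parser errors differ by format; treat all as invalid
        return False, "not a valid plist"
    # Type-confusion guard: never assume the root object is a dictionary.
    if not isinstance(root, dict):
        return False, f"root is {type(root).__name__}, expected dict"
    for key, (expected, max_len) in SCHEMA.items():
        if key not in root:
            return False, f"missing key {key}"
        value = root[key]
        if not isinstance(value, expected):
            got = type(value).__name__
            return False, f"{key} is {got}, expected {expected.__name__}"
        if len(value) > max_len:  # bound every variable-length field
            return False, f"{key} longer than {max_len}"
    return True, "ok"


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "good": plistlib.dumps({"deviceName": "IVI", "streams": [{"id": 1}]}),
    "root_is_array": plistlib.dumps(["deviceName", "IVI"]),
    "wrong_field_type": plistlib.dumps({"deviceName": 1234, "streams": []}),
    "long_name": plistlib.dumps({"deviceName": "A" * 65, "streams": []}),
    "oversized": plistlib.dumps({"deviceName": "IVI", "pad": b"\0" * 8192}),
    "garbage": b"not a plist at all",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:18} {validate_plist_body(body)}")
```
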

How could an AirBorne attack unfold in a CarPlay-enabled vehicle?

The following scenario illustrates how an attacker could exploit the AirBorne vulnerabilities to compromise a vehicle’s IVI system via Apple CarPlay:

  1. Initial access: The attacker joins the vehicle’s Wi-Fi hotspot, often enabled for wireless CarPlay. Weak or default passwords make this step straightforward.
  2. Exploit delivery: Over port 7000, the attacker sends a crafted HTTP request with a malicious plist payload. This triggers the buffer overflow (CVE-2025-24132), overwriting memory with executable code.
  3. Code execution: With control over the IVI system, the attacker can manipulate the display, play audio, or access the microphone — unnoticed by the driver.
  4. Persistence and spread: The attacker might install persistent malware, surviving beyond the Wi-Fi connection. If wormable, it could infect other vehicles or devices on the network.

This example underscores how seemingly minor data handling flaws can cascade into full system compromise, posing significant risks in connected vehicles.

What is the real-world impact of AirBorne?

If the AirBorne vulnerabilities are successfully exploited in a CarPlay-enabled vehicle, the consequences can go far beyond technical inconvenience. The risks touch directly on user safety, privacy, and trust:

  • Privacy invasion: An attacker could use the car’s microphone to listen in on conversations or tap into GPS data to track where the vehicle goes.
  • Driver distraction: Malicious control over the IVI system could lead to sudden audio playback, erratic onscreen visuals, or other unexpected behaviors. These disruptions pose a real danger, especially when they occur while the vehicle is in motion.
  • Broader system compromise: If the compromised IVI system is deeply integrated with other vehicle systems, it could be a stepping stone for attackers to perform more damaging attacks, depending on the system design and integration level.

For the automotive industry, this goes beyond a typical software bug. It’s a matter of safety and consumer trust. Drivers and passengers expect the connected features of vehicles to enhance their experience, not expose them to digital threats or surveillance through the vehicles’ IVI systems.

To understand the true risk of the AirBorne vulnerabilities, it helps to consider how they could play out in everyday situations:

  • Public charging stations or parking lots: While charging your electric vehicle (EV) at a public station, you step into a nearby convenience store or café for a quick snack — unaware that your CarPlay-enabled hotspot, though hidden or invisible to you, remains active and discoverable. Nearby, an attacker connects to it and quietly injects malicious code. By the time you return, coffee in hand, your EV might already be compromised, silently logging your driving patterns or tracking your next destination. Days later, your screen might suddenly flash or your speakers might blare without warning, distracting you at a critical moment on the road.
  • Corporate garages and service centers: An attacker targets a fleet of company vehicles parked in a corporate garage, where drivers are resting or waiting for passengers or cargo — often with the vehicle still powered on and idle. Taking advantage of this downtime, the attacker deploys an automated attack script that silently connects to exposed wireless CarPlay networks. From there, the attacker can plant malware to log GPS locations or record in-cabin conversations, making it an ideal setup for corporate espionage. A similar risk exists in vehicle service centers. When a car is left for maintenance or repairs, it’s often connected to diagnostic tools or left unattended for extended periods. If the CarPlay hotspot remains active, an attacker could exploit this window to inject malicious code with minimal effort.
  • On the road: While stopped at a traffic light, an attacker in the vehicle beside yours takes advantage of close proximity to exploit a Bluetooth pairing vulnerability. Within seconds, they gain access to your IVI system, enabling them to activate the microphone and begin eavesdropping, all without your knowledge. The intrusion happens silently, leaving no visible signs of compromise as you continue your drive unaware.

These aren’t far-fetched scenarios — they’re credible risks in today’s connected vehicle landscape.

How can users and automotive stakeholders respond to AirBorne?

Vehicles equipped with Apple CarPlay may soon receive firmware updates from their manufacturers to address the AirBorne vulnerabilities. For vehicle users, applying these updates promptly is critical to ensuring that the IVI systems remain protected against known exploits.

In parallel, automotive OEMs and Tier 1 suppliers that have adopted an intrusion detection and prevention system (IDS/IPS), such as VicOne’s xCarbon, are better positioned to detect and mitigate these threats. xCarbon’s network IDS (NIDS) can monitor traffic over port 7000, the protocol channel targeted in AirBorne attacks, and flag suspicious activity in real time. Using xCarbon’s virtual patch feature, security teams can test and deploy targeted mitigations directly to IVI systems, providing immediate protection even before Apple releases an official fix. Attempts to drop malicious payloads or alter system files can be detected and blocked by xCarbon’s host IDS (HIDS), which offers robust file integrity monitoring.

The AirBorne vulnerabilities might represent only the initial foothold for attackers. In many cases, the ultimate objective is to escape the CarPlay environment and escalate access to broader IVI functionality. This mirrors previously documented risks involving containerized applications in software-defined vehicles (SDVs). VicOne’s xCarbon is designed to address these evolving threats. Its frictionless IDS/IPS architecture protects both containerized and virtualized workloads, helping ensure resilience across next-generation IVI and SDV platforms.

Why does AirBorne demand proactive automotive cybersecurity?

The AirBorne vulnerabilities show how even widely adopted and trusted technologies, such as Apple CarPlay, can introduce critical security risks in connected vehicles. In an environment where digital convenience meets physical safety, complacency is not an option.

For the automotive industry, proactive risk management is essential. Addressing these vulnerabilities early and deploying robust defenses helps preserve not just system integrity, but also the trust and safety of every driver and passenger. With greater visibility into threats like AirBorne and the right protective measures in place, IVI systems can remain an asset, not an attack surface.
