News: 0177226983


Millions of AirPlay Devices Can Be Hacked Over Wi-Fi (9to5mac.com)

(Wednesday April 30, 2025 @11:30PM (BeauHD) from the PSA dept.)


A newly revealed set of vulnerabilities dubbed AirBorne in Apple's AirPlay SDK could allow attackers on the same Wi-Fi network to [1]hijack tens of millions of third-party devices like smart TVs and speakers. While Apple has patched its own products, many third-party devices remain at risk, with the most severe (though unproven) threat being potential microphone access. 9to5Mac reports:

> [2]Wired reports that a vulnerability in Apple's software development kit (SDK) means that tens of millions of those devices could be compromised by an attacker: "On Tuesday, researchers from the cybersecurity firm Oligo revealed what they're calling AirBorne, a collection of vulnerabilities affecting AirPlay, Apple's proprietary radio-based protocol for local wireless communication. Bugs in Apple's AirPlay software development kit (SDK) for third-party devices would allow hackers to hijack gadgets like speakers, receivers, set-top boxes, or smart TVs if they're on the same Wi-Fi network as the hacker's machine [...]

>

> Oligo's chief technology officer and cofounder, Gal Elbaz, estimates that potentially vulnerable third-party AirPlay-enabled devices number in the tens of millions. 'Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch -- or they will never be patched,' Elbaz says. 'And it's all because of vulnerabilities in one piece of software that affects everything.'"

>

> For consumers, an attacker would first need to gain access to your home Wi-Fi network. The risk of this depends on the security of your router: millions of wireless routers also have serious security flaws, but access would be limited to the range of your Wi-Fi. AirPlay devices on public networks, like those used everywhere from coffee shops to airports, would allow direct access. The researchers say the worst-case scenario would be an attacker gaining access to the microphones in an AirPlay device, such as those in smart speakers. However, they have not demonstrated this capability, meaning it remains theoretical for now.



[1] https://9to5mac.com/2025/04/29/millions-of-airplay-devices-can-be-hacked-over-wi-fi-carplay-too/

[2] https://www.wired.com/story/airborne-airplay-flaws/



IoHT (Score:3)

by Tablizer ( 95088 )

= Internet of Hacked Things

Re: (Score:2)

by CaptQuark ( 2706165 )

> AirPlay devices on public networks, like those used everywhere from coffee shops to airports, would allow direct access.

So that means never connect your iPhone to a public WiFi if you're using AirPods or a smart watch. Imagine a stranger whispering strange things into your AirPods while you sit in a coffee shop. Creepy.

Re: IoHT (Score:2)

by RandomUsername99 ( 574692 )

AirPlay != Bluetooth. It's a protocol that runs on IP that lets users push video and/or audio to devices like TVs or speakers. You can't push audio and video to mobile devices, let alone arbitrary peripherals attached to them. It essentially works the way Bluetooth speakers and screen mirroring works, meaning the protocol has no authentication. It is intended for small home networks with standard consumer-level authentication. Connecting an Apple TV or HomePod to an open network, or not

Protocol (Score:1)

by fluffernutter ( 1411889 )

I will never get why Apple insists on creating their own protocols rather than using tried, tested and true standards everyone else uses.

Re: (Score:1)

by Luthair ( 847766 )

Probably so they can charge licensing fees. That said, it isn't like we haven't seen issues with libraries for other protocols (I recall example code for Bluetooth with bad crypto being copied a lot) - the problem side is more that companies do annual upgrades to product lines and don't adequately support their devices.

Re: (Score:2)

by MachineShedFred ( 621896 )

Because Apple has long suffered from Not Invented Here syndrome. It didn't used to be that way - in the early days of Mac OS X they reached out to open source a lot more than they do today (KHTML, CUPS, etc.).

My guess is that they discovered that if you own the protocol, then you can also gatekeep who can talk that protocol, enabling more walled gardens and competition lockout.

Re: (Score:2)

by herberttlbd ( 1366107 )

AirPlay was first introduced in 2010 and was an expansion to AirTunes which was introduced in 2004. Miracast didn't come out until 2012. Google Cast, which is a proprietary protocol, didn't come out until 2013 and, as far as I know, Google now supports it instead of Miracast.

Wormable (Score:3)

by bill_mcgonigle ( 4333 ) *

TFS doesn't mention the worst part: it's wormable.

This could spread from speaker to iDevice and then ride to another wifi, spreading to speakers or TVs there. Repeat and fade.

Watch for port 7000 abuse. Low Level on YT has a good video with deets.

The Rust haters will need to skip it. :)

Quit Buying From Shit Companies, People. (Score:1)

by zenlessyank ( 748553 )

It ain't religion so quit acting like you gonna go to hell for using a different brand.

Re: Quit Buying From Shit Companies, People. (Score:2)

by RandomUsername99 ( 574692 )

Yeah. It couldn't possibly be that people use it because it generally works well and has been readily available for 15 years on products many people already have and enjoy. If you think security vulnerabilities are somehow unique to Apple, you should get a refund for your defective brain.

hahahahahahaha no (Score:2)

by drinkypoo ( 153816 )

"access would be limited to the range of your Wi-Fi."

Guess how many miles that is with a cantenna on just one end.

Re: (Score:2)

by MachineShedFred ( 621896 )

Or someone walking into a hotel loaded with TVs. Or an apartment complex.

Re: (Score:2)

by Random361 ( 6742804 )

Just wait until someone exploits this to blast hard core porn all over the place. Or if they're more devious, use "AI" to make a fake video of Donald Trump in a fake EAS broadcast saying something truly terrifying. You know, like, "Nuclear missile is inbound to the west coast and we can't stop it. Seek shelter immediately." Or "I just raised tariffs globally another 300%!"

Re: hahahahahahaha no (Score:2)

by RandomUsername99 ( 574692 )

In what apartment complex does everyone share the same open WiFi network?

Just secure your router. (Score:2)

by Smonster ( 2884001 )

Sounds like you just had to properly secure your router. Of course, there are lots and lots of people who won’t. But it is that simple and you should have been on top of that a long time ago. Like the day you turned on your router.

Re: Just secure your router. (Score:2)

by RandomUsername99 ( 574692 )

Most AirPlay devices don't have authentication anyway, so hooking your streaming audio/video device like an Apple TV up to an open network is a pretty smooth-brained move anyway.