Researchers exploit CarPlay app used on Apple devices to gain control of vehicle multimedia systems
Cybersecurity firm Oligo revealed in early 2025 that it had discovered potentially serious vulnerabilities in Apple's AirPlay wireless communication protocol for multimedia services and its accompanying SDK, warning that attackers could take control of affected devices remotely. One of the vulnerabilities, tracked as CVE-2025-24132, can be exploited to achieve remote code execution.
AirPlay is an application used on Apple devices, but it is also licensed to other vendors, who implement it in their own multimedia devices. Oligo researchers explained that attacks could also be launched against CarPlay implementations from certain vendors over USB, Wi-Fi, or Bluetooth, with no interaction required from the legitimate user.
The attack targets the iAP2 communication protocol, which CarPlay uses to establish the wireless connection. iAP2 uses one-way authentication: the phone authenticates to the vehicle, but the vehicle does not authenticate to the phone. As a result, an attacker with a Bluetooth radio and a compatible iAP2 client can impersonate an iPhone or similar device, obtain the Wi-Fi credentials, and join the car's access point. From there, the attacker can exploit CVE-2025-24132 in the AirPlay SDK to achieve remote code execution with root privileges.
Apple fixed CVE-2025-24132 at the end of April 2025, but only a few vendors have integrated the patch into their products. With this attack demonstration, Oligo is urging the third-party vendors that license the AirPlay protocol to take the necessary steps to fix the vulnerability in their own devices.
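The chain above hinges on a peer the car cannot verify walking away with the Wi-Fi credentials. The following toy model, added here as an illustration and not code from Oligo, Apple, or any vendor, contrasts an accessory that releases credentials to any connected peer with one that first demands an HMAC challenge-response using a key provisioned at pairing; it also rejects replay of a consumed nonce. Class names, message shapes, and the credential values are constructed assumptions, not the iAP2 wire format.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample credentials; not real values from the research.
WIFI_CREDS = {"ssid": "CAR-AP-DEMO", "psk": "constructed-psk"}


class OneWayAccessory:
    """Models the gap described above: the head unit never verifies the
    connecting peer, so any client that completes the link is served."""

    def request_wifi(self, peer_id: str) -> Optional[dict]:
        return dict(WIFI_CREDS)


class MutualAuthAccessory:
    """Adds the missing direction: the peer must answer a fresh nonce with
    an HMAC under its pairing key before credentials are released."""

    def __init__(self, paired_keys: Dict[str, bytes]):
        self.paired_keys = paired_keys
        self.pending: Dict[str, bytes] = {}

    def challenge(self, peer_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[peer_id] = nonce
        return nonce

    def request_wifi(self, peer_id: str, response: bytes) -> Optional[dict]:
        nonce = self.pending.pop(peer_id, None)  # single use: blocks replay
        key = self.paired_keys.get(peer_id)
        if nonce is None or key is None:
            return None
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return dict(WIFI_CREDS)


def peer_answer(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_scenarios() -> Dict[str, bool]:
    """True means the peer obtained Wi-Fi credentials in that scenario."""
    owner_key, rogue_key = secrets.token_bytes(32), secrets.token_bytes(32)
    one_way = OneWayAccessory()
    mutual = MutualAuthAccessory({"owner-phone": owner_key})
    out = {"one_way_rogue": one_way.request_wifi("rogue") is not None}
    n = mutual.challenge("owner-phone")
    out["mutual_owner"] = mutual.request_wifi("owner-phone", peer_answer(owner_key, n)) is not None
    n = mutual.challenge("owner-phone")  # rogue claims the owner's identity without the key
    out["mutual_rogue"] = mutual.request_wifi("owner-phone", peer_answer(rogue_key, n)) is not None
    n = mutual.challenge("owner-phone")
    good = peer_answer(owner_key, n)
    mutual.request_wifi("owner-phone", good)
    out["mutual_replay"] = mutual.request_wifi("owner-phone", good) is not None
    return out
```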
- 11/09/2025 redhotcyber.com
- 11/09/2025 securityweek.com