At the recent DefCon security conference, researchers demonstrated a critical exploit chain that allows attackers to gain root access on vehicle infotainment systems by targeting Apple CarPlay.
The multi-stage attack, named “Pwn My Ride,” leverages a series of vulnerabilities in the protocols that underpin wireless CarPlay, culminating in remote code execution on the car’s multimedia unit.
The core of the exploit is CVE-2025-24132, a stack buffer overflow vulnerability within the AirPlay protocol SDK. Researchers from Oligo Security showed how this flaw can be triggered once an attacker has joined the vehicle’s Wi-Fi network.
The vulnerability affects a wide range of devices that use AirPlay audio SDK versions before 2.7.1, AirPlay video SDK versions before 3.6.0.126, and specific versions of the CarPlay Communication Plug-in.
By exploiting this buffer overflow, an attacker can execute arbitrary code with the highest level of system privileges, effectively taking control of the infotainment system.
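The only concrete patch-state data the article gives are the fixed SDK versions (AirPlay audio 2.7.1, AirPlay video 3.6.0.126). The following is an added triage helper, not code from the article or from Oligo Security, that compares an inventoried head unit's reported SDK build against those thresholds so a fleet or product-security team can list which units still need the vendor fix. The inventory entries, unit labels and the `airplay_audio`/`airplay_video` family names are constructed for the example; the CarPlay Communication Plug-in is left out because the article states no version threshold for it.

```python
# Added example (not from the article or Oligo Security): flag AirPlay SDK
# builds older than the fixed releases named for CVE-2025-24132.
from dataclasses import dataclass
from typing import List, Tuple

# Fixed-version thresholds exactly as stated in the article.
FIXED_VERSIONS = {
    "airplay_audio": "2.7.1",
    "airplay_video": "3.6.0.126",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.6.0.126' into (3, 6, 0, 126); reject non-numeric components."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(sdk: str, version: str) -> bool:
    """True if the reported build is older than the fixed release for its SDK.

    Versions are compared component-wise; a shorter tuple is padded with
    zeros so that '2.7' compares as '2.7.0' (older than 2.7.1).
    """
    if sdk not in FIXED_VERSIONS:
        raise KeyError(f"unknown SDK family: {sdk!r}")
    have = parse_version(version)
    fixed = parse_version(FIXED_VERSIONS[sdk])
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have < fixed


@dataclass
class HeadUnit:
    model: str      # constructed label, not a real vehicle or part number
    sdk: str        # "airplay_audio" or "airplay_video"
    version: str    # SDK build reported by the unit


def triage(inventory: List[HeadUnit]) -> List[str]:
    """Return the model labels whose SDK build still needs the patch."""
    return [u.model for u in inventory if is_affected(u.sdk, u.version)]


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    fleet = [
        HeadUnit("unit-A", "airplay_audio", "2.7.0"),
        HeadUnit("unit-B", "airplay_audio", "2.7.1"),
        HeadUnit("unit-C", "airplay_video", "3.6.0.125"),
        HeadUnit("unit-D", "airplay_video", "3.6.1"),
    ]
    for model in triage(fleet):
        print(f"{model}: AirPlay SDK below fixed version, CVE-2025-24132 applies")
```

The comparison deliberately pads short version strings with zeros rather than treating them as equal to the threshold, so a unit that reports only "2.7" is listed as unpatched rather than silently passing.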
Exploiting the iAP2 Protocol
The attack begins by targeting the initial connection process of wireless CarPlay. This process relies on two key protocols: iAP2 (iPod Accessory Protocol) over Bluetooth and AirPlay over Wi-Fi.
The researchers discovered a fundamental authentication flaw within the iAP2 protocol. While the protocol ensures the car authenticates the phone, it fails to perform the reverse; the phone does not authenticate the car.
This one-way authentication allows an attacker’s device to impersonate a legitimate iPhone.
The attacker can then pair with the vehicle’s Bluetooth, often without a PIN code due to many systems defaulting to the insecure “Just Works” pairing mode.
Once paired, the attacker exploits the iAP2 flaw to send a RequestAccessoryWiFiConfigurationInformation command, which tricks the system into revealing the vehicle’s Wi-Fi SSID and password.
After obtaining the Wi-Fi credentials, the attacker connects to the car’s network and triggers CVE-2025-24132 to gain root access.
This entire sequence can be a zero-click attack on many vehicles, requiring no interaction from the driver.
Although Apple issued a patch for the vulnerable AirPlay SDK in April 2025, the Oligo Security researchers noted that, to their knowledge, no car manufacturer has yet applied the fix.
Unlike smartphones, which receive frequent over-the-air (OTA) updates, vehicle software update cycles are notoriously slow and fragmented.
Many cars require a manual update at a dealership, and each automaker must independently test and validate the patched SDK for their specific hardware.
This significant delay leaves millions of vehicles exposed to this vulnerability long after a fix has been made available, highlighting a critical gap in the automotive supply chain’s security posture.