At the recent DefCon security conference, cybersecurity researchers unveiled a significant exploit chain targeting Apple CarPlay, the in-car infotainment system. This multi-stage attack, dubbed Pwn My Ride, enables attackers to gain root access to vehicle multimedia units by exploiting vulnerabilities in the protocols that support wireless CarPlay, ultimately leading to remote code execution.
Understanding the Exploit Chain
The foundation of this exploit is a stack buffer overflow vulnerability within the AirPlay protocol’s Software Development Kit (SDK), identified as CVE-2025-24132. Researchers from Oligo Security demonstrated that this flaw can be triggered once an attacker gains access to the vehicle’s Wi-Fi network.
The vulnerability affects a broad range of devices utilizing AirPlay audio SDK versions prior to 2.7.1, AirPlay video SDK versions before 3.6.0.126, and specific versions of the CarPlay Communication Plug-in. By exploiting this buffer overflow, an attacker can execute arbitrary code with the highest level of system privileges, effectively taking control of the infotainment system.
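To turn the version thresholds above into an inventory check, here is an added example (not code from Oligo Security, Apple, or any automaker) that flags AirPlay SDK builds older than the patched releases; the component labels, function names and sample inventory are this example's own assumptions.

```python
# Added example (not code from Oligo Security or Apple): flag AirPlay SDK builds
# that fall below the patched versions named in the CVE-2025-24132 disclosure.
# Thresholds come from the article; component labels are this example's own.

# Builds strictly below these versions are affected, per the disclosure.
PATCHED_VERSIONS = {
    "airplay-audio-sdk": "2.7.1",
    "airplay-video-sdk": "3.6.0.126",
}


def parse_version(version: str) -> tuple:
    """Turn "3.6.0.126" into (3, 6, 0, 126); reject anything that is not dotted
    digits so a garbled inventory entry is reported instead of treated as patched."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_below(candidate: str, threshold: str) -> bool:
    """Component-wise compare, zero-padding the shorter tuple ("3.6" == "3.6.0.0")."""
    a, b = parse_version(candidate), parse_version(threshold)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_affected(component: str, version: str) -> bool:
    """True if this component/version pair predates the fix."""
    if component not in PATCHED_VERSIONS:
        raise ValueError(f"unknown component {component!r}")
    return version_below(version, PATCHED_VERSIONS[component])


def audit(inventory: list) -> list:
    """Return the unit names from (unit, component, version) rows still unpatched."""
    return [unit for unit, comp, ver in inventory if is_affected(comp, ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real vehicle data.
    sample = [
        ("head-unit-A", "airplay-audio-sdk", "2.7.0"),
        ("head-unit-B", "airplay-audio-sdk", "2.7.1"),
        ("head-unit-C", "airplay-video-sdk", "3.6"),
        ("head-unit-D", "airplay-video-sdk", "3.6.0.126"),
    ]
    for unit in audit(sample):
        print(f"{unit}: unpatched AirPlay SDK, apply the vendor update")
```

Note that a bare "3.6" is zero-padded and therefore still counts as affected against 3.6.0.126, and a malformed string raises rather than passing silently.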
Exploiting the iAP2 Protocol
The attack begins by targeting the initial connection process of wireless CarPlay, which relies on two key protocols: iAP2 (iPod Accessory Protocol) over Bluetooth and AirPlay over Wi-Fi. Researchers discovered a fundamental authentication flaw within the iAP2 protocol. While the protocol ensures that the car authenticates the phone, it does not perform the reverse: the phone never authenticates the car.
This one-way authentication allows an attacker’s device to impersonate a legitimate iPhone. The attacker can then pair with the vehicle’s Bluetooth, often without a PIN code, because many systems default to the insecure Just Works pairing mode. Once paired, the attacker exploits the iAP2 flaw to send a `RequestAccessoryWiFiConfigurationInformation` command, tricking the system into revealing the vehicle’s Wi-Fi SSID and password.
After obtaining the Wi-Fi credentials, the attacker connects to the car’s network and triggers CVE-2025-24132 to gain root access. This entire sequence can be a zero-click attack on many vehicles, requiring no interaction from the driver.
Implications and Challenges in Mitigation
Although Apple issued a patch for the vulnerable AirPlay SDK in April 2025, researchers noted that, to their knowledge, no car manufacturer has applied the fix. Unlike smartphones, which receive frequent over-the-air (OTA) updates, vehicle software update cycles are notoriously slow and fragmented. Many cars require a manual update at a dealership, and each automaker must independently test and validate the patched SDK for their specific hardware. This significant delay leaves millions of vehicles exposed to this vulnerability long after a fix has been made available, highlighting a critical gap in the automotive supply chain’s security posture.
Recommendations for Users and Manufacturers
Given the severity of this vulnerability, it is imperative for vehicle owners and manufacturers to take immediate action:
– Vehicle Owners: Contact your vehicle manufacturer or dealership to inquire about available software updates for your infotainment system. Regularly check for updates and apply them promptly to mitigate potential risks.
– Manufacturers: Prioritize the integration and deployment of the patched AirPlay SDK across all affected models. Enhance the speed and efficiency of software update processes, considering the implementation of OTA updates to ensure timely delivery of critical security patches.
The Pwn My Ride exploit underscores the evolving landscape of automotive cybersecurity threats. As vehicles become increasingly connected, the need for robust security measures and prompt response to vulnerabilities becomes paramount to ensure the safety and privacy of users.