Remote CarPlay Hack Exposes Risks of Vehicle Cybersecurity

Researchers at Oligo, a runtime application security firm, have revealed that vulnerabilities within AirPlay can extend to Apple CarPlay

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Apple’s AirPlay protocol is widely used across its product ecosystem and licensed to third-party vendors for TVs, audio systems, and streaming devices. However, researchers at Oligo, a runtime application security firm, have revealed that vulnerabilities within AirPlay can extend to Apple CarPlay, raising significant concerns for driver safety and data privacy.

These vulnerabilities, collectively referred to as AirBorne, could be exploited for multiple types of attacks, including remote code execution, man-in-the-middle interception, denial of service, and security bypasses.

The CVE-2025-24132 Vulnerability

One of the most critical flaws, CVE-2025-24132, enables attackers to launch zero-click, wormable exploits. In practice, this means a compromised device can be used as a launchpad for further attacks, spreading without user interaction. Apple patched this issue in April 2025, but adoption of the fix across the automotive industry has been slow.

Attack Scenarios Against CarPlay

Researchers demonstrated how attackers could exploit CarPlay in both wired and wireless scenarios:

  • USB Connection: Directly connecting to the CarPlay system can allow attackers to run malicious code.

  • Wi-Fi Exploits: Many vehicles rely on default Wi-Fi passwords, making them susceptible to unauthorized access.

  • Bluetooth Pairing: Attackers within range can impersonate legitimate devices using the iAP2 protocol, which authenticates the car’s system to the connecting device but never authenticates the connecting device to the car. Where “Just Works” pairing is enabled, no user interaction is needed.

Once paired, attackers can retrieve Wi-Fi credentials, connect to the car’s network, and leverage AirPlay vulnerabilities to achieve root-level remote code execution.
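The one-way authentication problem described above is easiest to see in a small model. The following is an added example, not code from Oligo or from Apple’s iAP2 implementation: it simulates a challenge-response pairing handshake in which the vehicle always proves its identity to the connecting device, and optionally (the `mutual` flag) also demands proof from the device. Keys, class names and the HMAC construction are constructed for illustration; real iAP2 accessory authentication is certificate-based and is not reproduced here.

```python
import hashlib
import hmac
import secrets

# Constructed demo secrets (not real keys). Real iAP2/MFi authentication uses
# certificates and an authentication coprocessor rather than shared HMAC keys.
VEHICLE_KEY = b"constructed-vehicle-auth-secret"
ACCESSORY_KEY = b"constructed-accessory-auth-secret"


def prove(key: bytes, challenge: bytes) -> bytes:
    """Answer a challenge with HMAC-SHA256 under the prover's key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time check that `response` was produced with `key`."""
    return hmac.compare_digest(prove(key, challenge), response)


class Vehicle:
    """Head unit. mutual=False mirrors the one-way model the article
    describes: the car proves itself, the device is never challenged."""

    def __init__(self, key: bytes, mutual: bool):
        self.key = key
        self.mutual = mutual

    def respond(self, challenge: bytes) -> bytes:
        return prove(self.key, challenge)


class GenuinePhone:
    """Holds the accessory key and insists that the car prove itself."""

    def verify_vehicle(self, challenge: bytes, response: bytes) -> bool:
        return verify(VEHICLE_KEY, challenge, response)

    def respond(self, challenge: bytes) -> bytes:
        return prove(ACCESSORY_KEY, challenge)


class UnknownDevice:
    """Has no accessory key. It does not care whether the car is genuine,
    and can only answer a challenge with bytes it makes up."""

    def verify_vehicle(self, challenge: bytes, response: bytes) -> bool:
        return True

    def respond(self, challenge: bytes) -> bytes:
        return secrets.token_bytes(32)


def pair(vehicle: Vehicle, device) -> bool:
    """Run the handshake and return whether the device ends up paired.

    Message 1 (device -> car): challenge c1
    Message 2 (car -> device): HMAC(vehicle key, c1)
    Message 3 (car -> device): challenge c2      -- mutual mode only
    Message 4 (device -> car): HMAC(accessory key, c2)
    """
    c1 = secrets.token_bytes(16)
    if not device.verify_vehicle(c1, vehicle.respond(c1)):
        return False            # device refuses a car that cannot prove itself
    if not vehicle.mutual:
        return True             # one-way: the device is accepted unchecked
    c2 = secrets.token_bytes(16)
    return verify(ACCESSORY_KEY, c2, device.respond(c2))


def summary() -> dict:
    """Outcome of each pairing attempt in the constructed model."""
    return {
        "one_way_unknown": pair(Vehicle(VEHICLE_KEY, mutual=False), UnknownDevice()),
        "mutual_unknown": pair(Vehicle(VEHICLE_KEY, mutual=True), UnknownDevice()),
        "mutual_genuine": pair(Vehicle(VEHICLE_KEY, mutual=True), GenuinePhone()),
        "mutual_fake_car": pair(Vehicle(b"not-the-vehicle-key", mutual=True), GenuinePhone()),
    }


if __name__ == "__main__":
    for case, paired in summary().items():
        print(f"{case:16s} paired={paired}")
```

In one-way mode the unknown device is accepted because nothing in the exchange ever requires it to hold a secret; switching on mutual authentication rejects it while still admitting the genuine phone. The last case shows the check the real protocol already performs, a genuine phone declining a head unit that cannot prove itself.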

Potential Consequences

With full control, attackers could:

  • Distract drivers by taking over the screen, displaying images, or playing disruptive audio.

  • Eavesdrop on conversations happening inside the vehicle.

  • Track vehicle location through compromised systems.

Such actions pose risks not only to driver safety but also to personal privacy.

Patch Delays and Long-Term Risks

Although Apple has released fixes, Oligo warns that integration across automakers is fragmented. Each car manufacturer must adapt and test the patched SDK before deployment. While high-end vehicles with over-the-air (OTA) update systems may be patched quickly, others may take months—or remain unpatched indefinitely.

This creates a long-tail exposure problem, where millions of vehicles worldwide remain vulnerable long after an “official” fix has been issued.

Conclusion

The CarPlay vulnerability underscores the importance of strong cybersecurity in connected vehicles. As cars become more dependent on digital systems, automakers must prioritize patch management, secure authentication mechanisms, and collaboration with technology providers.

The research highlights how weaknesses in seemingly unrelated technologies, like AirPlay, can create serious risks when integrated into safety-critical systems such as automobiles.