AirPlay Has a Serious Security Flaw, But Should You Be Worried?
Credit: iDB
Toggle Dark Mode
A new security flaw has been discovered in Apple’s AirPlay protocol that could help hackers spread malware on your home network, but it may not be as severe as it sounds.
The flaw itself is definitely a serious one. According to Wired, researchers have discovered a collection of vulnerabilities in the AirPlay protocols that could allow virtually any AirPlay-enabled device to be hacked via Wi-Fi. However, a few things need to line up for your devices to fall prey to this — even if hackers are targeting them.
According to the report, the flaw was discovered by researchers from the cybersecurity firm Oligo, who have dubbed it AirBorne. It specifically results from bugs in the AirPlay software development kit (SDK) that could let hackers “hijack gadgets like speakers, receivers, set-top boxes, or smart TVs.” However, before you panic, it’s important to note that there are a few catches that can make this more difficult to exploit.
How It Works (and How to Protect Yourself)
Firstly, the hacker would have to be on the same Wi-Fi network as your AirPlay devices. Since AirPlay only works over Wi-Fi and not cellular or Bluetooth, they’d need to have access to your home network. As a rule, if a hacker is already inside your firewall, you have bigger things to worry about than your AirPlay devices.
Secondly, this problem seems to only affect third-party AirPlay-enabled devices. While these vulnerabilities did exist on devices like the HomePod and Apple TV, those were patched by Apple in software updates months ago (another reason why it’s essential to always keep the software up to date across all your devices). Apple also told Wired that these bugs were only exploitable if users changed their AirPlay settings from the defaults. This means that out-of-the-box Apple devices were never vulnerable.
Still, there are lots of third-party devices out there that support AirPlay. Oligo’s chief technology officer and co-founder, Gal Elbaz, estimates there could be tens of millions of potentially vulnerable devices out there. “Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch—or they will never be patched,” Elbaz told Wired. “And it’s all because of vulnerabilities in one piece of software that affects everything.”
The other important thing to remember is that this only affects AirPlay receivers — devices you can stream music or video to. It doesn’t impact the iPhone, iPad, or Mac as these are AirPlay transmitters (the Mac has an AirPlay receiving mode, but this isn’t enabled by default, and any flaws that may have existed in that have long since been patched).
While Oligo notes that devices could be more vulnerable on public Wi-Fi networks, we don’t imagine too many people are hooking up AirPlay speakers in coffee shops and airports. These tend to be mostly home devices, although we could see a few scenarios where they might be used on semi-public networks, like those on school campuses and offices.
A hacker who gains remote control of your PC or Mac, either directly or via malware, could potentially exploit this AirPlay vulnerability on other devices on your home network. However, hackers with sufficient access to your PC can steal information and wreak enough havoc. Breaking into your HomePod is kind of pointless at that point.
There’s almost no sensitive information stored on most AirPlay devices like TVs and speakers, so any attacks by hackers would likely be to create botnets or install spyware — some of which could easily do things like listen in on conversations using built-in microphones. However, with so many different platforms involved, these attacks would have to be designed to target specific devices. Malware written for an LG TV wouldn’t be able to run on a Bose speaker or even a Samsung TV, as they all use entirely different operating systems.
The AirBorne vulnerabilities also affect CarPlay, but they’re much more difficult to exploit. Theoretically, a hacker could hijack the car’s head unit, but only after pairing their device with your vehicle via Bluetooth or by plugging into the USB port. As with getting into your home network, once they have that level of access, your infotainment system is irrelevant.
Notably, Apple released a set of SDK patches on March 31 that appear to be designed to address these vulnerabilities in third-party devices. However, manufacturers need to adopt these patches into their own firmware updates and then deploy them to affected speakers and TVs.
The bottom line is that protecting yourself against these attacks isn’t too hard. Start by ensuring all of your Apple devices are running the latest software updates—especially AirPlay receivers like HomePods and Apple TVs. Check for updates for any third-party AirPlay devices. If you have any doubts about the security of your Wi-Fi network, change your password and ensure that you’re using a strong encryption protocol like WPA2 or WPA3.
