AirPlay Security Flaws Impact Third-Party Devices and Unpatched Apple Products

[MacRumors]

Researchers at cybersecurity firm Oligo today outlined a series of AirPlay vulnerabilities that impact millions of Apple devices (via Wired) and accessories that connect to Apple devices. While Apple has addressed the flaws in security updates that have come out over the last several months, some third-party devices that support AirPlay remain vulnerable.

Dubbed "Airborne," the AirPlay vulnerabilities allowed attackers to take control of devices that support AirPlay to spread malware to other devices on any local device that the infected device connects to. An attacker would need to be on the same Wi-Fi network as the intended victim, putting public Wi-Fi spots, businesses, and other high-traffic areas at more risk.

Oligo researchers said that the AirPlay flaws could lead to "sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more." The vulnerabilities could be used independently or chained together for a "variety of possible attack vectors," such as Remote Code Execution, user interaction bypass, Denial of Service attacks, Man-in-the-Middle attacks, and more.

Apple worked with Oligo to identify and fix the vulnerabilities. Oligo found 23 separate security flaws, and Apple issued 17 CVEs to address them. Information on each vulnerability is outlined on Oligo's website. Apple also deployed fixes for its AirPlay SDK for third-party manufacturers.

The same Airborne vulnerabilities also impact CarPlay, which could allow hackers to hijack the automotive computer in a car. This attack vector would require the attacker to be directly in the car and connected to either the car's Bluetooth or an in-car USB port, which makes it unlikely.

Oligo recommends that users upgrade to the latest versions of iOS, iPadOS, macOS, tvOS, and visionOS, to protect themselves from these vulnerabilities. Other devices that support AirPlay may still be vulnerable, so users should take steps like disabling the AirPlay Receiver feature on Macs and restricting AirPlay to the current user instead of all users.

Oligo CTO Gal Elbaz told Wired that there could be tens of millions of third-party AirPlay devices that are still vulnerable to attack. Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch--or they will never be patched," he said.

Article Link: AirPlay Security Flaws Impact Third-Party Devices and Unpatched Apple Products

 

[Artemiz]

I want the guy who came up with "Airborne" to be the head of branding dept at Apple.

Pro, Air, Ultra -- Not a fan!

 

[russell_314]

Most of this stuff sounds cool in a lab, but isn’t real


For example…

“An attacker would need to be on the same Wi-Fi network as the intended victim”

So he has your Wi-Fi password or you’re doing AirPlay over public Wi-Fi?



“This attack vector would require the attacker to be directly in the car”.

If you have an attacker in your car, there’s a lot of attack vectors he can use that don’t involve CarPlay. I think you have bigger problems then your CarPlay being hacked.

 

[HaHaRich!]

Most of this stuff sounds cool in a lab, but isn’t real


For example…

“An attacker would need to be on the same Wi-Fi network as the intended victim”

So he has your Wi-Fi password or you’re doing AirPlay over public Wi-Fi?



“This attack vector would require the attacker to be directly in the car”.

If you have an attacker in your car, there’s a lot of attack vectors he can use that don’t involve CarPlay. I think you have bigger problems then your CarPlay being hacked.

I don’t think you have to be “doing” AirPlay over public WiFi, but have an unpatched AirPlay compatible device on a WiFi network with the attacker.

As far as CarPlay, this could be a very big issue for rental car companies. I don’t know about you, but I take rental cars on family trips. Never occurred to me that Avis could infect my iPhone 🤔

 

[ajcadoo]

Apple can barely publish general code that’s bug free, how on earth can we trust them with secure code?

 

[Chungry]

I don’t think you have to be “doing” AirPlay over public WiFi, but have an unpatched AirPlay compatible device on a WiFi network with the attacker.

As far as CarPlay, this could be a very big issue for rental car companies. I don’t know about you, but I take rental cars on family trips. Never occurred to me that Avis could infect my iPhone 🤔

It can't "infect your phone" 🥴

 

[HaHaRich!]

It can't "infect your phone" 🥴

Did I misread it? The article describes the vulnerability as being able to execute and spread malicious code to unpatched systems. If that’s the case, how else does one define “infect”?

 

[KnowsHowItWorks]

Strong SNMP vibes.

 

[Macaholic868]

More great info here:

www.installsecurityupdates.com/computing101/

 

[Unregistered 4U]

Let’s see, what’s the perfectly reasonable and expected attack vector. There’s almost always one these days.

“An attacker would need to be on the same Wi-Fi network as the intended victim, putting public Wi-Fi spots, businesses, and other high-traffic areas at more risk.”

Yup, makes sense. Right up there with “If the attacker has physical access to your device…” or “After the user downloads and installs the code…” Good that it’s fixed, most certainly, but mitigated by not giving out your Wifi password to everyone. OR, if you find that your Wifi password made it on a list of compromised passwords, change it.

 

[russell_314]

I don’t think you have to be “doing” AirPlay over public WiFi, but have an unpatched AirPlay compatible device on a WiFi network with the attacker.

What would that device be though? I don’t think a whole lot of airplay devices are on public Wi-Fi networks. This would be like speakers or televisions. I don’t think many people connect their TV to Starbucks WiFi. Maybe I’m overlooking something obvious though.

As far as CarPlay, this could be a very big issue for rental car companies. I don’t know about you, but I take rental cars on family trips. Never occurred to me that Avis could infect my iPhone 🤔

That brings up an interesting question. Would the attacker have to be currently in the vehicle or just have been in the vehicle to do some damage? If he can leave some malware that would cause problems for the next person to connect their iPhone, that might be an issue. It does seem like a lot of work for a random attack though.

 

[vertsix]

I hope they deploy an update to my dear AirPort Express to patch this.

 

[Unregistered 4U]

Did I misread it? The article describes the vulnerability as being able to execute and spread malicious code to unpatched systems. If that’s the case, how else does one define “infect”?

Without a payload, the vulnerability is just a vulnerability. The security researcher, of course, wants to make the most of this time in the spotlight so they speculate that SOMEONE, SOMEWHERE could POTENTIALLY design a payload that could do all sorts of scary word things. But, as far as they know, no one has tried. Spreading might not even be practically possible depending on the specifics of the vulnerability. Tons of things can be done in a controlled lab where you control both the attacker and the attacked. A lot of that becomes impossible when you factor in real world situations.

 

[Unregistered 4U]

It does seem like a lot of work for a random attack though.

These are the thoughts security researchers never want you to have. Then, you may not be alarmed enough to forward their alerts to everyone you know!

 

[Chungry]

Did I misread it? The article describes the vulnerability as being able to execute and spread malicious code to unpatched systems. If that’s the case, how else does one define “infect”?

The article states a "wormable" condition is an option which would be easily carried out for MacOS. There is no suggestion it breaks sandboxing it's an annoying MiTM attack for rerouting or rogue casting. It can't infect a phone. Again, this all presupposes and unpatched device too. The phone attack footprint is pretty small. But it sounds scary. The worrying part is the Mac side

 

[russell_314]

These are the thoughts security researchers never want you to have. Then, you may not be alarmed enough to forward their alerts to everyone you know!

If I did that, I think most of my friends would block me…

“Geez it’s the nerdy guy messaging me about some security update for the 100th time. I’m perfectly happy on iOS 11”

 

[123]

Most of this stuff sounds cool in a lab, but isn’t real


For example…

“An attacker would need to be on the same Wi-Fi network as the intended victim”

So he has your Wi-Fi password or you’re doing AirPlay over public Wi-Fi?



“This attack vector would require the attacker to be directly in the car”.

If you have an attacker in your car, there’s a lot of attack vectors he can use that don’t involve CarPlay. I think you have bigger problems then your CarPlay being hacked.

Sounds like you've never worked in an actual company. Or rented a car. There are tons of shared AirPlay devices.

 

[123]

Maybe I’m overlooking something obvious though.

Yes you are. That big Samsung touch screen in the meeting room where everyone wo ever has a meeting connects, and which is reachable from the company's guest WiFi.

 

[russell_314]

Sounds like you've never worked in an actual company. Or rented a car. There are tons of shared AirPlay devices.

No, I’m like five years old and I’ve never worked in a company or rented a car. You found me out 😂

Yes you are. That big Samsung touch screen in the meeting room where everyone wo ever has a meeting connects, and which is reachable from the company's guest WiFi.

That touchscreen shouldn’t be on guest Wi-Fi, but that scenario would not surprise me

 

[Chungry]

Yes you are. That big Samsung touch screen in the meeting room where everyone wo ever has a meeting connects, and which is reachable from the company's guest WiFi.

I wouldn't work for or with any company that lacked the requisite governance and process management (and TAB/CAB) to lock that down. I know my company told everyone to kick rocks, only approved devices ever touch the network. And zero trust cleans up the rest. If your company gets hit by such low hanging fruit that's negligence and shareholders should sue

 

[bzgnyc2]

Note that despite all of Sequoia's kabuki theatre to protect us, it was still vulnerable. This is why many of us argue that instead of protecting our computers from us, Apple should be focused on basics. I am not worried about evils maids. I am worried about attacks over the network. The standard for this for decades starts with minimizing the attack surface area.

For years, I've argued for two obvious changes:
1) Don't run daemons/services/etc that aren't enabled. Don't start them, don't wake them, don't run them. If I have it turned off, I don't want to see the process running. I don't want to see log entries for it. I want it off.
2) Apple's services shouldn't be exempt from the firewall by default. The opposite and then the software tested with everything blocked by default rather than giving built-in software a bypass.

 

[flexwithmarius]

I wouldn't work for or with any company that lacked the requisite governance and process management (and TAB/CAB) to lock that down. I know my company told everyone to kick rocks, only approved devices ever touch the network. And zero trust cleans up the rest. If your company gets hit by such low hanging fruit that's negligence and shareholders should sue

Exactly, that type of equipment would be on an IoT/Media network and firewalled off from critical infrastructure.

 

[novagamer]

More great info here:

www.installsecurityupdates.com/computing101/

It is deeply ironic that this site itself is not secure, or at least doesn't support browsing via private relay.

Sounds like you've never worked in an actual company. Or rented a car. There are tons of shared AirPlay devices.

Yep. Double check your settings on every airplay device you have to make sure it only accepts local known connections.

Also, good practice to whitelist devices on your internal network whether at home or the office. WiFi is not as secure as people think it is, particularly older protocols.

The same Airborne vulnerabilities also impact CarPlay, which could allow hackers to hijack the automotive computer in a car.

"...hijack the automotive computer in a car" is not one of the proof of concept attacks, for good reason. Reference the specific CarPlay details instead.

If the attack vector let someone into the automotive computer in a modern car that is a huge flaw, I'm skeptical of that particularly with modern MISRA implementations etc.

edit: I read more on this and I don't believe you can get into the car's computer.

Macrumors should correct that specific speculation / phraseology, it's still a problem obviously but getting into the CAN bus is a massively different story vs. just hijacking your CarPlay experience. Like, life or death vs. annoyance.

I can see why the editor made that leap out of ignorance but it's irresponsible to posit as speculation without a POC or CVE. "Automotive computer' has a very specific meaning. Again, still bad though, but not crash your car bad.

 

[Westside guy]

“An attacker would need to be on the same Wi-Fi network as the intended victim”

So he has your Wi-Fi password or you’re doing AirPlay over public Wi-Fi?

This sort of setup is actually pretty common in conference rooms at universities. Probably at businesses too, but I'm less familiar with that.

 

[ikramerica]

Without a payload, the vulnerability is just a vulnerability. The security researcher, of course, wants to make the most of this time in the spotlight so they speculate that SOMEONE, SOMEWHERE could POTENTIALLY design a payload that could do all sorts of scary word things. But, as far as they know, no one has tried. Spreading might not even be practically possible depending on the specifics of the vulnerability. Tons of things can be done in a controlled lab where you control both the attacker and the attacked. A lot of that becomes impossible when you factor in real world situations.

My 8 yr old unpatched airplay onkyo receiver is unlikely to be able to execute any code not written for it. Who is going to bother with that attack vector? They would have to hack into my wifi first.