Looks like quite a serious issue. Anyway happy to see that Apple has fixed the issue for its devices.
 
  • Like
Reactions: mganu
Is iOS 16 - the last major release for iPhone X and 8 for example - getting/already got a fix?
 
Looks like quite a serious issue. Anyway happy to see that Apple has fixed the issue for its devices.
Agree, the challenge is now to get people to patch their devices.
There is a good bunch of users out there with a mindset similar to that of anti-vaxxers when it comes to patching devices.
 
Most of this stuff sounds cool in a lab, but isn’t real


For example…

“An attacker would need to be on the same Wi-Fi network as the intended victim”

So he has your Wi-Fi password or you’re doing AirPlay over public Wi-Fi?



“This attack vector would require the attacker to be directly in the car”.

If you have an attacker in your car, there’s a lot of attack vectors he can use that don’t involve CarPlay. I think you have bigger problems than your CarPlay being hacked.
Somebody always does that 'bigger problems' fallacy. You're assuming the attacks come from your wifi network or your car. People connect to wifi networks in hotels and at their workplaces, and people connect to rental cars and company cars. Just because you don't doesn't mean nobody does.
 
Somebody always does that 'bigger problems' fallacy. You're assuming the attacks come from your wifi network or your car. People connect to wifi networks in hotels and at their workplaces, and people connect to rental cars and company cars. Just because you don't doesn't mean nobody does.
Exactly. Depending on your carrier, your iPhone might even connect to their hot spots automatically by default (e.g. T-Mobile in Germany, see EAP-SIM). Sure, some hot spots isolate clients, but I wouldn't trust that to be the case 100 % of the time.

Some vulnerabilities are of rather theoretical nature because a set of very specific conditions have to be met. Being on the same wireless network is not a very high barrier.
 
Would be good to have a concrete way to find out if one is vulnerable or not. Exactly what version of OS software from Apple includes the patches?
 
Would be good to have a concrete way to find out if one is vulnerable or not. Exactly what version of OS software from Apple includes the patches?
Most of that info is in here, and the CVEs that Apple does patch are official in the release notes that Apple provides with the update.
Now, not all of the discovered flaws have CVE-IDs, but they do mention why in the document.
They also mention the CVEs in the document and which patch fixes each one.

"The Oligo Security research team reported 23 vulnerabilities to Apple. All of the flaws have ultimately been fixed, but not all of them received CVE-IDs. In some cases, Apple has grouped certain vulnerabilities into a single CVE based on their remediation method and time of resolution, rather than by vulnerability type, impact, or location in the AirPlay Protocol code."

 
That touchscreen shouldn’t be on guest Wi-Fi, but that scenario would not surprise me
So you agree then that you didn't understand the situation. Also, of course it is, as most people constantly have meetings with people from outside the office.
 
  • Like
Reactions: miguel cortez
I wouldn't work for or with any company that lacked the requisite governance and process management (and TAB/CAB) to lock that down. I know my company told everyone to kick rocks; only approved devices ever touch the network. And zero trust cleans up the rest. If your company gets hit by such low-hanging fruit, that's negligence and shareholders should sue.
Lock that down how, never have a meeting with anyone? How do people from two companies meet and present, maybe in a shared space? I hope you see where it goes from there... AirPlay is constantly used everywhere on shared devices.
 
  • Like
Reactions: miguel cortez
Exactly. Depending on your carrier, your iPhone might even connect to their hot spots automatically by default
Being on the same wireless network is not a very high barrier.

But I don’t think that’s the only barrier?

Warning: By talking about germs and why infecting the human body is difficult, I am not condoning bad hygiene or licking doorknobs.

The public network would have to allow traffic on the AirPlay port, right? A quick search says that’s port 3689. Many (but not all!) “public” networks do in fact limit the types of traffic, and ports are one of the ways. Now, if AirPlay is a common use case for a particular public network, then so be it, it’s probably opened.

This is one of the reasons you (or at least I) haven’t seen shared resources on a “public” network since around 2010. It’s often port 80 or gtfo.

Related security/port story: For a CS project I was trying to use a set of ports (for reasons I can’t remember). They didn’t work, so in an attempt to troubleshoot I kept trying additional ports looking for one I could use. My network access was killed a split second later, and IT called me. That was 2007 :)

While your local hole in the wall coffee shop isn’t likely to have the sophistication of a school of 2000 kids in 2007, networks have had relatively hidden security features for decades. It’s not just “password or no password”.
 
So you agree then that you didn't understand the situation. Also, of course it is, as most people constantly have meetings with people from outside the office.

I don’t doubt it exists, but have you ever seen a corp out there with company resources on a public and open network?! Even my tiny neighborhood pub and the bakery have that on a separate network. If a client really needs to connect to business hardware, I’m sure a login/password can be provided…

Again, I don’t doubt it exists (8 billion humans and all), I’m just curious if anyone has ever seen it, and what kind of company it was!
 
Exactly. Depending on your carrier, your iPhone might even connect to their hot spots automatically by default (e.g. T-Mobile in Germany, see EAP-SIM). Sure, some hot spots isolate clients, but I wouldn't trust that to be the case 100 % of the time.

Some vulnerabilities are of rather theoretical nature because a set of very specific conditions have to be met. Being on the same wireless network is not a very high barrier.
Verizon automatically connects you to their WiFi. AT&T did the same when I was with them. Apple stores do it too.
I was recently looking at managed wireless networks I had unwittingly connected to so I turned off auto-join.

While the ease of joining a carrier-approved or an Apple Store network may be convenient for some customers, IMO it is a security issue. At the very least, it's a breach of my trust in the ecosystem. ASK me if I want to join - don't hard-code it into the OS. I should be able to decide whose network I trust :mad:
 
Would be good to have a concrete way to find out if one is vulnerable or not. Exactly what version of OS software from Apple includes the patches?
Simple answer: Anything below Ventura is fully vulnerable, with some patches looking like they are only being applied to Sequoia, or maybe those only affect Sequoia.

Us older Mac users—we are brave and live on the real cutting edge. :cool:
 
For those with older vehicles, disabling Bluetooth in the car might be a good idea
 
I hope they deploy an update to my dear AirPort Express to patch this.
This would be useful information — the AirPort firmware has not been updated since 2019 (versions 7.8.1 and 7.9.1) — I have four 2nd-generation Expresses used only for AirPlay 2 audio on a WiFi 7 mesh network. There’s also a Time Capsule connected via Ethernet that only functions as a storage device for Time Machine, but it’s accessible from the network. Are they vulnerable, in theory? It is not a public network, but still, I’m curious. Should Apple update this firmware?
 
If you have an attacker in your car, there’s a lot of attack vectors he can use that don’t involve CarPlay. I think you have bigger problems than your CarPlay being hacked.
From the sound of it, the vulnerability allowed an actual virus that can jump from device to device, so the author of the virus doesn't need to know the owner of the car, but can infect it anyway. Like the Blaster virus from the Windows XP era, that forced Microsoft to completely re-think PC security.
 
  • Like
Reactions: bzgnyc2
Note that despite all of Sequoia's kabuki theatre to protect us, it was still vulnerable. This is why many of us argue that instead of protecting our computers from us, Apple should be focused on basics. I am not worried about evil maids. I am worried about attacks over the network. The standard for this for decades starts with minimizing the attack surface area.

For years, I've argued for two obvious changes:
1) Don't run daemons/services/etc that aren't enabled. Don't start them, don't wake them, don't run them. If I have it turned off, I don't want to see the process running. I don't want to see log entries for it. I want it off.
2) Apple's services shouldn't be exempt from the firewall by default. The opposite, and then the software tested with everything blocked by default rather than giving built-in software a bypass.

I agree with you, but this would wreck most users’ experience out of the box, especially with regard to sync etc.

The amount of services now is ridiculous though, and even more so as there’s no good master list, which Apple should provide so you can cross-check and disable what you don’t need. Malware is out there that has similar names to Apple services, and sometimes there is NO documentation for a given real Apple service.

I have a Windows machine debloated and with more than half of the default services disabled (I did this manually, service by service) and it is incredibly responsive now despite being years old.

The first recent Apple machine that felt as responsive to me is the M4 Max and it has 3-4x the single core performance so that checks out, but there’s a bunch of stuff running in the background I will never use.

Fighting the daemons is a pain in the ass on macOS.
 
From the sound of it, the vulnerability allowed an actual virus that can jump from device to device, so the author of the virus doesn't need to know the owner of the car, but can infect it anyway. Like the Blaster virus from the Windows XP era, that forced Microsoft to completely re-think PC security.
I think this is people writing an article to make it sound scarier than it is. Scary things get clicks. It mentioned unpatched devices. Does this mean if I have a currently updated iPhone it’s not vulnerable? There are a lot of specifics that are unclear.
 
Agree, the challenge is now to get people to patch their devices.
There is a good bunch of users out there with a mindset similar to that of anti-vaxxers when it comes to patching devices.
Except Apple, quality-wise, has definitely introduced instability with patches. So it's not the same at all. People taking a wait-and-see approach are prudent, not nutjobs. A relatively minor patch to 18 broke physical security keys like YubiKey. I wish I had not updated so quickly. It locked me out of iCloud and all my stuff. It's why I traded one of my 16 PMs in for an S25 Ultra. It's a huge self-own on Apple's part; they're running fast and loose. How is this not a terrible analogy?
 
  • Like
Reactions: FriendlyMackle
Simple answer: Anything below Ventura is fully vulnerable, with some patches looking like they are only being applied to Sequoia, or maybe those only affect Sequoia.

Us older Mac users—we are brave and live on the real cutting edge. :cool:

Can you tell if these vulnerabilities are only applicable to AirPlay Receiver or if there were other vulnerabilities related to AirPlay, etc? If the former, then only Monterey, the first version of macOS to include AirPlay Receiver, would be left vulnerable after the last round of patches/security updates.
 
I think this is people writing an article to make it sound scarier than it is. Scary things get clicks. It mentioned unpatched devices. Does this mean if I have a currently updated iPhone it’s not vulnerable? There are a lot of specifics that are unclear.

It means any Apple devices you own should be on OS/firmware dated March 31, 2025 or later from this list:

Ditto for any 3rd-party devices that include AirPlay (which except for reverse engineered versions have to use Apple's SDK). So any Roku, LG, Samsung, etc TV should be on firmware that includes AirPlay video SDK 3.6.0.126 or later. Audio devices need to be updated to firmware that includes AirPlay audio SDK 2.7.1 or later. Any car with CarPlay should be on R18.1 or later. Good luck getting everyone in your family to keep up with that.

Then where this gets tricky is if an attacker uses one of these devices as a base to launch attacks on more interesting devices. That is, maybe your TV is not an exciting target by itself (but maybe it has a camera and/or a microphone?), but if you connect to it from your phone, malware on the TV could attack your phone once connected.

In the boardroom example presented earlier, maybe your TV is not on a trusted network, but what happens if a presenter's computer infects the TV which then infects your executives' laptops the next time they connect to it?

To paraphrase, when you connect your computer to a network, you connect it to every computer that has ever connected to that network...
 
  • Haha
Reactions: FriendlyMackle
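A small inventory check written for this thread (not the poster's code or any Apple tooling) that compares device firmware/SDK version strings against the minimums quoted in the post above; the thresholds are copied from the post as stated, while the component names and the sample inventory are constructed for illustration.

```python
import re

# Minimum patched versions as stated in the post above (not verified here).
# CarPlay versions carry an "R" prefix; the SDK versions are dotted numerics.
MINIMUM = {
    "airplay_video": "3.6.0.126",
    "airplay_audio": "2.7.1",
    "carplay": "R18.1",
}

def parse_version(v: str) -> tuple:
    """'3.6.0.126' or 'R18.1' -> tuple of ints; strips a letter prefix.
    Unparseable strings raise instead of silently comparing as patched."""
    m = re.fullmatch(r"[A-Za-z]*(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(component: str, version: str) -> bool:
    """True when version >= the stated minimum for that component."""
    have, need = parse_version(version), parse_version(MINIMUM[component])
    width = max(len(have), len(need))      # pad so '2.7' < '2.7.1' holds
    return have + (0,) * (width - len(have)) >= need + (0,) * (width - len(need))

def triage(inventory):
    """Return (name, component, version) for every entry still needing an update.
    Unknown or unparseable versions are reported, never assumed safe."""
    findings = []
    for name, component, version in inventory:
        try:
            ok = is_patched(component, version)
        except ValueError:
            ok = False
        if not ok:
            findings.append((name, component, version))
    return findings

# Constructed sample inventory for illustration, not real devices.
SAMPLE_INVENTORY = [
    ("living-room-tv", "airplay_video", "3.6.0.126"),
    ("kitchen-speaker", "airplay_audio", "2.7"),
    ("company-car", "carplay", "R17.4"),
    ("boardroom-display", "airplay_video", "unknown"),
]

if __name__ == "__main__":
    for item in triage(SAMPLE_INVENTORY):
        print("needs update:", *item)
```

A device whose version string cannot be parsed is listed as needing attention rather than dropped, which is the conservative choice when inventories are incomplete.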
I agree with you, but this would wreck most users’ experience out of the box, especially with regard to sync etc.

I agree in an extreme it could make the user experience a little less seamless, but in many cases it should be unnoticeable. For example, I don't use iCloud/iCloud Drive. I'm not logged in to it and it is unchecked. No need for its related daemons to ever run, not to mention remain running. If I turn iCloud on, by all means start those services. But until then leave them off. Only running services if and only if they are enabled would hardly be an Apple innovation -- standard in UNIX for decades before Mac OS X. And I recall -- but don't have access to check -- earlier versions of Mac OS X were much better about this.

The amount of services now is ridiculous though, and even more so as there’s no good master list, which Apple should provide so you can cross-check and disable what you don’t need. Malware is out there that has similar names to Apple services, and sometimes there is NO documentation for a given real Apple service.

I have a Windows machine debloated and with more than half of the default services disabled (I did this manually, service by service) and it is incredibly responsive now despite being years old.

The first recent Apple machine that felt as responsive to me is the M4 Max and it has 3-4x the single core performance so that checks out, but there’s a bunch of stuff running in the background I will never use.

Fighting the daemons is a pain in the ass on macOS.

Agree completely. Unfortunately.
 
  • Like
Reactions: novagamer
It means any Apple devices you own should be on OS/firmware dated March 31, 2025 or later from this list:

Ditto for any 3rd-party devices that include AirPlay (which except for reverse engineered versions have to use Apple's SDK). So any Roku, LG, Samsung, etc TV should be on firmware that includes AirPlay video SDK 3.6.0.126 or later. Audio devices need to be updated to firmware that includes AirPlay audio SDK 2.7.1 or later. Any car with CarPlay should be on R18.1 or later. Good luck getting everyone in your family to keep up with that.

Then where this gets tricky is if an attacker uses one of these devices as a base to launch attacks on more interesting devices. That is, maybe your TV is not an exciting target by itself (but maybe it has a camera and/or a microphone?), but if you connect to it from your phone, malware on the TV could attack your phone once connected.

In the boardroom example presented earlier, maybe your TV is not on a trusted network, but what happens if a presenter's computer infects the TV which then infects your executives' laptops the next time they connect to it?

To paraphrase, when you connect your computer to a network, you connect it to every computer that has ever connected to that network...
It's not a realistic vector of attack, to be honest. This article sells up on fear-mongering over what is, essentially, a proof of concept for everything. Of the targets, only the Mac would make for an interesting angle, and even then, you'd have to develop the payload since none exists. Good on them for hustling for the bounty though; I'm sure it's a good chunk of change.
 
  • Like
Reactions: Unregistered 4U