Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
AirPlay Security Flaws Impact Third-Party Devices and Unpatched Apple Products
- Thread starter MacRumors
- Start date
- Sort by reaction score
Agree, the challenge is now to get people to patch their devices.
There is a good bunch of users out there with a similar mindset that anti-vaxxers has when it comes to patching devices.
Somebody always does that 'bigger problems' fallacy. You're assuming the attacks come from your wifi network or your car. People connect to wifi networks in hotels and at their workplaces, and people connect to rental cars and company cars. Just because you don't doesn't mean nobody does.
Exactly. Depending on your carrier, your iPhone might even connect to their hot spots automatically by default (e.g. T-Mobile in Germany, see EAP-SIM). Sure, some hot spots isolate clients, but I wouldn't trust that to be the case 100 % of the time.
Some vulnerabilities are of rather theoretical nature because a set of very specific conditions have to be met. Being on the same wireless network is not a very high barrier.
Would be good to have a concrete way to find out if one is vulnerable or not. Exactly what version of OS software from Apple includes the patches?
Most of that info is in here and the CVE's that Apple do patch are official in the release notes that Apple priovides with the update.
Now, not all of the discovered flaws has CVE-IDs, but they do mention why in the document.
They also mention the CVE's in the document and what patch that fixes it.
"The Oligo Security research team reported 23 vulnerabilities to Apple. All of the flaws have ultimately been fixed, but not all of them received CVE-IDs. In some cases, Apple has grouped certain vulnerabilities into a single CVE based on their remediation method and time of resolution, rather than by vulnerability type, impact, or location in the AirPlay Protocol code."
Airborne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security | Oligo Security
Oligo Security reveals AirBorne, a new set of vulnerabilities in Apple’s AirPlay protocol and SDK. Learn how zero-click RCEs, ACL bypasses, and wormable exploits could endanger Apple and IoT devices worldwide — and how to protect yourself.
www.oligo.security
So you agree then that you didn't understand the situation. Also, of course it is, as most people constantly have meetings with people from outside the office.
Lock that down how, never have a meeting with anyone? How do people from two companies meet and present, maybe in a shared space? I hope you see where it goes from there... AirPlay is constantly used everywhere on shared devices.
But I don’t think that’s the only barrier?
Warning: By talking about germs and why infecting the human body is difficult, I am not condoning bad hygiene or licking doorknobs.
The public network would have to allow traffic on the AirPlay port, right? A quick search says that’s port 3689. Many (but not all!) “public” networks do in fact limit the types of traffic, and ports are one of the ways. Now, if AirPlay is a common use case for a particular public network, then so be it, it’s probably opened.
This is one of the reasons you (or at least I) haven’t seen shared resources on a “public” network since around 2010. It’s often port 80 or gtfo.
Related security/port story: For a CS project I was trying to use a set of ports (for reasons I can’t remember). They didn’t work, so in an attempt to trouble shoot I kept trying additional ports looking for one I could use. My network access was killed a split second later, and IT called me. That was 2007
While your local hole in the wall coffee shop isn’t likely to have the sophistication of a school of 2000 kids in 2007, networks have had relatively hidden security features for decades. It’s not just “password or no password”.
I don’t doubt it exists, but have you ever seen a corp out there with company resources on a public and open network?! Even my tiny neighborhood pub and the bakery have that on a separate network. If a client really needs to connect to business hardware, I’m sure a login/password can be provided…
Again, I don’t doubt it exists (8 billion humans and all), I’m just curious if anyone has ever seen it, and what kind of company it was!
Verizon automatically connects you to their WiFi. AT&T did the same when I was with them. Apple stores do it too.
I was recently looking at managed wireless networks I had unwittingly connected to so I turned off auto-join.
While the ease of joining a carrier approved or an Apple Store network may be convenient for some customers, IMO it is a security issue. At the very least, it's a breach of my trust in the eco system. ASK me if I want to join - don't hard code it into the OS. I should be able to decide who's network I trust
Simple answer: Anything below Ventura is fully vulnerable, with some patches looking like they only are being applied to Sequoia or maybe those only effect Sequoia.
Us older Mac users—we are brave and live on the real cutting edge.
This would be useful information — the AirPort firmware has not been updated since 2019 (versions 7.8.1 and 7.9.1) — I have four 2nd-generation Expresses used only for Airplay 2 audio on a WiFi 7 mesh network. There’s also a Time Capsule connected via Ethernet that only functions as a storage device for Time Machine, but it’s accessible from the network. Are they vulnerable, in theory? It is not a public network, but still, I’m curious. Should Apple update this firmware?
Last edited:
From the sound of it, the vulnerability allowed an actual virus that can jump from device to device, so the author of the virus doesn't need to know the owner of the car, but can infect it anyway. Like the Blaster virus from Windows XP era, that forced Microsoft to completely re-think PC security.
I agree with you but this would wreck most user’s experience out of the box especially with regard to sync etc.
The amount of services now is ridiculous though, and even more so than there’s no good master list which Apple should provide so you can cross check and disable what you don’t need. Malware is out there that has similar names to Apple services and sometimes there is NO documentation for a given real Apple Service.
I have a windows machine debloated and with more than half of the default services disabled (I did this manually, service by service) and it is incredibly responsive now despite being years old.
The first recent Apple machine that felt as responsive to me is the M4 Max and it has 3-4x the single core performance so that checks out, but there’s a bunch of stuff running in the background I will never use.
Fighting the daemons is a pain in the ass on macOS.
I think this is people writing an article to make it sound scarier than it is. Scary things get clicks. It mentioned unpatched devices. Does this mean if I have a currently updated iPhone it’s not vulnerable? There are a lot of specifics that are unclear.
Except apple, quality-wise, has definitely introduced instability with patches. So it's not the same at all. People taking a wait-and-see approach are prudent, not nutjobs. A relatively minor patch to 18 broke physical security keys like yubikey. I wish I had not updated so quickly. It locked me out of iCloud and all my stuff. It's why I traded one of my 16 PMs in for an S25 Ultra. It's a huge self own on Apple's part, they're running fast and loose. How is this not a terrible analogy?
Simple answer: Anything below Ventura is fully vulnerable, with some patches looking like they only are being applied to Sequoia or maybe those only effect Sequoia.
Us older Mac users—we are brave and live on the real cutting edge.
Can you tell if these vulnerabilities are only applicable to AirPlay Receiver or if there were other vulnerabilities related to AirPlay, etc? If the former, then only Monterey, the first version of macOS to include AirPlay Receiver, would be left vulnerable after the last round of patches/security updates.
It means any Apple devices you own should be on an OS/firmware March 31, 2025 or later from this list:
Apple security releases - Apple Support
This document lists security updates and Rapid Security Responses for Apple software.
Ditto for any 3rd-party devices that include AirPlay (which except for reverse engineered versions have to use Apple's SDK). So any Roku, LG, Samsung, etc TV should be on firmware that includes AirPlay video SDK 3.6.0.126 or later. Audio devices need to be updated to firmware that includes AirPlay audio SDK 2.7.1 or later. Any car with CarPlay should be on R18.1 or later. Good luck getting everyone in your family to keep up with that.
Then where this gets tricky is if an attacker uses one of these devices as a base to launch attach or more interesting devices. That is, maybe your TV is not an exciting target by itself (but maybe it has a camera and/or a microphone?) but if you connect to it from your phone, malware on the TV could attack your phone once connected.
In the boardroom example presented earlier, maybe your TV is not on a trusted network, but what happens if a presenter's computer infects the TV which then infects your executives' laptops the next time they connect to it?
To paraphrase, when you connect your computer to a network, you connect it to every computer that has ever connected to that network...
I agree in an extreme it could make the user experience a little less seamless but in many cases it should unnoticeable. For example, I don't use iCloud/iCloud Drive. I'm not logged in to it and it is unchecked. No need for its related daemons to ever run not to mention remain running. If I turn iCloud on, by all means start those services. But until then leave them off. Only running services if and only if they are enabled would hardly be an Apple innovation -- standard in UNIX for decades before MacOS X. And I recall -- but don't have access to check -- earlier versions of MacOS X were much better about this.
Agree completely. Unfortunately.
Last edited:
It's not a realistic vector of attack to be honest. This article sells up on fear- mongering over what is, essentially a proof of concept for everything. Of the targets only the Mac would make for an interesting angle, and even then, you'd have to develop the payload since none exists. Good on them for hustling for the bounty though, I'm sure it's a good chunk of change.It means any Apple devices you own should be on an OS/firmware March 31, 2025 or later from this list:
Apple security releases - Apple Support
This document lists security updates and Rapid Security Responses for Apple software.support.apple.com
Ditto for any 3rd-party devices that include AirPlay (which except for reverse engineered versions have to use Apple's SDK). So any Roku, LG, Samsung, etc TV should be on firmware that includes AirPlay video SDK 3.6.0.126 or later. Audio devices need to be updated to firmware that includes AirPlay audio SDK 2.7.1 or later. Any car with CarPlay should be on R18.1 or later. Good luck getting everyone in your family to keep up with that.
Then where this gets tricky is if an attacker uses one of these devices as a base to launch attach or more interesting devices. That is, maybe your TV is not an exciting target by itself (but maybe it has a camera and/or a microphone?) but if you connect to it from your phone, malware on the TV could attack your phone once connected.
In the boardroom example presented earlier, maybe your TV is not on a trusted network, but what happens if a presenter's computer infects the TV which then infects your executives' laptops the next time they connect to it?
To paraphrase, when you connect your computer to a network, you connect it to every computer that has ever connected to that network...
Last edited: