Agree, the challenge is now to get people to patch their devices.
Looks like quite a serious issue. Anyway happy to see that Apple has fixed the issue for its devices.
Somebody always does that 'bigger problems' fallacy. You're assuming the attacks come from your wifi network or your car. People connect to wifi networks in hotels and at their workplaces, and people connect to rental cars and company cars. Just because you don't doesn't mean nobody does.
Most of this stuff sounds cool in a lab, but isn’t real
For example…
“An attacker would need to be on the same Wi-Fi network as the intended victim”
So he has your Wi-Fi password or you’re doing AirPlay over public Wi-Fi?
“This attack vector would require the attacker to be directly in the car”.
If you have an attacker in your car, there’s a lot of attack vectors he can use that don’t involve CarPlay. I think you have bigger problems than your CarPlay being hacked.
Exactly. Depending on your carrier, your iPhone might even connect to their hot spots automatically by default (e.g. T-Mobile in Germany, see EAP-SIM). Sure, some hot spots isolate clients, but I wouldn't trust that to be the case 100 % of the time.
Somebody always does that 'bigger problems' fallacy. You're assuming the attacks come from your wifi network or your car. People connect to wifi networks in hotels and at their workplaces, and people connect to rental cars and company cars. Just because you don't doesn't mean nobody does.
Most of that info is in here and the CVEs that Apple do patch are official in the release notes that Apple provides with the update.
Would be good to have a concrete way to find out if one is vulnerable or not. Exactly what version of OS software from Apple includes the patches?
So you agree then that you didn't understand the situation. Also, of course it is, as most people constantly have meetings with people from outside the office.
That touchscreen shouldn’t be on guest Wi-Fi, but that scenario would not surprise me
Lock that down how, never have a meeting with anyone? How do people from two companies meet and present, maybe in a shared space? I hope you see where it goes from there... AirPlay is constantly used everywhere on shared devices.
I wouldn't work for or with any company that lacked the requisite governance and process management (and TAB/CAB) to lock that down. I know my company told everyone to kick rocks, only approved devices ever touch the network. And zero trust cleans up the rest. If your company gets hit by such low hanging fruit that's negligence and shareholders should sue
Exactly. Depending on your carrier, your iPhone might even connect to their hot spots automatically by default
Being on the same wireless network is not a very high barrier.
So you agree then that you didn't understand the situation. Also, of course it is, as most people constantly have meetings with people from outside the office.
AFAIK, the most critical were patched in 15.3
Would be good to have a concrete way to find out if one is vulnerable or not. Exactly what version of OS software from Apple includes the patches?
Verizon automatically connects you to their WiFi. AT&T did the same when I was with them. Apple stores do it too.
Exactly. Depending on your carrier, your iPhone might even connect to their hot spots automatically by default (e.g. T-Mobile in Germany, see EAP-SIM). Sure, some hot spots isolate clients, but I wouldn't trust that to be the case 100 % of the time.
Some vulnerabilities are of rather theoretical nature because a set of very specific conditions have to be met. Being on the same wireless network is not a very high barrier.
Simple answer: Anything below Ventura is fully vulnerable, with some patches looking like they only are being applied to Sequoia or maybe those only affect Sequoia.
Would be good to have a concrete way to find out if one is vulnerable or not. Exactly what version of OS software from Apple includes the patches?
This would be useful information — the AirPort firmware has not been updated since 2019 (versions 7.8.1 and 7.9.1) — I have four 2nd-generation Expresses used only for AirPlay 2 audio on a WiFi 7 mesh network. There’s also a Time Capsule connected via Ethernet that only functions as a storage device for Time Machine, but it’s accessible from the network. Are they vulnerable, in theory? It is not a public network, but still, I’m curious. Should Apple update this firmware?
I hope they deploy an update to my dear AirPort Express to patch this.
From the sound of it, the vulnerability allowed an actual virus that can jump from device to device, so the author of the virus doesn't need to know the owner of the car, but can infect it anyway. Like the Blaster virus from Windows XP era, that forced Microsoft to completely re-think PC security.
If you have an attacker in your car, there’s a lot of attack vectors he can use that don’t involve CarPlay. I think you have bigger problems than your CarPlay being hacked.
Note that despite all of Sequoia's kabuki theatre to protect us, it was still vulnerable. This is why many of us argue that instead of protecting our computers from us, Apple should be focused on basics. I am not worried about evil maids. I am worried about attacks over the network. The standard for this for decades starts with minimizing the attack surface area.
For years, I've argued for two obvious changes:
1) Don't run daemons/services/etc that aren't enabled. Don't start them, don't wake them, don't run them. If I have it turned off, I don't want to see the process running. I don't want to see log entries for it. I want it off.
2) Apple's services shouldn't be exempt from the firewall by default. The opposite and then the software tested with everything blocked by default rather than giving built-in software a bypass.
I think you didn’t understand my post.
So you agree then that you didn't understand the situation. Also, of course it is, as most people constantly have meetings with people from outside the office.
I think this is people writing an article to make it sound scarier than it is. Scary things get clicks. It mentioned unpatched devices. Does this mean if I have a currently updated iPhone it’s not vulnerable? There are a lot of specifics that are unclear.
From the sound of it, the vulnerability allowed an actual virus that can jump from device to device, so the author of the virus doesn't need to know the owner of the car, but can infect it anyway. Like the Blaster virus from Windows XP era, that forced Microsoft to completely re-think PC security.
Except Apple, quality-wise, has definitely introduced instability with patches. So it's not the same at all. People taking a wait-and-see approach are prudent, not nutjobs. A relatively minor patch to 18 broke physical security keys like YubiKey. I wish I had not updated so quickly. It locked me out of iCloud and all my stuff. It's why I traded one of my 16 PMs in for an S25 Ultra. It's a huge self own on Apple's part, they're running fast and loose. How is this not a terrible analogy?
Agree, the challenge is now to get people to patch their devices.
There is a good bunch of users out there with a similar mindset that anti-vaxxers have when it comes to patching devices.
Simple answer: Anything below Ventura is fully vulnerable, with some patches looking like they only are being applied to Sequoia or maybe those only affect Sequoia.
Us older Mac users—we are brave and live on the real cutting edge.
I think this is people writing an article to make it sound scarier than it is. Scary things get clicks. It mentioned unpatched devices. Does this mean if I have a currently updated iPhone it’s not vulnerable? There are a lot of specifics that are unclear.
I agree with you but this would wreck most users’ experience out of the box especially with regard to sync etc.
The amount of services now is ridiculous though, and even more so that there’s no good master list which Apple should provide so you can cross check and disable what you don’t need. Malware is out there that has similar names to Apple services and sometimes there is NO documentation for a given real Apple Service.
I have a Windows machine debloated and with more than half of the default services disabled (I did this manually, service by service) and it is incredibly responsive now despite being years old.
The first recent Apple machine that felt as responsive to me is the M4 Max and it has 3-4x the single core performance so that checks out, but there’s a bunch of stuff running in the background I will never use.
Fighting the daemons is a pain in the ass on macOS.
It's not a realistic vector of attack to be honest. This article sells up on fear-mongering over what is, essentially, a proof of concept for everything. Of the targets only the Mac would make for an interesting angle, and even then, you'd have to develop the payload since none exists. Good on them for hustling for the bounty though, I'm sure it's a good chunk of change.
It means any Apple devices you own should be on an OS/firmware March 31, 2025 or later from this list:
Apple security releases - Apple Support
This document lists security updates and Rapid Security Responses for Apple software.
support.apple.com
Ditto for any 3rd-party devices that include AirPlay (which except for reverse engineered versions have to use Apple's SDK). So any Roku, LG, Samsung, etc TV should be on firmware that includes AirPlay video SDK 3.6.0.126 or later. Audio devices need to be updated to firmware that includes AirPlay audio SDK 2.7.1 or later. Any car with CarPlay should be on R18.1 or later. Good luck getting everyone in your family to keep up with that.
Then where this gets tricky is if an attacker uses one of these devices as a base to launch attacks on more interesting devices. That is, maybe your TV is not an exciting target by itself (but maybe it has a camera and/or a microphone?) but if you connect to it from your phone, malware on the TV could attack your phone once connected.
In the boardroom example presented earlier, maybe your TV is not on a trusted network, but what happens if a presenter's computer infects the TV which then infects your executives' laptops the next time they connect to it?
To paraphrase, when you connect your computer to a network, you connect it to every computer that has ever connected to that network...