Security vulnerabilities discovered in Apple's AirPlay SDK mean that millions of devices could be hacked by attackers. The flaws have been dubbed AirBorne.
Related vulnerabilities would also have allowed hackers to attack Apple devices, but the iPhone maker says it has issued fixes for these in the past few months. CarPlay devices are also vulnerable, though the real-life risks there are very low …
AirPlay is the Wi-Fi-based protocol that allows Apple devices like iPhones, iPads, and Macs to wirelessly send audio and video to third-party speakers, audio receivers, set-top boxes, and smart TVs.
Wired reports that a vulnerability in Apple's software development kit (SDK) means that tens of millions of those devices could be compromised by an attacker.
On Tuesday, researchers from the cybersecurity firm Oligo revealed what they're calling AirBorne, a collection of vulnerabilities affecting AirPlay, Apple's proprietary radio-based protocol for local wireless communication. Bugs in Apple's AirPlay software development kit (SDK) for third-party devices would allow hackers to hijack gadgets like speakers, receivers, set-top boxes, or smart TVs if they're on the same Wi-Fi network as the hacker's machine […]
Oligo's chief technology officer and cofounder, Gal Elbaz, estimates that potentially vulnerable third-party AirPlay-enabled devices number in the tens of millions. “Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch—or they will never be patched,” Elbaz says. “And it's all because of vulnerabilities in one piece of software that affects everything.”
For consumers, an attacker would first need to gain access to your home Wi-Fi network. The risk of this depends on the security of your router: millions of wireless routers also have serious security flaws, but access would be limited to the range of your Wi-Fi.
AirPlay devices on public networks, like those used everywhere from coffee shops to airports, would allow direct access.
The researchers say the worst-case scenario would be an attacker gaining access to the microphones in an AirPlay device, such as those in smart speakers. However, they have not demonstrated this capability, meaning it remains theoretical for now.
The researchers followed standard practice in reporting the issues to Apple and waiting for the company to issue security fixes before disclosing the vulnerabilities. Apple says it has issued patches for all its own devices, as well as making fixes available to the makers of third-party products.
Check out the Wired piece for a proof-of-concept video, in which researchers exploit AirBorne to display their company logo on a Bose speaker.
CarPlay devices are also vulnerable to AirBorne, though in that case an attacker would need to be able to pair their device, making it a far smaller real-life risk.
9to5Mac's Take
The risks here aren't enormous, but it's worth ensuring you install any security updates issued for your AirPlay devices. It's of course always good practice to keep all of your tech updated.
Image: Oligo