At this year's DefCon 33 security conference, security researchers unveiled a major flaw in Apple's CarPlay system that could allow hackers to take control of a car's infotainment system without the driver clicking a thing: a true zero-click exploit.
The demonstration, titled "Pwn My Ride", showed how attackers could exploit weaknesses in the wireless version of CarPlay to run malicious code and gain full control of the system, leaving millions of vehicles potentially at risk.
The Vulnerability At The Core
The critical flaw, tracked as CVE-2025-24132, is a stack buffer overflow in Apple's AirPlay software development kit (SDK), the code that implements AirPlay, the same protocol used to wirelessly mirror iPhone screens.
The vulnerability can be triggered once an attacker is on the vehicle's Wi-Fi network. It allows them to execute malicious code with root privileges, the highest level of system access, effectively giving them complete control of the multimedia system.
The issue affects:
- AirPlay Audio SDK versions before 2.7.1
- AirPlay Video SDK versions before 3.6.0.126
- CarPlay Communication Plug-in versions R18.1 and earlier
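As an added, practical check (example code written for this article, not from Apple or Oligo Security): a small Python script that compares a head unit's reported SDK version against the affected ranges listed above. The component keys, the version-string formats it accepts (dotted numbers with an optional "R" prefix) and the inventory records are all constructed for the example.

```python
"""Flag head-unit components whose SDK version falls in the CVE-2025-24132 affected ranges."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Upper bounds of the affected ranges, taken from the list above.
# (bound, inclusive): the audio and video SDKs are affected *before* the fixed
# version, while the CarPlay plug-in is affected up to and including R18.1.
# The component keys are constructed for this example.
AFFECTED_UPTO: Dict[str, Tuple[Version, bool]] = {
    "airplay-audio-sdk": ((2, 7, 1), False),
    "airplay-video-sdk": ((3, 6, 0, 126), False),
    "carplay-comm-plugin": ((18, 1), True),
}

_VERSION_RE = re.compile(r"^[Rr]?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """Turn '3.6.0.126' or 'R18.1' into a tuple of ints; an 'R' prefix is tolerated."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad the shorter tuple with zeros so '2.7' compares as 2.7.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(component: str, version: str) -> bool:
    """True when the reported version lies inside the affected range for the component."""
    bound, inclusive = AFFECTED_UPTO[component]
    v, b = _padded(parse_version(version), bound)
    return v <= b if inclusive else v < b


# Constructed inventory, not real vehicle data.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"unit": "HU-0001", "component": "airplay-video-sdk", "version": "3.5.9"},
    {"unit": "HU-0002", "component": "airplay-video-sdk", "version": "3.6.0.126"},
    {"unit": "HU-0003", "component": "airplay-audio-sdk", "version": "2.7"},
    {"unit": "HU-0004", "component": "carplay-comm-plugin", "version": "R18.1"},
    {"unit": "HU-0005", "component": "carplay-comm-plugin", "version": "R19"},
]


def audit(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the unit IDs that still run an affected version."""
    return [rec["unit"] for rec in inventory if is_affected(rec["component"], rec["version"])]


if __name__ == "__main__":
    for unit in audit(SAMPLE_INVENTORY):
        print(f"{unit}: affected by CVE-2025-24132, schedule an update")
```

The inclusive flag matters: the fixed audio and video SDK releases are themselves clean, but a plug-in reporting exactly R18.1 is still in the affected range, so a naive "less than" comparison would miss it.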
How The Attack Works
Researchers from Oligo Security explained in a blog post that the attack chain starts with Bluetooth pairing, which many cars still configure in "Just Works" mode. This pairing mode performs no authentication of the other device, so an attacker can pair without a PIN code or any confirmation from the driver.
After pairing, the attacker takes advantage of a design flaw in the iAP2 protocol, the communication bridge between CarPlay and the iPhone. iAP2 authentication runs in one direction only: the iPhone verifies that the accessory (the car) is genuine, but the car never verifies that the device on the other end is a real iPhone. This gap allows an attacker's device to impersonate an iPhone, request the Wi-Fi credentials the car hands to a paired phone for wireless CarPlay, and join the in-car network.
Once connected to Wi-Fi, the hacker can trigger the AirPlay vulnerability to seize control of the infotainment system. In many cases, the takeover requires no interaction from the driver and takes place completely in the background.
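A toy model of the authentication gap in the chain above, added here as an illustration (it is not iAP2, not Apple's MFi scheme, and not Oligo's code). It assumes an HMAC challenge-response over constructed secrets as a stand-in for the real certificate-based accessory check, and adds a hypothetical phone-side secret that iAP2 does not have, only to show what a mutual check would change. All secrets and Wi-Fi credentials are constructed.

```python
"""Toy model: one-way vs. mutual authentication before a Wi-Fi credential hand-off.

Stand-in for the iAP2 design flaw discussed above. Real iAP2 authenticates the
accessory with a certificate-bearing coprocessor; here an HMAC challenge-response
over constructed secrets plays that role, and a hypothetical phone-side secret
shows what mutual authentication would add.
"""
import hashlib
import hmac
import os

ACCESSORY_SECRET = b"constructed-accessory-secret"   # stands in for the car's MFi credential
PHONE_SECRET = b"constructed-phone-secret"           # hypothetical; iAP2 has no such phone secret
WIFI_CREDENTIALS = {"ssid": "CarPlay-Demo", "psk": "constructed-psk"}


def _prove(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def _check(secret: bytes, nonce: bytes, proof: bytes) -> bool:
    # In the toy the verifier holds the same secret; in the real scheme this
    # would be a public-key check against the accessory's certificate.
    return hmac.compare_digest(_prove(secret, nonce), proof)


class Car:
    """Accessory side. With mutual=False it answers the phone's challenge but never issues one."""

    def __init__(self, mutual: bool):
        self.mutual = mutual
        self.log = []

    def prove(self, nonce: bytes) -> bytes:
        self.log.append("car -> device: proof of accessory identity")
        return _prove(ACCESSORY_SECRET, nonce)

    def handoff(self, device):
        """Return Wi-Fi credentials to `device` if the protocol allows it."""
        if self.mutual:
            nonce = os.urandom(16)
            self.log.append("car -> device: challenge")
            if not _check(PHONE_SECRET, nonce, device.prove(nonce)):
                self.log.append("car: device failed to prove it is a phone, no credentials")
                return None
        self.log.append("car -> device: Wi-Fi credentials")
        return WIFI_CREDENTIALS


class Phone:
    """Genuine phone: verifies the car, then asks for the hand-off."""
    secret = PHONE_SECRET

    def prove(self, nonce: bytes) -> bytes:
        return _prove(self.secret, nonce)

    def connect(self, car: Car):
        nonce = os.urandom(16)
        if not _check(ACCESSORY_SECRET, nonce, car.prove(nonce)):
            return None  # the phone would refuse a counterfeit accessory
        return car.handoff(self)


class Impostor(Phone):
    """Attacker's device: speaks the phone side of the exchange but holds no phone secret."""
    secret = b"attacker-has-no-phone-secret"

    def connect(self, car: Car):
        # The attacker has no reason to verify the car; it just asks for the hand-off.
        return car.handoff(self)


def one_way_leaks_credentials() -> bool:
    """With one-way authentication the impostor walks away with the Wi-Fi credentials."""
    return Impostor().connect(Car(mutual=False)) == WIFI_CREDENTIALS


def mutual_auth_stops_impostor() -> bool:
    """Hypothetical fix: the car challenges the device too, so only a real phone gets credentials."""
    blocked = Impostor().connect(Car(mutual=True)) is None
    genuine_ok = Phone().connect(Car(mutual=True)) == WIFI_CREDENTIALS
    return blocked and genuine_ok
```

The point the model makes is that the only check in the one-way flow runs on the phone side, and the attacker controls that side and simply skips it; nothing the car does depends on who it is talking to. Whether the fix belongs in the protocol or elsewhere is for Apple and the automakers to decide; the `mutual=True` branch only shows where a check is missing.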
Patches Exist, But Cars Lag Behind
Apple quietly fixed the AirPlay vulnerability in April 2025, but here's the problem: very few car manufacturers have rolled out the update. Unlike smartphones or laptops, which receive automatic over-the-air (OTA) updates overnight, vehicles often depend on dealership visits, manual USB installs, or slow testing cycles before updates reach drivers.
Automakers must integrate Apple's patched SDK, test it on their specific hardware, and validate it across different suppliers. This fragmented process can take months or even years, leaving millions of cars exposed long after the patch was issued.
"The result is a long tail of exposure. While high-end models with robust OTA pipelines may be patched quickly, many others take months, years, or never receive the update at all. That leaves millions of vehicles potentially exposed, long after an 'official' fix exists," the researchers warned.
Why It Matters
While the vulnerability doesn't give hackers control over steering or brakes, it allows attackers to spy on drivers by tampering with apps or microphones, intercept communications or navigation data, install persistent malware in the infotainment system, or use the system as a stepping stone to other parts of the vehicle.
Security experts caution that car owners can't fix the issue on their own: it's up to automakers and suppliers to adopt Apple's patched SDK and ship it to vehicles. Until then, drivers who use only wired CarPlay are not exposed to this chain, since it depends on the Bluetooth pairing and Wi-Fi steps; attacking a wired-only setup would require physical access to the vehicle.
As cars become more connected, the gap between innovation and safety will continue to put drivers at risk, and the road to patching them isn't always smooth.