Hackers could hijack AirPlay & CarPlay devices using a set of 'AirBorne' flaws

Millions of AirPlay devices are putting users at risk, and hackers don't even need a password to break in. A newly discovered set of flaws, dubbed "AirBorne," exposes Apple's AirPlay and CarPlay technology to attacks from hackers on the same Wi-Fi network.

AirPlay is Apple's wireless streaming technology that lets users send video, audio, and other content between devices on the same network, while CarPlay connects an iPhone to a car's infotainment system for navigation, music, and communication. Both systems are widely used across Apple's ecosystem and in millions of third-party products.

AirPlay's open design made it vulnerable to attacks. According to cybersecurity firm Oligo, the vulnerabilities could allow attackers to hijack third-party smart speakers, TVs, set-top boxes, and other AirPlay-enabled gadgets. Researchers demonstrated that two of the vulnerabilities, CVE-2025-24252 and CVE-2025-24132, can be used to create wormable, zero-click exploits.

In other words, attackers could hijack certain AirPlay-enabled devices without needing any interaction from the user. Compromised devices could be weaponized for serious attacks like espionage, ransomware delivery, supply-chain infiltration, and surveillance. In some cases, attackers could even hijack the microphone of a smart speaker to eavesdrop on conversations or manipulate media playback to cause distractions.

The vulnerabilities stem from AirPlay's open-access design, which was originally built for seamless device pairing over Wi-Fi. Oligo researchers found that AirPlay servers often exposed commands without sufficient access controls, leaving devices vulnerable to remote takeover.

Patch released for Apple's own products

Apple patched its own devices through recent updates, but it has no control over the update process for third-party manufacturers. Oligo warns that many third-party devices, especially older ones, may never receive fixes, leaving them permanently vulnerable.

Risks on public Wi-Fi networks are real

Although an attacker must be on the same Wi-Fi network to exploit AirBorne flaws, public Wi-Fi networks present an obvious danger. Airports, hotels, cafes, and other crowded locations offer ideal environments for attackers to hijack vulnerable devices.

Avoiding exposure is key

Still, people rarely bring smart home devices into these spaces, limiting some of the practical exposure. Some CarPlay-enabled devices could also be vulnerable. If a CarPlay device uses a default, predictable, or weak Wi-Fi password, attackers nearby could gain access and run a remote code execution exploit.

Protecting your AirPlay devices

To stay safe, install any available updates for third-party AirPlay devices as soon as they are released. It's also safer to keep these devices on secured home networks and avoid connecting them to public Wi-Fi, where hacking risks are higher.

Securing your own Wi-Fi network is crucial

Securing your own Wi-Fi network also closes nearly every attack vector exposed by "AirBorne." Users can disable AirPlay features on devices they don't regularly use to reduce their exposure. In some cases, replacing older smart home products that no longer receive updates may be the best option for maintaining security.