NEWS Bluetooth, Wi-Fi, and Root Access in the Trunk: Hackers Learn to Break into Cars via Apple CarPlay

ExcalibuR

All it takes for a successful attack is a smartphone and half a minute.

Researchers from Oligo Security have discovered a vulnerability in Apple CarPlay that allows for remote code execution with root privileges, granting full control over a car's infotainment system. The flaw is registered as CVE-2025-24132 and affects the implementation of the AirPlay protocol in CarPlay.

The vulnerability affects AirPlay Audio SDK versions prior to 2.7.1, AirPlay Video SDK versions prior to 3.6.0.126, and CarPlay Communication Plug-in versions up to and including R18.1. The issue was demonstrated at the DefCon 33 conference as part of the "Pwn My Ride" presentation. The experiment showed that an attacker can combine the use of Bluetooth and Wi-Fi to infiltrate a car's system without any interaction from the driver.

Wireless CarPlay uses a combination of protocols: iAP2 over Bluetooth handles network parameter setup, while AirPlay over Wi-Fi is used for mirroring the iPhone's screen. The researchers found that an attack only requires a Bluetooth radio module to initiate a "Just Works" simplified pairing. After this, the attacker obtains the SSID and password for the hidden CarPlay Wi-Fi network and can trigger a buffer overflow in the AirPlay stack. This provides the ability to execute code at the kernel level.

Although Apple released patched versions of the SDKs on April 29, 2025, manufacturers of automotive infotainment systems rarely implement updates quickly. For most models, an update requires a visit to a service center or installation via a USB drive, leaving millions of cars vulnerable even months after the patches were published.

The researchers did not disclose all the exploitation details to give vendors time to adapt the updates. Nevertheless, they confirmed successful root access acquisition in various CarPlay implementations. Particular attention is paid to the wireless connection: unlike the wired option, it allows for remote attacks on the car, requiring only that the attacker act within the short "window" of device discovery during pairing.

The problem is exacerbated by a fragmented supply chain: car manufacturers, head unit suppliers, middleware developers, and aftermarket solution integrators must all independently update the SDK, test for compatibility, and distribute the firmware. Modern models with support for over-the-air (OTA) updates may receive fixes faster, but for most car owners, the risk will persist for a long time.

Specialists recommend that companies using CarPlay in fleet operations check their firmware versions and establish strict update policies. Automakers and equipment suppliers need to accelerate the integration of the patched SDKs and optimize the validation process.
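The affected-version ranges in the article (AirPlay Audio SDK below 2.7.1, AirPlay Video SDK below 3.6.0.126, CarPlay Communication Plug-in up to and including R18.1) are the only concrete check a fleet operator can run before a vendor firmware arrives. The following script is an added example written for this post; it is not code from Oligo Security, Apple, or any head-unit vendor. It compares an inventory of head units against those thresholds, handling the mixed version formats the article quotes (dotted numeric versions and an "R"-prefixed plug-in release). The component keys and the inventory records are constructed for illustration, and how a real operator exports its firmware component versions is assumed to be available elsewhere.

```python
"""Audit CarPlay component versions against the patched thresholds for CVE-2025-24132.

Added example for this post; thresholds come from the article, everything else
(component keys, inventory records) is constructed for illustration.
"""
import re

# Affected ranges as stated in the article.
# "lt": versions strictly below the threshold are affected.
# "le": versions up to and including the threshold are affected.
AFFECTED = {
    "airplay_audio_sdk": ("lt", "2.7.1"),        # prior to 2.7.1
    "airplay_video_sdk": ("lt", "3.6.0.126"),    # prior to 3.6.0.126
    "carplay_comm_plugin": ("le", "R18.1"),      # up to and including R18.1
}


def parse_version(text):
    """Turn '3.6.0.126' or 'R18.1' into a tuple of ints.

    A leading alphabetic release prefix (the 'R' in R18.1) is dropped so the
    numeric part can be compared; anything else is rejected rather than guessed.
    """
    core = re.sub(r"^[A-Za-z]+", "", text.strip())
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing two version tuples; shorter tuples are zero-padded."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(component, version):
    """True if the given component version falls inside the affected range."""
    mode, threshold = AFFECTED[component]
    result = compare_versions(parse_version(version), parse_version(threshold))
    return result < 0 if mode == "lt" else result <= 0


def audit(inventory):
    """Return (unit_id, component, version, status) for every component in the inventory.

    Components the article does not cover are reported as 'unknown-component'
    so they are visible in the report instead of silently passing.
    """
    report = []
    for unit in inventory:
        for component, version in unit["components"].items():
            if component not in AFFECTED:
                status = "unknown-component"
            elif is_affected(component, version):
                status = "VULNERABLE"
            else:
                status = "patched"
            report.append((unit["unit_id"], component, version, status))
    return report


def vulnerable_units(inventory):
    """Sorted list of unit ids with at least one component inside the affected range."""
    return sorted({unit_id for unit_id, _, _, status in audit(inventory) if status == "VULNERABLE"})


# Constructed sample inventory: three head units with mixed patch states.
INVENTORY = [
    {"unit_id": "van-01", "components": {"airplay_audio_sdk": "2.6.4",
                                          "airplay_video_sdk": "3.6.0.126",
                                          "carplay_comm_plugin": "R18.1"}},
    {"unit_id": "van-02", "components": {"airplay_audio_sdk": "2.7.1",
                                          "airplay_video_sdk": "3.6.0.126",
                                          "carplay_comm_plugin": "R18.2"}},
    {"unit_id": "van-03", "components": {"airplay_video_sdk": "3.6.0.125",
                                          "navigation_firmware": "9.1"}},
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("{:<8} {:<22} {:<10} {}".format(*row))
    print("units needing a firmware update:", ", ".join(vulnerable_units(INVENTORY)))
```

The zero-padding in `compare_versions` is deliberate: a vendor that reports "2.7" for the audio SDK is treated as 2.7.0, which is below the patched 2.7.1 and therefore still flagged, and an "R18" plug-in is treated as R18.0, inside the affected range. Any component key the article does not mention is surfaced as unknown rather than marked safe.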