Do you use AirPlay to send videos from an iPhone, iPad, or Mac to a television or play music through a smart speaker? Then friends, you are in for a treat. Thanks to a vulnerability in not just Apple’s operating system, but the ecosystem-wide AirPlay software development kit (SDK), over two billion devices are vulnerable to a zero-click remote code execution bug. And it only gets worse from there.
The series of vulnerabilities in the AirPlay SDK, collectively dubbed AirBorne, is a rare one in that it doesn’t require any social engineering or user manipulation for an attacker to exploit. All that needs to happen is for the bad actor to be in the general vicinity of a device that implements AirPlay and send a well-crafted message to a vulnerable device, and they can run any code their heart desires on that device. The folks over at Oligo Security discovered the bugs and produced their own proof-of-concept that allowed them to take full control as root on a Mac through Apple Music’s AirPlay implementation.
There are actually a host of vulnerabilities that were all wrapped together to make potential exploits so scary. First of all, they can bypass the Access Control List (ACL) that allows an unauthenticated user to take control of a device. And of course, from there you can say goodbye to your privacy for personal data on the device as encryption keys and passwords are available to a root user. And because it doesn’t take any user intervention, the issue can propagate to other AirPlay devices like wildfire, which means exploits could potentially be wormable.
Devices can get to that state through remote code execution vulnerabilities. A Use After Free bug would allow a bad actor to point to a data address that had supposedly been freed up and reuse the data there. If the data didn’t have its address randomized properly, then a hacker could predict where a piece of data would be and write something else to that location. Then through an approach called “type confusion,” the next time it’s picked up, the data doesn’t conform to the correct type and you can wind up with stack-based overflows and the gates are open.
Your Macs are covered, but the AirBorne vulnerability goes farther than that.
Fortunately for those with Apple devices, the software updates to fix this vulnerability are already out in the wild. Devices running iOS or iPadOS 18.4, macOS 15.4, watchOS 11.3, and visionOS 2.3 or later all have the fixes required to address the problem. So our iPhone 16 Pro and M4 Max Mac Studio are covered, and your iDevices probably are, too. Additionally, Apple has released patches for iPadOS 17 and macOS going back to version 13. And the AirPlay SDK has already been updated and distributed to hardware makers, as well.
But just search HotHardware for the term “AirPlay” and you’ll start to get a feel for the depth and breadth of the issue. According to Apple in January of this year, approximately 2.35 billion devices in the world implement AirPlay. Obviously that includes all the iPhones, iPads, and Macs that users have bought from Cupertino, but it also includes things like smart TVs, smart speakers, home theater receivers, automotive CarPlay-compatible devices (especially those with wireless CarPlay), and more. AirPlay is super convenient for Apple users, because it allows them to talk to devices outside of their ecosystem.
An SDK vulnerability is an especially big deal because no self-respecting hardware manufacturer is going to implement the AirPlay protocol by hand. This author has four TVs in the house, all of which support AirPlay, as well as a home theater receiver and two AirPlay-compatible sound bars in different rooms. All seven of those non-Apple devices are theoretically vulnerable unless a firmware update has been released or I go through each and turn AirPlay off.
The saving grace even for third-party devices is that it’s very unlikely that an exploit of any value could be released universally for all AirPlay devices. Each IoT device with AirPlay could have its own hardware configuration including processor, memory, storage, and OS. At best, you might see (for example) something that targets unpatched LG WebOS devices or Samsung Tizen devices, but even that could be a stretch; it might come down to targeting specific models or specific firmware versions. Still, the fact this has existed for so long is a pretty noteworthy event.
The real problem is that third party manufacturers have to implement the new AirPlay SDK and release updates for their devices. There are likely hundreds of millions of devices in the wild that offer AirPlay yet have reached the end of their software development lifecycle. So you’ll want to check with the manufacturer of each device to ensure that the latest firmware has been applied, and that it includes the fixes disclosed by Oligo. And if there is no update, your best bet is to disable AirPlay on those devices entirely.
