Apple’s AirPlay feature makes it easy to play music or share photos and videos from your iPhone or MacBook to other Apple or non-Apple devices. But a vulnerability has been discovered in the protocol that could allow potential attackers to move freely across the network between devices and spread malware. Apple products are regularly updated, but some smart home devices are not, and they could become springboards for malware, Wired reports.
Image source: apple.com
Cybersecurity experts at Oligo have disclosed a set of vulnerabilities they call AirBorne that threaten Apple’s AirPlay wireless local communications protocol. A bug in the third-party software development kit (SDK) could allow hackers to target a wide range of devices, including speakers, receivers, set-top boxes, and smart TVs, all connected to the same Wi-Fi network as the hacker’s machine. Another set of vulnerabilities in the same AirBorne family could have allowed Apple devices with AirPlay to be used for the same purpose, but the company has patched those vulnerabilities in updates in recent months. The vulnerabilities could only be exploited if users changed default settings, an Apple spokesperson added.
Tens of millions of third-party AirPlay-compatible devices are affected. Patching them all will take years, and the reality, says Oligo, is that most of them will remain vulnerable because of a bug in Apple’s software. The company has been helping the tech giant patch the AirBorne vulnerabilities for months, but unless consumers start updating their third-party products, nothing will change.
A hacker can reach a Wi-Fi network containing vulnerable devices by breaking into a computer on a home or corporate network, or by connecting to Wi-Fi at a cafe or airport. They can then take control of a vulnerable device and use it as a covert entry point, compromise other devices on the network, and enroll them in a centrally coordinated botnet. Many of the vulnerable gadgets have microphones, which could be used for eavesdropping, Oligo says. The experts did not create reference exploit code to demonstrate the scale of the threat, but they showed how it works using a Bose speaker made to display the Oligo logo.
Oligo alerted Apple to the AirBorne issue last fall, and the manufacturer responded by issuing security updates with the support of the company that identified the issue. Third-party smart speakers and TVs may contain user data, Apple acknowledged, although only in small amounts. AirBorne also affected the CarPlay protocol, which is used to connect Apple devices to car infotainment systems, but CarPlay offers attackers fewer opportunities to exploit it.
By contrast, devices on home networks look like more suitable targets for hacking: they can become sources of ransomware or be taken over by attackers for espionage, while consumers often see no threat in such equipment at all and do not consider it necessary to update its software. Oligo discovered the AirBorne set of vulnerabilities by accident, while working on another project. The situation is aggravated by the fact that some manufacturers include AirPlay support in their products without notifying Apple and without the product receiving “certified” status.