CarPlay functionality remains lacking in numerous automobiles that support AirPlay.
In a concerning development for car owners, researchers from Oligo Security have discovered a security vulnerability affecting Apple's in-car entertainment system, CarPlay, due to its wireless protocol being based on AirPlay. This vulnerability, named 'Pwn My Ride', could potentially grant root privileges to attackers, allowing them to manipulate the system, steal data, or spy.
The researchers published a paper about their findings last week, focusing on the wireless scenario. Initially, it was unclear whether attacks were also possible over a wired connection in vehicles that do not support wireless CarPlay. However, the team found that, depending on the vehicle model, even older versions of AirPlay Audio, AirPlay Video, and the CarPlay Communication Plug-in may allow zero-click attacks, i.e. attacks requiring no user interaction.
The vulnerability can be exploited when a device is connected to a car's multimedia system. In a demonstration video, Oligo Security showed how they could place a 'Hacked' image on the screen of the entertainment system after joining the car's Wi-Fi hotspot. The car itself assists the attacker here, because the Wi-Fi password is transmitted over the iAP2 protocol.
This discovery comes after experts from Oligo Security discovered similar vulnerabilities in Apple's local streaming protocol, AirPlay, affecting various devices on the same Wi-Fi network, in April. Apple has patched the vulnerabilities in its operating systems, but manufacturers of AirPlay-enabled devices and car systems are lagging behind in patching.
Car manufacturers are now being called upon to solve the problem, as several million vehicles on the road may still be unpatched. The issue is particularly difficult because of the slow, fragmented, and manual update cycles in the automotive industry. Firmware updates for vehicles are often not delivered over the air (OTA) but only via USB stick and/or at a dealer workshop.
It's worth noting that there is no publicly available comprehensive list of which automobile manufacturers have not yet fixed the AirPlay-based CarPlay vulnerability. Oligo Security wrote that it is challenging to ensure that every vendor relying on Apple's AirPlay SDK implements the fix and passes it on to end users. An attacker needs knowledge of the specific vehicle's CarPlay implementation, but widely deployed systems are a particular concern.
In a similar prank-style demonstration, Oligo Security showed how the AirPlay vulnerability could be used to tamper with the displays of AirPlay-enabled speakers. With root access to the entertainment system, an attacker can manipulate the system, steal data, or spy.
As the automotive industry moves towards more connected and autonomous vehicles, the importance of securing these systems cannot be overstated. Car manufacturers and technology providers must prioritise security to protect drivers and passengers from potential threats.