Critical 'AirBorne' Vulnerabilities Allow Remote Hijacking of Apple AirPlay Devices

Security researchers have uncovered serious vulnerabilities in Apple's AirPlay and CarPlay technologies that could allow hackers to remotely hijack millions of devices without requiring user interaction or passwords.

The collection of security flaws, named "AirBorne" by cybersecurity firm Oligo, affects both Apple's own products and third-party devices that use AirPlay technology for wireless streaming of audio, video, and other content.

Two particularly concerning vulnerabilities (CVE-2025-24252 and CVE-2025-24132) enable "wormable" zero-click exploits, meaning attackers on the same Wi-Fi network could take control of vulnerable devices without any user action.

Once compromised, affected devices like smart speakers and TVs could be used for espionage, ransomware distribution, or surveillance. Attackers could potentially access microphones to record conversations or manipulate media playback.

The root cause is AirPlay's open-access design, which is intended for easy device pairing over Wi-Fi. Researchers found many AirPlay servers exposed control commands without proper security measures.

While Apple has patched its own devices through recent updates, millions of third-party AirPlay products remain vulnerable. Many older devices may never receive security fixes, leaving them permanently at risk.

Public Wi-Fi networks pose the greatest threat, as attackers could target vulnerable devices in crowded spaces like airports, hotels and cafes. CarPlay systems are also at risk if they use weak Wi-Fi passwords or expose credentials during Bluetooth pairing.

To protect against AirBorne attacks, users should:

  • Install all available updates for AirPlay devices
  • Keep devices on secured home networks
  • Avoid connecting to public Wi-Fi
  • Disable unused AirPlay features
  • Consider replacing old devices that no longer receive updates

The discovery highlights growing security concerns around smart home devices and connected car systems that may lack proper security controls despite handling sensitive data and functions.