Security experts at this year’s Defcon 33 security conference have discovered a major flaw in Apple’s CarPlay system. Hackers could gain complete control of a car’s infotainment system without the driver having to make a single click. Apple CarPlay has been a target of hackers, and it’s known as a true zero-click exploit.
Hackers Target Apple CarPlay
The “Pwn My Ride” demonstration clarify how hackers might take use of flaws in the wireless CarPlay version to execute malicious code and obtain complete system access, possibly endangering millions of vehicles.
Vulnerability core Apple CarPlay is the target of hackers
Known as CVE-2025-24132, the significant vulnerability is a stack buffer overflow in Apple’s AirPlay software development kit (SDK). Which is the same protocol use to wirelessly mirror iPhone screens.
Once an attacker connects to the car’s Wi-Fi network, the vulnerability may be activated. It essentially gives them total control over the multimedia system by enabling them to run malicious programs with root privileges, the greatest level of system access.
The issue affects:
Versions of the AirPlay Audio SDK prior to 2.7.1
Versions of the AirPlay Video SDK prior to 3.6.0.126
Versions of the CarPlay Communication Plug-in prior to R18.1 (including R18.1)
How The Attack Works
The attack chain begins with Bluetooth connection, which many cars still have set up in “Just Works” mode, according to a blog post by Oligo Security researchers. Because of this unsecure configuration, a hacker can connect with ease and without a PIN.
Following pairing, the hacker exploits a weakness in the iAP2 protocol, which serves as the communication link between the iPhone and CarPlay. In this arrangement, the phone does not verify the automobile in return. But the car confirms that the phone is authentic. This loophole allows a hackerβs device to masquerading as an iPhone, deceive the car into passing over its Wi-Fi password, and obtain admission to the in-car network.
The hacker can take over the infotainment system by exploiting the AirPlay vulnerability after connecting to Wi-Fi. The takeover often occurs entirely in the background and doesn’t involve any interaction from the driver.
Patches Exist, But Cars Lag Behind
In April 2025, Apple discreetly patched the AirPlay vulnerability. The issue is that not many automakers have implemented the upgrade. Vehicles may require manual USB installs, dealership visits, or lengthy testing cycles before drivers receive upgrades. In contrast to smartphones or laptops that receive automatic over-the-air (OTA) updates overnight.
Automakers need to modify Apple’s fix, test it on their own hardware, and confirm that it works with various vendors. Millions of cars are left vulnerable months after the fix was release due to this disjoint procedure, which can take months or even years.
A lengthy tail of exposure is the end result. Many models take months, years, or never get the update, although high-end models with strong OTA pipelines might get it rapidly. Long after there is a “official” patch, millions of cars could still be at risk, the experts caution.
Why It Matters
Hackers can spy on drivers by tampering with apps or microphones, intercepting communications or navigation data. Installing persistent malware in the infotainment system, or using the system as a stepping stone to other parts of the vehicle, even though the vulnerability does not grant hackers control over the steering or brakes.
Automakers and suppliers must use Apple’s patch SDK and distribute it to cars. Car owners cannot resolve the problem on their own, security experts warn. Since they need physical access to take advantage of the car. Drivers who use wired CarPlay connections are safe until that time.
The gap between safety and innovation will continue to endanger drivers as automobiles get more link. Fixing them isn’t always easy.
First of all to thank you for the information. The second thing is where you get such information from.