Millions of AirPlay-enabled devices were at risk for months as Apple and security researchers at Oligo worked together to develop and roll out patches for a collection of bugs the researchers dubbed “AirBorne.”
The bugs discovered by the Oligo team would essentially permit any threat actor connected to the same Wi-Fi network as a third-party AirPlay enabled device to run their own code on it. That means anyone connected to the same Wi-Fi as a smart TV, speaker or set-top box at a party, could potentially use that open AirPlay connection to spread malicious code from one device to another.
Infected devices could then be used for a variety of malicious behavior like ransomware, surveillance, espionage or supply-chain infiltration. Since many of these devices also contain microphones, they could hypothetically also be used as listening devices.
The good news is that Apple products regularly receive fixes and all of these AirBorne bugs have been patched at this point. The bad news is that smart home devices, also affected by these vulnerabilities as are CarPlay devices, are very rarely patched so millions of them remain open vectors for this flaw.
AirPlay, Apple’s radio-based protocol for local wireless communication, is popular among users because it is convenient and ‘always-on.’ It’s a security issue for much the same reason – and because manufacturers are able to incorporate the SDK (software developers kit) without having to notify Apple or receive certification to become an approved device, many devices use the protocol without requiring or getting regular updates on their end.
So, while the Apple-based devices have patched the bugs, and while Apple tells Wired that it has developed a patch for the affected third-party devices but it would require users to actually update the devices themselves. Apple also told the news outlet that in order for the AirBorne bugs to deploy correctly on Apple-based devices, the user would have had to change their default AirPlay settings.
While a motivated hacker on a public Wi-Fi network who had brought their own smart-home device may be able to create the right set of circumstances, there are few situations wherein a hacker would find themselves in an ideal situation to spread malware or viruses.
That being said, and we’ve said this before, it is of critical importance to keep your devices updated and to make sure that your smart home devices (and all your accounts for that matter) have strong, unique passwords.
