At this year's DefCon 33 security conference, security researchers unveiled a major flaw in Apple's CarPlay system that could allow hackers to take control of a car's infotainment system -- all without the driver clicking a thing -- a true zero-click exploit.
The demonstration, titled "Pwn My Ride", shed light on how attackers could exploit weaknesses in the wireless version of CarPlay to run malicious code and gain full system access -- leaving millions of vehicles potentially at risk.
The Vulnerability At The Core
The critical flaw, tracked as CVE-2025-24132, is a stack buffer overflow in Apple's AirPlay software development kit (SDK); AirPlay is the same protocol used to wirelessly mirror iPhone screens.
The vulnerability can be triggered once an attacker joins the vehicle's Wi-Fi network. It allows them to execute malicious code with root privileges -- the highest level of system access -- effectively giving them complete control of the multimedia system.
Researchers from Oligo Security explained in a blog post that the attack chain starts with Bluetooth pairing, which many cars still configure in "Just Works" mode. This insecure setup means a hacker can easily connect without needing a PIN code.
After pairing, the hacker takes advantage of a design flaw in the iAP2 protocol -- the communication bridge between CarPlay and the iPhone. In this setup, the car verifies that the phone is legitimate, but the phone doesn't check the car in return. This one-way authentication allows a hacker's device to impersonate an iPhone, trick the car into handing over its Wi-Fi password, and gain entry to the in-car network.
Once connected to Wi-Fi, the hacker can trigger the AirPlay vulnerability to seize control of the infotainment system. In many cases, the takeover requires no interaction from the driver and takes place completely in the background.
Patches Exist, But Cars Lag Behind
Apple quietly fixed the AirPlay vulnerability back in April 2025, but here's the problem: very few car manufacturers have rolled out the update. Unlike smartphones or laptops, which receive automatic over-the-air (OTA) updates overnight, vehicles often depend on dealership visits, manual USB installs, or slow testing cycles before updates reach drivers.
Automakers must adapt Apple's patch, test it on their specific hardware, and validate it across different suppliers. This fragmented process can take months, if not years, leaving millions of cars exposed long after the patch was issued.
"The result is a long tail of exposure. While high-end models with robust OTA pipelines may be patched quickly, many others take months, years, or never receive the update at all. That leaves millions of vehicles potentially exposed - long after an 'official' fix exists," the researchers warned.
Why It Matters
While the vulnerability doesn't give hackers control over steering or brakes, it allows attackers to spy on drivers by tampering with apps or microphones, intercept communications or navigation data, install persistent malware in the infotainment system, or use the system as a stepping stone to other parts of the vehicle.
Security experts caution that car owners can't fix the issue on their own -- it's up to automakers and suppliers to adopt Apple's patched SDK and send it out to vehicles. Until then, drivers using wired CarPlay connections are safe, since exploiting the vehicle over a wired connection would require physical access.
As cars become more connected, the gap between innovation and safety will continue to put drivers at risk -- and the road to patching those vehicles isn't always smooth.