Top Highlights
-
Persistent Vulnerability: Approximately six months after a fix was released for a zero-click vulnerability in Apple CarPlay (CVE-2025-24132), few vendors and no car manufacturers have implemented the necessary patches.
-
Ease of Exploitation: Attackers can exploit this vulnerability through simple USB or Bluetooth connections, often with no user interaction required, posing a significant risk of unauthorized access to vehicle systems.
-
Serious Implications: The vulnerability allows for remote code execution with root privileges, enabling potential misuse such as tracking driver locations, eavesdropping, or creating distractions while driving.
- Challenges in Patching: The automotive industry struggles with patch implementation due to slow update cycles, lack of standardization, and complex coordination among manufacturers and software vendors, highlighting the urgent need for improved automotive cybersecurity measures.
[gptAs a technology journalist, write a short news story divided in two subheadings, at 12th grade reading level about ‘Apple CarPlay RCE Exploit Left Unaddressed in Most Cars’in short sentences using transition words, in an informative and explanatory tone, from the perspective of an insightful Tech News Editor, ensure clarity, consistency, and accessibility. Use concise, factual language and avoid jargon that may confuse readers. Maintain a neutral yet engaging tone to provide balanced perspectives on practicality, possible widespread adoption, and contribution to the human journey. Avoid passive voice. The article should provide relatable insights based on the following information ‘
Nearly half a year since its patch was released, few vendors and no manufacturers have fixed a zero-click vulnerability in Apple CarPlay.
On April 29, researchers from Oligo Security disclosed a buffer overflow vulnerability that could allow attackers free reign over CarPlay. As a bonus, under most conditions, it requires no user interaction nor authentication. Assigned CVE-2025-24132, it received a “medium” 6.5 severity score in the Common Vulnerability Scoring System (CVSS).
Patches have been available ever since. Yet four and a half months later, the researchers have reported that just a small number of vendors and no car manufacturers have actually fixed their systems, with little prospect that they will in any near future.
Exploiting Apple CarPlay via CVE-2025-24132
To exploit CVE-2025-24132, attackers must gain entry to CarPlay either via a USB connection or over the Internet. If they’re within a near enough distance, and the vehicle’s network password is simple enough to guess, then the job is easy. If not — or if, for security reasons, the car doesn’t advertise its network to the public — they’d need a different route.
The way around would be Bluetooth. Lucky for them, many cars use “Just Works” Bluetooth pairing, allowing any device to pair without restriction. Some Bluetooth configurations require that a user enter a PIN displayed on an in-vehicle infotainment (IVI) screen, in which case this exploit becomes one-click. In the worst case scenario, some systems won’t be discoverable by default, and an individual sitting in the car will have to perform hands-on actions.
Usually, those extra steps aren’t necessary. “We don’t have exact percentages, because it varies by vendor and model, but our testing found that a significant number of systems rely on Just Works Bluetooth pairing, and many older and third-party head units use default or predictable Wi-Fi passwords,” reports Oligo Security researcher Uri Katz. “Newer vehicles are improving, but legacy systems (which stay on the road for years) often ship with minimal pairing protections — this is an issue for many other IoT devices today as well.”
The path from a general Bluetooth connection to CarPlay takeover runs through Apple’s iAP2 protocol. iAP2 is what establishes a session between a mobile device and an IVI and, among other things, communicates network credentials. Crucially, it only authenticates in one direction — the external device will confirm that it’s connecting to a legitimate IVI, but the IVI will not return the favor. Thanks to this, an attacker can mask their own computer as, say, an iPhone, grab network credentials, connect to the vehicle as a real iPhone would, and begin issuing orders.
Oligo Security is still concealing the technical details of CVE-2025-24132, giving vendors far more rope than typically required by responsible disclosure best practice. An Apple security update from April indicated that the issue has to do with app termination. Whatever the specifics, it’s an issue with the AirPlay software development kit (SDK) that allows for remote code execution (RCE) with root privileges.
With root-level RCE, any conceivable consequence is on the table, from spying on drivers’ locations to eavesdropping on their conversations, or even distracting them while they’re on the road. Due to the scope of their study, though, the researchers are unable to say if an attacker could use this access to delve deeper into the vehicle’s internal safety-critical systems.
Why Vehicles Are So Tough to Patch
More concerning than the bug itself is the way it’s been received by the automotive industry. Apple released fixes back on March 31, then coordinated disclosure with Oligo on April 29. In the time since, Oligo reports, only a select few vendors have actually implemented that fix, and no car manufacturers have done so.
This, the researchers acknowledged, is not borne of apathy or ignorance alone. Ensuring that all vendors that rely on a specific SDK all implement a fix for it can be a pain, especially in the automotive space, where update cycles can be slow and their requirements cumbersome.
Katz explains that “the core challenge is lack of standardization. Unlike phones that update overnight, many in-vehicle systems still require manual installs by users or dealership visits. Even when Apple shipped the patched SDK, automakers must adapt, test, and validate it across their platforms, requiring coordination with suppliers and middleware providers.”
The structural fixes he suggests are wider adoption of over-the-air (OTA) update pipelines and, more broadly, smoother coordination in supply chains. Katz points out that “the technology exists, but the organizational alignment hasn’t caught up.”
‘. Do not end the article by saying In Conclusion or In Summary. Do not include names or provide a placeholder of authors or source. Make Sure the subheadings are in between html tags of
[/gpt3]
Discover More Technology Insights
Explore the future of technology with our detailed insights on Artificial Intelligence.
Access comprehensive resources on technology by visiting Wikipedia.
CyberRisk-V1
