AirPlay Bug Lets Hackers Spy On You Through Speakers, Cars, and Macs

A new set of critical vulnerabilities discovered in Apple’s AirPlay protocol could allow hackers to hijack Apple devices—and even third-party devices like smart TVs and car infotainment systems—without any user interaction.

In a rush? Here are the quick facts:

  • AirPlay flaws allow zero-click attacks through shared WiFi networks.
  • Vulnerabilities affect iPhones, Macs, speakers, TVs, and over 800 car models.
  • CVE-2025-24252 grants full control of MacBooks via WiFi.

Cybersecurity firm Oligo Security revealed the flaws, which they’ve dubbed AirBorne, saying the vulnerabilities enable “zero-click” and “one-click” remote code execution (RCE). In other words, hackers can take control of a device just by being on the same Wi-Fi network, without the user doing anything.

In the worst cases, attackers don’t even need users to click anything. The researchers explained that the attack could spread across devices automatically. Oligo showed how a simple WiFi connection could be used to hijack a Mac, speaker, or even a car’s entertainment system.

“The amount of devices that were vulnerable to these issues, that’s what alarms me,” said Uri Katz, a researcher at Oligo Security, as reported by WIRED. “When was the last time you updated your speaker?” Uri asked.

Two of the most dangerous bugs (CVE-2025-24252 and CVE-2025-24132) can let hackers quietly install malware on a device, and use it to spread across other systems on the same network. This could lead to data theft, spying, ransomware, or supply-chain attacks.

AirPlay is used by Apple devices like iPhones, iPads, MacBooks, and Apple TVs to stream content between devices. It’s also integrated into many third-party gadgets—possibly tens of millions—including speakers, smart TVs, and over 800 car models with CarPlay.

Some of the flaws can be used to spread malware across networks, making AirBorne “wormable.” That means a single infected device could be used to automatically spread malicious code to others nearby.

“A victim device is compromised while using public WiFi, then connects to their employer’s network – providing a path for the attacker to take over additional devices on that network,” Oligo explained.

Oligo says the worst vulnerabilities (like CVE-2025-24252) can give hackers complete control over MacBooks with AirPlay turned on. In another example, flaws in third-party speakers could allow eavesdropping through built-in microphones.

In response, Apple told WIRED that the flaws have been patched and stressed that attackers would still need to be on the same local network as the target. The company also noted that personal data on devices like TVs and speakers is usually minimal.

However, many users might not realize their home or car devices are affected, or that they need updating.

Attack examples include playing unwanted audio, spying via microphones, tracking car locations, and even logging Mac users out remotely.

The flaws mostly relate to how AirPlay handles ‘plists’, the Apple data files used to send commands between devices. Improper parsing of these files creates openings for attackers.
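To illustrate the defensive side of the plist-parsing point above, here is an added example (not from Oligo, Apple, or the original article) of a receiver that validates an untrusted plist against a strict schema before acting on it. The command name, the keys `command`, `volume` and `params`, and the size limit are assumptions made for the illustration, not AirPlay's real message format.

```python
import plistlib

# Hypothetical command schema; key names are assumptions made for this example.
SCHEMA = {"command": str, "volume": float, "params": dict}
MAX_BYTES = 64 * 1024  # refuse oversized bodies before parsing

# Constructed sample bodies, serialized as XML plists.
GOOD = plistlib.dumps({"command": "setVolume", "volume": 0.5, "params": {}})
WRONG_TYPE = plistlib.dumps({"command": "setVolume", "volume": 0.5, "params": "x"})
NOT_DICT = plistlib.dumps(["setVolume", 0.5])


class RejectedPlist(ValueError):
    """Raised when an untrusted body does not match the schema."""


def parse_command(body: bytes) -> dict:
    """Return the parsed plist only if it matches SCHEMA exactly."""
    if len(body) > MAX_BYTES:
        raise RejectedPlist("body too large")
    try:
        doc = plistlib.loads(body)
    except Exception as exc:  # plistlib raises several exception types
        raise RejectedPlist("not a valid plist") from exc
    if not isinstance(doc, dict):
        raise RejectedPlist("top-level object must be a dictionary")
    if set(doc) != set(SCHEMA):
        raise RejectedPlist("unexpected or missing keys")
    for key, expected in SCHEMA.items():
        # exact type match: no subclasses, no int-for-float coercion
        if type(doc[key]) is not expected:
            got = type(doc[key]).__name__
            raise RejectedPlist(f"{key}: expected {expected.__name__}, got {got}")
    if not 0.0 <= doc["volume"] <= 1.0:
        raise RejectedPlist("volume out of range")
    return doc


def verdict(body: bytes) -> str:
    """Map a body to 'accepted' or 'rejected: <reason>' for logging."""
    try:
        parse_command(body)
        return "accepted"
    except RejectedPlist as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name in ("GOOD", "WRONG_TYPE", "NOT_DICT"):
        print(name, "->", verdict(globals()[name]))
```

The handler only ever sees a dictionary whose fields have the types it expects, so a body that is well-formed as a plist but has the wrong shape is rejected before any command logic runs.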

Oligo and Apple advise users to update all Apple and AirPlay-enabled devices immediately. They also recommend turning off the AirPlay receiver if not in use, limiting AirPlay access to known devices, and adjusting settings to “Current User” to reduce risks.
