AirPlay security flaws could help hackers spread malware on your network

Cybersecurity firm Oligo has detailed a set of vulnerabilities its researchers found in Apple’s AirPlay protocol and software development kit that could serve as a point of entry to infect other devices on your network, Wired reports.

Oligo’s researchers refer to the vulnerabilities and attacks they enable as “AirBorne.” According to Oligo, two of the bugs it found are “wormable” and could let attackers take over an AirPlay device and spread malware throughout “any local network the infected device connects to.” That said, they would need to already be on the same network as the device to carry out the attack.

Other possible outcomes of an attack include hackers remotely executing code on your devices (also called an RCE attack), accessing local files and sensitive information, and carrying out denial-of-service attacks, Oligo says. It adds that an attacker could also show images on something like a smart speaker’s display — as demonstrated with an AirPlay-enabled Bose speaker in the video below — or tap into the speaker’s microphone to listen to nearby conversations.

What do you think about casting features like AirPlay, Miracast, or Chromecast? I know that past conversations on TV boxes haven’t really considered this factor at all.

At least from my experience, having an AirPlay-enabled device means broadcasting that device name and info to everyone in a nearby radius (especially in dormitory environments). I’m not sure how dangerous that could be though.

I don’t, to be honest. People who are tech savvy and in the know would always avoid using such features and have their setup be different in such a manner that this would not even be a concern/issue. Really wish more people knew what’s what with tech and why, but education and awareness is the issue.

It’s useful, I use it a lot. You can set it so only your devices can use it, everyone on your network, or everyone, even those who aren’t on your network. You can also set a password that someone needs to type to stream to your device. Don’t think there’s any way around needing to advertise your device name unfortunately, and opening your device up for connections is going to leave the possibility of vulnerabilities being exploited. Apple says they fixed the exploits, hopefully they harden AirPlay’s security in general so this doesn’t happen again.
