AirPlay, the wireless streaming feature many Apple users rely on daily, may be more vulnerable than you think. Cybersecurity firm Oligo has revealed several flaws in Apple’s AirPlay system that could let hackers take control of your devices and spread harmful software across your entire network.
These flaws—found in both the AirPlay protocol and the software developers use to build AirPlay features—were discovered by Oligo’s security researchers and reported by Wired on June 28. The vulnerabilities the team named “AirBorne” could allow hackers to break into your network if you’re not careful.
How the AirPlay bugs work
Oligo says two of the bugs are what experts call “wormable.” That means a hacker could take over a single AirPlay device and use it to spread malware across every other device connected to the same network. While this might sound alarming, the attacker must be on your Wi-Fi network — they can’t break in from the outside.
If they are on your network, the risks increase. Oligo warns that attackers could run their code on your devices (a method known as an RCE, or remote code execution, attack). They could steal your files, listen to conversations, and even show unwanted images on screens like smart TVs or speakers. In one case, the team showed how an AirPlay-enabled Bose speaker could display a hacker-controlled image or eavesdrop by turning on the speaker’s microphone.
The threat isn’t limited to Apple-made devices either. Oligo points out that many third-party products — such as smart TVs, standalone speakers, and home theatre systems — use AirPlay. These may still be vulnerable if they haven’t received security updates.
Public Wi-Fi and CarPlay risks
You might feel secure at home, but Oligo warns that the dangers grow when you connect to public networks like cafes, airports, or hotels. If your iPhone, iPad, or MacBook uses an older version of Apple’s software and connects to a shared Wi-Fi network, you could unknowingly open yourself to attack.
The risk also extends to CarPlay, the Apple system used in vehicles. According to Oligo, hackers could carry out an RCE attack through a car’s Wi-Fi hotspot — especially if the default password hasn’t been changed. Once inside the system, they could display images on your dashboard screen or even track your car’s location.
Apple has responded — but you still need to update
Apple has already patched these bugs in its latest software updates, which means you should be protected if you’re using Apple’s most recent operating systems. However, the same can’t be said for third-party devices using AirPlay. While Apple has released patches that other companies can apply, it doesn’t directly control how or when they do so.
A cybersecurity expert told Wired that each manufacturer is responsible for updating their products—and that doesn’t always happen quickly.
Oligo reminds users that millions of third-party AirPlay devices are in homes and vehicles worldwide. CarPlay, in particular, is found in over 800 vehicle models. That means the potential for harm is widespread, especially for those who don’t regularly update their systems or use default passwords.
To protect yourself, ensure your devices are running the latest Apple software, avoid public Wi-Fi when possible, and constantly update any third-party gear you use for streaming.