

How can you protect your home or office network from attacks against the AirBorne defects in AirPlay?
In a hurry?
The only options to protect a network from an attack against the AirBorne vulnerabilities are to:
- update the firmware or system software to patch all the devices running AirPlay;
- disable the AirPlay service (if possible) on all devices (including AirPort Express) which cannot be patched; or
- power OFF and unplug all AirPlay devices which cannot be updated.
Got a moment for a few more details?
First, a little important background.
AirPlay is Software That Runs on Many Devices, Not Just Macs and iPhones
AirPlay is an easy-to-use and widely available technology.
In addition to about 2.3 billion devices (of all types) made by Apple, there are hundreds of millions or possibly billions of devices made by other manufacturers that support AirPlay.
You may have devices running AirPlay in your home or office that you haven't noticed yet, particularly if you live in an apartment building or an urban neighborhood with many nearby WiFi devices and services.
The AirBorne Vulnerabilities Could Be Exploited by a Worm
Security researchers recently discovered several defects in the AirPlay protocol and software stack, some of which make systems running AirPlay vulnerable to a type of attack known as RCE (Remote Code Execution).
They demonstrated that two of these defects are "wormable," which means that a program (called a "worm") can copy itself onto a device and use that device as a platform to probe for other devices.
A worm could spread by infecting a phone, and then copy itself to other devices running AirPlay during the course of an ordinary day, infecting many other vulnerable devices on many networks as the phone is carried around.
Modern worms can carry many payloads, giving them the ability to hop between different kinds of devices, with different host operating systems. A worm could leap from an iPhone running iOS to a television running Linux, to an Apple TV running tvOS.
How Dangerous Could an AirBorne Worm Be, Really?
An AirBorne worm could attack your AirPlay devices without being logged into your WiFi network. You don't need to "let it on to your network" for a worm to attack a vulnerable (unpatched) AirPlay device. A strong WiFi password won't protect vulnerable AirPlay devices from attack, because AirPlay includes "peer-to-peer" connection types.
Worms can also carry payloads to exploit different types of defects. A hypothetical worm spreading via AirBorne vulnerabilities could get inside a network via AirPlay and then probe for and exploit other defects on other devices, such as IoT (Internet of Things) gadgets that don't run AirPlay but may have other defects.
Devices running AirPlay sometimes have username and password information for things like streaming services subscriptions that could be harvested by malware. With that information the bot masters could log into your accounts and steal other information, or purchase services. If they didn't go hog wild, you might not notice right away.
How Can I Protect a Network from a Possible AirBorne Worm?
Update the system software on all your mobile devices, first.
Mobile devices (smartphones and laptops) are generally exposed to more potential threats as they move around to different networks, and if they get infected, they would be more likely to spread a worm to other systems.
- Update your Apple Devices to the most recent operating system update. This includes iPhone, iPad, Apple TV, Mac, Apple Watch, and Vision Pro.
- Use the AirPort Utility app to disable AirPlay on the Apple AirPort Express WiFi base stations (used for any purpose).
- Look for firmware updates that specifically fix the AirBorne vulnerabilities for other devices that support AirPlay, such as televisions and smart speakers.
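To work through the steps above you first need a list of what is advertising AirPlay on your network. The following is an added example, not part of the original article: it parses Bonjour/mDNS browse results for the AirPlay service types `_airplay._tcp` and `_raop._tcp` into a per-device inventory. It assumes the parseable output layout of `avahi-browse -rpt` and the TXT keys `model`/`srcvers` and `am`/`vs`; the sample lines, device names and the `handled` set are constructed.

```python
import re

AIRPLAY_TYPES = {"_airplay._tcp", "_raop._tcp"}  # AirPlay video / audio mDNS service types

# Constructed sample in the parseable format `avahi-browse -rpt <type>` prints
# (assumed layout: =;iface;proto;name;type;domain;host;address;port;txt).
SAMPLE = r'''
+;eth0;IPv4;Living\032Room;_airplay._tcp;local
=;eth0;IPv4;Living\032Room;_airplay._tcp;local;living-room.local;192.0.2.20;7000;"model=AppleTV6,2" "srcvers=0.0.0"
=;eth0;IPv6;Living\032Room;_airplay._tcp;local;living-room.local;2001:db8::20;7000;"model=AppleTV6,2" "srcvers=0.0.0"
=;eth0;IPv4;020000000002\064Kitchen;_raop._tcp;local;kitchen.local;192.0.2.31;7000;"am=ExampleSpeaker1,1" "vs=0.0.0"
=;eth0;IPv4;Printer;_ipp._tcp;local;printer.local;192.0.2.40;631;"ty=Example"
'''

def unescape(label):
    """Undo avahi's \\DDD decimal escapes (e.g. \\032 is a space)."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1))), label)

def inventory(browse_output):
    """Return {hostname: device record} for every resolved AirPlay service."""
    devices = {}
    for line in browse_output.splitlines():
        fields = line.split(";", 9)           # TXT data stays intact in field 9
        if len(fields) < 10 or fields[0] != "=" or fields[4] not in AIRPLAY_TYPES:
            continue                           # skip '+' announcements and other services
        _, _, _, name, stype, _, host, addr, _, txt = fields
        kv = dict(i.split("=", 1) for i in re.findall(r'"([^"]*)"', txt) if "=" in i)
        dev = devices.setdefault(host, {"name": None, "model": None, "version": None,
                                        "addresses": set(), "services": set()})
        # RAOP instance names look like "<id>@<name>"; keep the readable part.
        dev["name"] = dev["name"] or unescape(name).split("@", 1)[-1]
        dev["model"] = dev["model"] or kv.get("model") or kv.get("am")
        dev["version"] = dev["version"] or kv.get("srcvers") or kv.get("vs")
        dev["addresses"].add(addr)             # one device may answer on IPv4 and IPv6
        dev["services"].add(stype)
    return devices

def action_needed(devices, handled):
    """Hosts not yet recorded as patched, AirPlay-disabled, or unplugged."""
    return sorted(h for h in devices if h not in handled)

if __name__ == "__main__":
    found = inventory(SAMPLE)
    handled = {"living-room.local"}            # constructed: devices already updated
    for host in action_needed(found, handled):
        d = found[host]
        print(f"{host}: {d['name']} model={d['model']} version={d['version']}"
              " -> update, disable AirPlay, or unplug")
```

An empty result does not prove there are no AirPlay devices: the browse only sees devices advertising on the network segment you run it from.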
Partial Mitigation for AirPort Express: Connect to Ethernet LAN and Disable WiFi
This section was in the original document that went out via email and it's not correct.
The assumption here was that AirPlay on the AirPort Express was vulnerable to attack on the AirPlay peer-to-peer networking feature as described in the Apple document: Use AirPlay with Apple Devices.
AirPort Express hardware was apparently designed before Apple planned the peer-to-peer feature of AirPlay 2, and the hardware lacks the Bluetooth radio necessary to do discovery and establish the peer-to-peer WiFi connection.
As a consequence, the AirPort Express doesn't need to be protected against the possible peer-to-peer attack, and the advice in this section below won't help.
AirPlay on AirPort Express WiFi base stations remains vulnerable to attack from devices connected to the same WiFi network.
— Incorrect! Ignore this section.—
If you're using an AirPort Express as a way to connect to a stereo via AirPlay, you can partly mitigate this risk by using the Airport Utility to turn off the WiFi in the AirPort Express.
Use the Ethernet connection to connect the device to your network. Devices walking by the front of your house won't be able to infect the appliance, since it won't be listening on the WiFi network. Note, though, that if another device on your wired LAN network were to get infected, AirPlay on the AirPort Express would still be vulnerable.
— end Incorrect guidance —
Television manufacturers that support AirPlay include (this is not a complete list):
Samsung
Sony
LG Smart TV
VIZIO
Smart speakers, stereo receivers, and other devices made by these manufacturers (and others) include AirPlay:
BANG & OLUFSEN
BLUESOUND
BOSE
Bowers & Wilkins
DENON
harman / kardon
IKEA
JBL
KEF
LIBRATONE
marantz
McIntosh
naim
SONOS
YAMAHA
You can find a complete list of manufacturers that make AirPlay devices on Apple's AirPlay page.
For additional details on the AirBorne vulnerabilities in AirPlay, see this article by the security researchers at Oligo Security:
Wormable Zero-Click Remote Code Execution (RCE) in AirPlay Protocol Puts Apple & IoT Devices at Risk