9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

This week, I want to share a fascinating talk I came across on social media about an Apple service that doesn’t seem to get as much attention in the community: CarPlay. While Apple has not publicly disclosed the exact number of CarPlay users, I’d venture to say it’s one of its most used services. And one of the biggest concerns is anything that could compromise driver safety or privacy. So, how secure is CarPlay?

At the TROOPERS24 IT conference in Heidelberg, Germany, security researcher Hannah Nöttgen presented a talk cleverly titled “Apple CarPlay: What’s Under the Hood.” In this session, Nöttgen delved into CarPlay’s basic security architecture to evaluate how secure the service really is. She explained that CarPlay relies on two primary protocols: Apple’s proprietary IAPv2 (iPod Accessory Protocol version 2) for authentication and AirPlay for media streaming. Together these enable the seamless experience we’ve all come to love, letting drivers access messages, calls, music, order Chick-fil-A, and other features without having to unlock their phones.

But this convenience comes with some risks.

During her analysis, Nöttgen explored several attack vectors, focusing on the risks of unauthorized access to personal information, which could threaten driver privacy and safety. While CarPlay’s authentication system is quite hardened to prevent replay attacks, Nöttgen found other vectors like DoS attacks targeting any wireless third-party AirPlay adapters remained possible, albeit difficult to execute, but possible.

Another interesting layer is Apple’s tight control over CarPlay hardware through its Made for iPhone (MFi) program. All certified CarPlay devices are required to include an Apple authentication chip, which car manufacturers pay to integrate into their vehicles. While Apple’s closed ecosystem has faced criticism for limiting third-party access, it also creates a significant hurdle for would-be attackers. To launch a sophisticated attack, such as extracting the private key, an actor would need physical access to the MFi chip.

Nöttgen concluded her talk by pointing out areas that need further exploration, such as potential methods for extracting private keys and conducting more comprehensive testing of CarPlay’s protocols. Her concern is that if attackers could obtain these keys, they might intercept and decrypt sensitive information.

Unfortauntely, the proprietary nature of both IAPv2 and Apple’s implementation of AirPlay makes independent security verification rather challenging. I highly encourage readers to take a lot at Hannah Nöttgen’s talk below, it’s rather interesting and fun!

You can download the full presentation here.

About Security Bite: Security Bite is a weekly security-focused column on 9to5Mac. Every week, Arin Waichulis delivers insights on data privacy, uncovers vulnerabilities, or sheds light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices to help you still safe.

Follow Arin: Twitter/X, LinkedIn, Threads

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

This week, I want to share a fascinating talk I came across on social media about an Apple service that doesn’t seem to get as much attention in the community: CarPlay. While Apple has not publicly disclosed the exact number of CarPlay users, I’d venture to say it’s one of its most used services. And one of the biggest concerns is anything that could compromise driver safety or privacy. So, how secure is CarPlay?

At the TROOPERS24 IT conference in Heidelberg, Germany, security researcher Hannah Nöttgen presented a talk cleverly titled “Apple CarPlay: What’s Under the Hood.” In this session, Nöttgen delved into CarPlay’s basic security architecture to evaluate how secure the service really is. She explained that CarPlay relies on two primary protocols: Apple’s proprietary IAPv2 (iPod Accessory Protocol version 2) for authentication and AirPlay for media streaming. Together these enable the seamless experience we’ve all come to love, letting drivers access messages, calls, music, order Chick-fil-A, and other features without having to unlock their phones.

But this convenience comes with some risks.

During her analysis, Nöttgen explored several attack vectors, focusing on the risks of unauthorized access to personal information, which could threaten driver privacy and safety. While CarPlay’s authentication system is quite hardened to prevent replay attacks, Nöttgen found other vectors like DoS attacks targeting any wireless third-party AirPlay adapters remained possible, albeit difficult to execute, but possible.

Another interesting layer is Apple’s tight control over CarPlay hardware through its Made for iPhone (MFi) program. All certified CarPlay devices are required to include an Apple authentication chip, which car manufacturers pay to integrate into their vehicles. While Apple’s closed ecosystem has faced criticism for limiting third-party access, it also creates a significant hurdle for would-be attackers. To launch a sophisticated attack, such as extracting the private key, an actor would need physical access to the MFi chip.

Nöttgen concluded her talk by pointing out areas that need further exploration, such as potential methods for extracting private keys and conducting more comprehensive testing of CarPlay’s protocols. Her concern is that if attackers could obtain these keys, they might intercept and decrypt sensitive information.

Unfortauntely, the proprietary nature of both IAPv2 and Apple’s implementation of AirPlay makes independent security verification rather challenging. I highly encourage readers to take a lot at Hannah Nöttgen’s talk below, it’s rather interesting and fun!

You can download the full presentation here.

About Security Bite: Security Bite is a weekly security-focused column on 9to5Mac. Every week, Arin Waichulis delivers insights on data privacy, uncovers vulnerabilities, or sheds light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices to help you still safe.

Follow Arin: Twitter/X, LinkedIn, Threads