somebodyelse
Master Contributor
- Joined
- Dec 5, 2018
- Messages
- 6,021
- Likes
- 5,775
For details see https://www.oligo.security/blog/airborne - short version is that multiple issues were found allowing zero-click or 1-click remote code execution and bypassing access controls if the attacker is on the same network, then to spread from one to the next. Vulnerable devices were all the Apple ones using it, plus devices using Apple's SDK to implement AirPlay and CarPlay - so essentially anything with certified AirPlay or CarPlay support needs a firmware update to fix this. It was demonstrated on a Bose speaker because they already had one, not because it was unique to Bose. It's likely a lot of uncertified devices used Apple's SDK too.
What's not clear is whether 3rd party implementations from reverse engineering have the same problems. That means open source implementations as in the LMS plugin, Volumio, Moode etc. From what Roon have said that probably applies to them too. It may apply to other non-certified products.
Apple have already fixed it so if you have up to date OS or firmware you're OK. For anything else you'll have to check the details of any updates they release to see whether they've fixed it.
What's not clear is whether 3rd party implementations from reverse engineering have the same problems. That means open source implementations as in the LMS plugin, Volumio, Moode etc. From what Roon have said that probably applies to them too. It may apply to other non-certified products.
Apple have already fixed it so if you have up to date OS or firmware you're OK. For anything else you'll have to check the details of any updates they release to see whether they've fixed it.