Risky Business #789 -- Apple's AirPlay vulns are surprisingly awful

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:

• British retail stalwart Marks & Spencer gets cybered
• South Korean telco sets out to replace all its subscriber SIMs after (we assume) it lost the keymat
• It’s a good exploit week! Bugs in Apple Airplay, SAP webservers, Erlang SSH and CommVault backups
• Juice jacking! No, really! Some researchers actually did it (so still not in the wild, then)
• Anti-DOGE whistleblower sure sounds like he has a point

This week’s episode is sponsored by Knocknoc, who let you glue your firewalls to your single sign on. Knocknoc’s CEO Adam Pointon talks about the joy that having end-to-end IPv6 would bring for zero-trust access control. He also touches on people using Knocknoc inside their network to isolate critical systems.

Editors Note : Pat also gives Adam (Boileau) stick in the sponsor interview about the Risky Biz webserver not having IPv6 enabled, which fact-checking during the edit says is FAKE NEWS. Just uh, don’t look at how fresh that AAAA record in the DNS is, friends 😉

This episode is also available on Youtube.

Show notes

• British retailer M&S confirms being hit by ‘cyber incident’ amid store delays | The Record from Recorded Future News
• M&S cyber-attack linked to hacking group Scattered Spider | Marks & Spencer | The Guardian
• Bina Puri shares, Warrant B close sharply lower day after hacking
• Bina Puri, Pos Malaysia tumble following hacking incident | FMT
• Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts | The Record from Recorded Future News
• US conducts cyberattacks against major Chinese commercial encryption provider: report - Global Times
• Iran says major cyberattack on infrastructure repelled | Iran International
• Spain rules out cyber attack - but what could have caused power cut?
• South Korea's SK Telecom begins SIM card replacement after data breach
• AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security | Oligo Security
• iOS and Android juice jacking defenses have been trivial to bypass for years - Ars Technica
• How Android 16's new security mode will stop USB-based attacks - Android Authority
• Researchers warn of critical flaw found in Erlang OTP SSH | Cybersecurity Dive
• Critical vulnerability in SAP NetWeaver under threat of active exploitation | Cybersecurity Dive
• CVE-2025-31324: Critical SAP Flaw Explained | Strobes
• Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
• Risky Bulletin: NFC card malware keeps evolving in Russia, a bad omen for the future - Risky Business Media
• Hegseth had unsecured internet line in Pentagon for Signal, sources say | AP News
• Whistleblower: DOGE Siphoned NLRB Case Data – Krebs on Security
• 2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf
• CISA gets a deputy director as it braces for major layoffs | Cybersecurity Dive
• Two top cyber officials resign from CISA | The Record from Recorded Future News
• Ex-CISA chief Chris Krebs leaving SentinelOne following Trump pressure | Reuters
• Former cyber official targeted by Trump speaks out after cuts to digital defense
• Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries | SentinelOne
• ZachXBT on X: "Nine hours ago a suspicious transfer was made from a potential victim for 3520 BTC ($330.7M)"