Risky Business #789 -- Apple's AirPlay vulns are surprisingly awful

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:

• British retail stalwart Marks & Spencer gets cybered

• South Korean telco sets out to replace all its subscriber SIMs after (we assume) it lost the keymat

• It’s a good exploit week! Bugs in Apple Airplay, SAP webservers, Erlang SSH and CommVault backups

• Juice jacking! No, really! Some researchers actually did it (so still not in the wild, then)

• Anti-DOGE whistleblower sure sounds like he has a point

This week’s episode is sponsored by Knocknoc, who let you glue your firewalls to your single sign on. Knocknoc’s CEO Adam Pointon talks about the joy that having end-to-end IPv6 would bring for zero-trust access control. He also touches on people using Knocknoc inside their network to isolate critical systems.

Editors Note : Pat also gives Adam (Boileau) stick in the sponsor interview about the Risky Biz webserver not having IPv6 enabled, which fact-checking during the edit says is FAKE NEWS. Just uh, don’t look at how fresh that AAAA record in the DNS is, friends 😉

This episode is also available on Youtube.

Show notes British retailer M&S confirms being hit by ‘cyber incident’ amid store delays | The Record from Recorded Future News M&S cyber-attack linked to hacking group Scattered Spider | Marks & Spencer | The Guardian Bina Puri shares, Warrant B close sharply lower day after hacking Bina Puri, Pos Malaysia tumble following hacking incident | FMT Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts | The Record from Recorded Future News US conducts cyberattacks against major Chinese commercial encryption provider: report - Global Times Iran says major cyberattack on infrastructure repelled | Iran International Spain rules out cyber attack - but what could have caused power cut? South Korea's SK Telecom begins SIM card replacement after data breach AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security | Oligo Security iOS and Android juice jacking defenses have been trivial to bypass for years - Ars Technica How Android 16's new security mode will stop USB-based attacks - Android Authority Researchers warn of critical flaw found in Erlang OTP SSH | Cybersecurity Dive Critical vulnerability in SAP NetWeaver under threat of active exploitation | Cybersecurity Dive CVE-2025-31324: Critical SAP Flaw Explained | Strobes Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) Risky Bulletin: NFC card malware keeps evolving in Russia, a bad omen for the future - Risky Business Media Hegseth had unsecured internet line in Pentagon for Signal, sources say | AP News Whistleblower: DOGE Siphoned NLRB Case Data – Krebs on Security 2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf CISA gets a deputy director as it braces for major layoffs | Cybersecurity Dive Two top cyber officials resign from CISA | The Record from Recorded Future News Ex-CISA chief Chris Krebs leaving SentinelOne following Trump pressure | Reuters Former cyber official targeted by Trump speaks out after cuts to digital defense Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries | SentinelOne ZachXBT on X: "Nine hours ago a suspicious transfer was made from a potential victim for 3520 BTC ($330.7M)"