According to his Website, Australian James Laird managed this feat by taking apart his girlfriend’s malfunctioning AirPort Express and examining the contents of its read-only memory (ROM), where the device stores its firmware.
This, in turn, yielded the cryptographic keys that the company uses to protect the content streamed via AirPlay. Compatible devices need those keys both in order to identify themselves to any copy of iTunes running on a network and to decrypt the audio that is streamed to them; as a result, the keys are closely guarded by Apple, which normally only hands them over to licensed accessory manufacturers.
Armed with the keys, Laird was able to write a simple app, which he called ShairPort, that essentially makes a computer appear to be an AirPort Express, tricking any copy of iTunes running on the local network into letting you stream audio to that computer.
In its current state, the app is far from user-friendly, and requires a considerable amount of technical know-how to install and run, making it well outside the reach of the average user. However, Laird’s discovery technically makes it possible for anyone to write AirPlay-compatible software without requiring Apple’s consent or paying any licensing fees.
This is significant for two reasons. First, it could conceivably pave the way for a number of innovative products that take advantage of AirPlay in ways hitherto unimagined by either Apple or its manufacturing partners. And second, it would make it trivial for anyone to write an emulator that, instead of playing the music streamed, simply saved the information to disk. Granted, music on iTunes has now been DRM-free for a while, which may not make that issue a pressing concern.
It’s unclear how Apple will respond to Laird’s discovery. One possibility would be for the company to simply change the digital keys used by the AirPort Express, a feat that could be easily accomplished by issuing updates for the router’s firmware and iTunes.
However, that will only work if Apple engineers have assigned a different set of keys to every kind of device that supports AirPlay; if the company is using the same keys for all devices that support AirPlay, then third party vendors will have to upgrade the firmware on their products as well—that could potentially break some third-party devices, if the firmware can’t be upgraded with the new keys.
Furthermore, even if Apple does change the keys, finding the new ones would require nothing more than another hacker with a sacrificial AirPort and some spare time at their disposal.
Another option would be to pursue Laird in a court of law to get him to withdraw his app from circulation, but by this point the source code to ShairPort has likely been extensively downloaded and copied. Thus, even though Apple could probably get Laird to comply, it’s likely too late to prevent the app from reaching the public at large.
Ultimately, Apple’s optimal solution might be to leave things the way they are. The company could look the other way for “homebrew” AirPlay-compatible apps while clamping down on commercial vendors, requiring them to pay a royalty in order to use the streaming technology into their products.
Doing so could greatly increase the popularity of AirPlay by fostering a vibrant ecosystem and result in greater market penetration and revenues for the company in the long run.