I'm not aware of any serious vulnerabilities for AirPort routers. They run a pretty clean version of NetBSD with very few services. However, there are some internal Apple services (presumably written in C) running on the router to facilitate configuration, AirPlay, Back to my Mac, Time Machine, and maybe others.
The minor things I know offhand:
- The old configuration protocol transmits your password (and everything else) in pretty much plain-text, which can be theoretically intercepted by someone connected to your network (and anyone listening when you set it up for the first time). I think the newest configuration protocol uses Secure Remote Password, but I don't know if anyone's audited their implementation.
- When new AirPort routers first come online, they broadcast a public open WiFi hotspot to allow wireless setup. This can be accessed by anyone within range. An attacker could make a device (say, a WiFi Pineapple) automatically connect to every AirPort it sees and configure it maliciously. Using only public information, you mostly be able to annoy the owner (maybe intercept some traffic by updating their DNS settings). I won't rule out someone dropping a rootkit on your router during the open configuration period, but the simplest method (a firmware update) at this point will cause the router to reboot so it's at least a bit conspicuous.
The minor things I know offhand:
- The old configuration protocol transmits your password (and everything else) in pretty much plain-text, which can be theoretically intercepted by someone connected to your network (and anyone listening when you set it up for the first time). I think the newest configuration protocol uses Secure Remote Password, but I don't know if anyone's audited their implementation.
- When new AirPort routers first come online, they broadcast a public open WiFi hotspot to allow wireless setup. This can be accessed by anyone within range. An attacker could make a device (say, a WiFi Pineapple) automatically connect to every AirPort it sees and configure it maliciously. Using only public information, you mostly be able to annoy the owner (maybe intercept some traffic by updating their DNS settings). I won't rule out someone dropping a rootkit on your router during the open configuration period, but the simplest method (a firmware update) at this point will cause the router to reboot so it's at least a bit conspicuous.
Also see this comment: https://news.ycombinator.com/item?id=8441500