An independent developer has cracked the private key used in Apple's AirPort Express to stream music to approved speakers, potentially allowing third-party software and hardware to receive AirPlay streams without paying Apple's licensing fee. Developer James Laird has released his work as an open source project called ShairPort. While still in its early stages, the project could upset Apple if anyone besides home tinkerers decide to make use of it.

Laird was able to find the private key after reverse engineering his girlfriend's defunct AirPort Express. From there, he wrote ShairPort to emulate the Airport Express—this enabled him to set up other computers to receive streamed music from iTunes or iOS devices. According to the ShairPort v0.02 documentation, the software implements a server to receive Apple's RAOP protocol, and can "probably" support multiple simultaneous streams. Users can even edit the Perl files to set a password for the stream so that only approved devices can connect.

Why is this significant? As noted in a comment on Hacker News, the Airport Express uses both a public key and a private key in order to process music streams. The public key is obviously public (after Jon Lech Johansen, aka DVD Jon, reverse engineered it in 2004), allowing third parties to write software that streams audio to the AirPort Express—Airfoil by Rogue Amoeba is one of the most well known examples of this.

The private key, however, has been strictly limited to Apple and companies that license AirPlay from Apple in order to pass those audio streams onto approved third-party speakers. With the introduction of ShairPort, however, users can send iTunes or iOS audio streams to other (unapproved) devices, such as an HTPC or another computer. Potentially, a speaker maker could try to utilize the private key in order to receive AirPlay streams without Apple's approval.

This is the main reason why Apple might move to shut down Laird's project, especially if it has reason to believe it might lose out on some revenue. Even without that element, though, Apple has seldom been keen on users reverse engineering its other technologies. In 2008, Apple sent a DMCA notice to the iPodhash project, arguing that attempts to reverse-engineer the iPhone 2.0 hash count was circumvention of its FairPlay DRM. Then in 2009, Apple made a number of legal threats against BluWiki, which hosted instructions on how to use an iPod or iPhone with third-party devices by messing with the iTunesDB (essentially the same goal as the iPodhash project).

Apple eventually stopped using the code in question and dropped its objection to the iTunesDB pages, but that doesn't mean the company won't refocus its efforts on the new hot thing: ShairPort. There are already calls for Apple to leave ShairPort alone (read that in a Chris Crocker voice).

Apple did not respond to our request for comment by publication time.