Johansen Cracks AirPort Express Encryption

womby writes "DVD Jon has just announced that he cracked the encryption in Apple's AirPort Express. 'I've released JustePort, a tool which lets you stream MPEG4 Apple Lossless files to your AirPort Express. The stream is encrypted with AES and the AES key is encrypted with RSA.' No real details of the process employed in cracking the unit but newsworthy none the less."

huh, sounds solid...

[kippy (416183)]

Well it sounds like Apple did the right thing by using AES and RSA which are both industry standard and not some crazy "applecrypt" or something. Must be a really weak key or poor implementation or the protocol.

Re:huh, sounds solid...

[interiot (50685)]

What's NOT solid is the whole concept of selling products which contain the encrypt and decrypt keys to customers, and thinking that they're never going to be able to recover those keys from the product you just put in their hands.

Re:huh, sounds solid...

[k98sven (324383)]

whats more the question is why is Apple encrypting in the first place and why cant i disable it ?

Because Apple needs to stay friendly with the music industry, and that means the RIAA. They'd probably wouldn't mind skipping encryption altogether and saving a buck, but I doubt very many labels would support that scheme.

Re:huh, sounds solid...

[Stackster (454159)]

That would also mean that Apple really wouldn't care too much about someone breaking the encryption, although RIAA might force them to.

I just ordered an Airport Express, just to stream audio from my laptop (sucky speakers, can't stand a cable). If I can stream from other sources, great. Even better would be to have other units (any computer) act as "iTunes speakers".

Great News

[Rura Penthe (154319)]

This is great news. I want any application I own on any platform (OS X/Windows/Linux/Zeta!) to be capable of streaming to an Airport Express. I can't imagine that this would really upset Apple since you're still buying their hardware. It just lets you use the hardware with more applications. If iTunes is still the best and most elegant way, people will use that.

Of course...Apple isn't always logical like that, and there may be some precedent set that would injure them in court some time later.

Re:Great News

[foidulus (743482)]

Well, a potential abuse of this system could be wardriving with cannibal corpse. If crackers can figure out how to encrypt the songs, they can war drive around till they find an AE and play, "Entrails Ripped From a Virgin's Cunt" instead of the Seasame Street sings the family wanted to play. There are valid reasons to having this encrypted.
Also, the RIAA probably put some pressure on Apple to encrypt the songs. While I don't like piracy, the thought of someone driving around so they can download music that other people they don't know are listening to is very bizzare.

Re:Great News

[Kristoph (242780)]

The hack in question does not permit you to stream to the AE unless you have access to the network on which the AE resides. If you did gain access to that network in some way you could still engage in the "abuse" you mention through iTunes without this hack.

The point of the hack is to permit you to stream music from programs other than iTunes to an AE you have access to and not to hijack AE's.

]{

Re:Great News

[lysander (31017)]

I can't reach the website, but presumably this only works if you have access to the wireless network, so you'd have to break WPA/WEP as well (or find a sucker with an open network).

It's possible to password protect the audio aspect of the airport express separate from WPA/WEP. You can even leave the access point entirely open and still password protect access to the audio. The article's still unavailable, so it's unclear what exactly Jon cracked.

Re:Great News

[BobTheLawyer (692026)]

security through unavailability?

Re:Great News

[Rude Turnip (49495)]

You can use an Airport Express and never buy anything from iTMS or purchase an iPod...just use your own MP3 collection. All three hardware products depend upon iTunes, but neither hardware item requires the other to use.

To be honest, Apple's products become much more useful (and more desirable to purchase) when people come out with neat hacks like this. The only reason I spend big bucks in their music store is because the DRM has been broken through the Hymn project.

Re:Great News

[garcia (6573)]

To be honest, Apple's products become much more useful (and more desirable to purchase) when people come out with neat hacks like this.

The only thing that makes it more attractive is that Apple finds a way to close the hole exposed by John's (or his friends') hack and the RIAA continues to let Apple distribute their wares for a reduced price.

Once Apple cannot guarantee that the music is protected from "theft" then the RIAA will pull the plug on our "cheap" downloading.

Does anyone know Jon's doctor?

[Anonymous Coward]

I want to know if he really does have testicles made of brass.

Re:Does anyone know Jon's doctor?

[Tackhead (54550)]

> > I want to know if he really does have testicles made of brass.
>
> Not only are they made of brass, but he's got five of them.

I want to meet Jon's tailor. I hear he makes pants that fit like a glove.

Re:Does anyone know Jon's doctor?

[jandrese (485)]

Nice try, but Bzzzzt! [truthorfiction.com] Wrong answer. That expression was probably just as vulgar as it sounds.

This should be pretty cool

[sith (15384)]

Since all he got was the public key, you can't actually decrypt streams that are being sent. What it means is that programs can now stream music to the AEx. This should be really cool, especially once something like AudioHiJack or Wiretap comes along that lets you redirect all your system audio to it. I'd love to be able to stream non-iTunes audio formats that way (real player radio stations and whatnot). Anyways, can't see how this hurts apple - more people have incentive to use the AEx, Apple doesn't have to support their use of it that way, and the protected music is still protected. Hizzah?

Re:This should be pretty cool

[RadioheadKid (461411)]

RSA encrypted AES key

You answered your own question. RSA here means the RSA Public Key Cryptography Standard [rsasecurity.com] The AES key (which is a symmetrical cipher key) was encrypted using RSA PKCS.

WTF?

[Philosinfinity (726949)]

Maybe I missed something, and I haven't been able to RTFA for obvious reasons. But doesn't the Airport Express take any stream sent to it from iTunes 4.6 or greater? What I am getting at is, on my iBook, I should be able to stream any file that plays from iTunes to the Airport Express. So what did I miss? Is this the ability to do that from other programs on other platforms? If so, why does the poster pick out the ability to transfer Apple Lossless files?

Re:WTF?

[PsychoSpunk (11534)]

This is a proverbial "last mile" problem: How do I get any sound to the Airport Express? The known elements are that the Airport Express plays Apple Lossless streamed from the client computer running iTunes. So the solution to the "last mile" is to figure out how to stream any Apple Lossless file to the Airport Express and not rely on a specific program. The conversion to Apple Lossless is left as an exercise for the reader, as they say.

Re:WTF?

[IntergalacticWalrus (720648)]

> But doesn't the Airport Express take any stream sent to it from iTunes 4.6 or greater?

Not really, iTunes always converts streams to Apple Lossless format prior to sending it to an AE (which is most likely the only format the AE understands, obviously).

> So what did I miss? Is this the ability to do that from other programs on other platforms?

Yes, but of course this is going to be the dvdcss case all over again, where the industry will accuse Jon of having made this purely for pirating purposes.

Driver!

[nuxx (10153)]

Now all we need is some sort of software-based audio out driver for OS X (like Cycling 74 [cycling74.com]'s Soundflower [synthesisters.com]) which allows you to reroute OS X audio output to the Airport Express. This would be *ideal*, as then it'd be possible to stream audio from practically anything to your stereo. Digitally!

From the Site...

[Anonymous Coward]

So sue me
Jon Lech Johansen's blog
Wed, 11 Aug 2004
Reversing AirTunes

I've released JustePort, a tool which lets you stream MPEG4 Apple Lossless files to your AirPort Express.

The stream is encrypted with AES and the AES key is encrypted with RSA.

AirPort Express RSA Public Key, Modulus:
59dE8qLieItsH1WgjrcFRKj6eUWqi+bGLOX1HL3U 3GhC/j0Qg9 0u3sG/1CUtwC
5vOYvfDmFI6oSFXi5ELabWJmT2dKHzBJKa3k 9ok+8t9ucRqMd6 DZHJ2YCCLlDR
KSKv6kDqnw4UwPdpOMXziC/AMj3Z/lUVX1G7 WSHCAWKf1zNS1e Lvqr+boEjXuB
OitnZ/bDzPHrTOZz0Dew0uowxf/+sG+NCK3e QJVxqcaJ/vEHKI Vd2M+5qL71yJ
Q+87X6oV3eaYvt3zWZYD6z5vYTcrtij2VZ9Z mni/UAaHqn9Jds BWLUEpVviYnh
imNVvYFZeCXg/IdTQ+x4IRdiXNv5hEew==
Exponent: AQAB

MD5(JustePort-0.1.tar.gz) = fe13e96751958c6e9d57cce0caa7b17b

Re:From the Site...

[SiliconEntity (448450)]

This RSA public key can also be expressed in hex as:

000000 e7 d7 44 f2 a2 e2 78 8b 6c 1f 55 a0 8e b7 05 44
000010 a8 fa 79 45 aa 8b e6 c6 2c e5 f5 1c bd d4 dc 68
000020 42 fe 3d 10 83 dd 2e de c1 bf d4 25 2d c0 2e 6f
000030 39 8b df 0e 61 48 ea 84 85 5e 2e 44 2d a6 d6 26
000040 64 f6 74 a1 f3 04 92 9a de 4f 68 93 ef 2d f6 e7
000050 11 a8 c7 7a 0d 91 c9 d9 80 82 2e 50 d1 29 22 af
000060 ea 40 ea 9f 0e 14 c0 f7 69 38 c5 f3 88 2f c0 32
000070 3d d9 fe 55 15 5f 51 bb 59 21 c2 01 62 9f d7 33
000080 52 d5 e2 ef aa bf 9b a0 48 d7 b8 13 a2 b6 76 7f
000090 6c 3c cf 1e b4 ce 67 3d 03 7b 0d 2e a3 0c 5f ff
0000a0 eb 06 f8 d0 8a dd e4 09 57 1a 9c 68 9f ef 10 72
0000b0 88 55 dd 8c fb 9a 8b ef 5c 89 43 ef 3b 5f aa 15
0000c0 dd e6 98 be dd f3 59 96 03 eb 3e 6f 61 37 2b b6
0000d0 28 f6 55 9f 59 9a 78 bf 50 06 87 aa 7f 49 76 c0
0000e0 56 2d 41 29 56 f8 98 9e 18 a6 35 5b d8 15 97 82
0000f0 5e 0f c8 75 34 3e c7 82 11 76 25 cd bf 98 44 7b

a 2048 bit RSA public key. The exponent is hex 0x10001, which is decimal 65537, a very commonly used exponent for RSA encryption.

The fact that he just published the public but not private parts of the key suggests that Apple's product merely wants to see its input data encrypted with this key. I.e. anything encrypted with this key, it will play.

Normally a public key is just that, public, and available to anyone. It sounds like in this case Apple kept the key somewhat secret, and used knowledge of that public key as a form of authorization. Only Apple products knew the public key, so it would only play music from those products.

Now that the public key is published, anyone could encrypt data using it and get Apple's device to play the music.

Jon hasn't broken any encryption here. He has merely learned how to encrypt just like Apple does. It looks to me like the DMCA does not apply to this case.

Re:From the Site...

[codework (252361)]

As someone else who has recovered the public key from iTunes, I can say He did break a form of encryption. The public keys are encryped in itunes albit it with a very simple rolling xor algo.

There is actually table of 255 public keys encoded in itunes. This is just one of them.

Apple Responds Quickly...

[PetoskeyGuy (648788)]

...by posting a story to slashdot his website while their lawyers and henchmen race towards DVD Jon in a black supersonic jet straight out of X-Men. (yes I verbed slashdot, but I googled and seems to be ok to do now)

Seriously though, just hire the kid. Give him a 80 hour a week job and enough money he'll stick it out. No more spare time, no more cracks.

I don't see the threat to DRM media here...

[Lurch00 (56120)]

Can somebody explain to me how _this_ hack threatens the DRM protected content? AFAICT, itunes decrpyts the content, converts it to this lossless stream, reencrypts it to protect it in transit, and streams it to the AE. There's no threat to the DRM media here at all, since you have to have an unprotected source to start with.

The real threat is that somebody will take this and figure out how to fake being an AE, then you essentially have iTunes doing the work of defeating its own DRM for you. This would have the advantage (from a piracy standpoint) of being fairly hard for Apple to fix via "bug fix updates", unless they built a way to upgrade the AE firmware the same way. That's something I can see people getting into a tizzy about, but for this particular hack I think the useful purposes far outweigh the piracy ones.

Just a thought.

Must be a new definition of "cracked"

[DavyByrne (30170)]

Since when is using a publicly available public key to encrypt a stream of data from an application and send it to a device considered "cracking?" It seems to me that this is a good ol' hack (read: clever piece of software), just like DeCSS or the other thing he did with protected iTunes tracks.

I wasn't surprised that the first source I saw report this called it a "crack," but had hoped by the time the story made it to /. the error would be corrected.

By the way, you do a real disservice to people trying to fight the DMCA by calling things like this "cracks." Lawyers for the bad guys already think these sorts of hacks are actually illegal cracks. You're bolstering their opinion by conflating the two.

Legitimate uses for this

[Sturm (914)]

One of the things that dissapointed me about the AEx was the inability to stream to it from other audio sources. For instance... Living in Kentucky, I don't have a clear view of the southern sky so I can't get Direct TV, so I can't get NHL Center Ice, so I can't watch my beloved Colorado Avalanche. Luckily for me, nhl.com streams the radio broadcasts of all the games via Windows Media Player. That works great since I can listen to them on my Mac or my Windows box. We had an old laptop connected to the stereo and via wireless connection could listen to the games. After last season, the laptop died and after I heard about the AEx I thought that might be cheaper than buying a used laptop to replace the broken one. But obviously, you can't stream to the AEx from WMP, so I was out of luck. I know I can buy some other device to stream audio to the stereo but we do use iTunes on both our Macs and PCs so the AEx would fit well into our setup.
The point to this long, boring post is that *if* we could stream any audio source from any Mac/PC to our stereos, we would probably buy two or three AEx's. Apple gets my money for the hardware and I get my NHL fix and we are all happy (well, maybe not the Apple lawers but I'm sure they won't go hungry :)

Is this really a crack?

[mpaque (655244)]

It appears that he's just published the public key. That may allow him to ENCRYPT music for play over Airport Express, but it doesn't let him decrypt the stream.

Heck, I put a public key for mail in my .plan and sigs. I don't think that enables anyone to crack my mail. They can SEND me mail, but that's sort of the whole idea, isn't it?

Re:Lawyers, start your engines.

[garcia (6573)]

Of course they will, I don't even know why you bothered to mention it. The real question is will it fit under the provisions allowing for reverse engineering or will it fall under the category of malicious code breaking?

We all know what it should fall under. What category Apple's lawyers make it fall under is a different story.

Re:Lawyers, start your engines.

[chromaphobic (764362)]

Or, they'll just use their usual methodology and release a Software Update with some non-descript "bug-fixes" that happens to also break JustePort. :-)

Too bad...

[Kjella (173770)]

...there is no DMCA here :D Of course, once the EUCD is passed into law (sooner or later), it may be a problem.

Kjella

Re:Too bad...

[arcade (16638)]

Last time I spoke to Per (Jon's father), he told me that Jon has moved to France. Still no DMCA, but maybe the EUCD will come in play quite a bit faster down there than here in Norway.

Re:Too bad...

[zokum (650994)]

Yes, Norway is in fact the country implementing the EU-regulations the most (EU countries included) . We have a trade agreements etc with the EU, and we implement all the EU directives.

We really should have joined EU a long time ago, and I find it absurd to not be in it. One can only hope. :-)

If you want me to elaborate more, just reply, i can cite numerous examples, but I'd rather be on-topic to the post. But al in all, I agree with the grandparents post, it could smell trouble when the EU-DMCA comes into play....

Re:Stupid stupid stupid

[garcia (6573)]

He just doesn't give a shit for petty politics (DMCA crap).

Of course he doesn't care about the DMCA. He lives in another country.

Re:Why oh why?

[drinkypoo (153816)]

I mean, what next, B&O encrypting the output to speakers?

IIRC, Creative has considered doing just that. Creative had considered opening an online music store which was to be called MuVo - that name sound familiar? It would initially sell CDs ala CDNOW (the site was pretty similar, really, with some significant upgrades from that feature set of course) and then later move to digital downloads.

Naturally, Creative being what they are - a bunch of right bastards, if you want a driver or utility file especially - they were concerned about DRM. From what I understand, one idea that was seriously kicked around was a hardware device, probably USB speakers, being required to listen to the music. It is likely that the device would have had analog audio output, so you could put the music on a tape or something. It's the digital hole that labels want to close, they know they can't do anything about analog copying.

Re:Why oh why?

[ideonode (163753)]

they can't do anything about analog copying

Couldn't they encrypt the analog sound as it leaves the speakers, and give the user a DRM-enabled BabelFish?

Re:Why oh why?

[drinkypoo (153816)]

Try reading my comment again, more slowly. The analog hole is not closable. It quite simply cannot be done. For instance you could take an encrypted digital speaker set, and attenuate the signal going to the speakers down to a 0-1.5V P-P signal, aka "Line Level".

The digital hole is where you make a digital copy without degradation. The former motivation (besides ethics) for consumers to purchase commercial copies of media was quality. Now, with the ability to make a perfect digital copy, that motivation has gone away. Now it basically comes down to convenience and ethics. It's hard to feel too bad about taking some money away from a record label, and it's awfully convenient to just download music without paying for it. Hence the reason the record labels are pissing their corduroys.

He's not a big genius.

[Anonymous Coward]

Maybe it appears that way to the layman, but to other programmers and computer scientists, he's just doing what comes naturally.

Almost any good programmer can crack software. They just choose not to, or to keep quiet if they do. Jon is a skilled showman as well as a software cracker. Hey, he got his ass saved from jail by the EFF when all he was doing is fronting others code. Now he's pretty much bulletproof (he doesn't release compiled executables as that was the main DeCSS sticking point), it's only right that he should continue to champion fair use and stand against lazy attempts to be "DMCA compliant", by cracking pointless encryption schemes which only require a little reverse engineering to find the barely hidden key, not cryptanalysis.

I think Jon's doing us a real service, which I appreciate. I don't worship his genius, as he's only doing something I've done myself, albeit on much more media-friendly targets. He could just be cracking Safedisc games in relative anonymity for the same amount of intellectual effort, but instead he's hounding high-profile DRM schemes, starting with the weakest (Apple). Worship him if you want.

Re:He's not a big genius.

[aristotle-dude (626586)]

I don't think he is doing anyone a service. This is merely a way to inflate his ego. His actions could potentially ruin things for everyone. The Fairplay DRM is one of the fairest rights management systems out there as you can do anything you want with the music you buy except directly convert to a different format. Burning to CD is unlimited. What if his actions cause the music industry to loss confidence in that DRM?

What is the alternative? WMA? do you have unlimited burns? No? Do you have uniform rights across all songs? No. Can you play WMA in all players including the iPod? No. Ok this last point is equally bad for iTMS and WMA stores but I don't like WMA. iTMS does have one advantage however, it is compatible with both the mac and windows.

If Jon really was a genius and was trying to do the public a service, he would have cracked the WMA DRM. If he could come up with a way for me to be able to purchase songs on Napster (no iTMS in Canada yet) and being able to convert them to AAC format with EasyWMA to play on my mac and iPod, that would be useful to me.

Destroying iTMS is not useful to anyone. Apple's DRM is the lesser of the two evils and it's free enough for me since I don't run linux. Jon is an man with raw intellect but no common sense.

Re:He's not a big genius.

[snackeyes (804934)]

The Fairplay DRM is one of the fairest rights management systems out there

Doesn't change the fact that it's a DRM system and restricts Fair Use.

you can do anything you want with the music you buy except directly convert to a different format

Can I play the music on a set top box which supports MPEG4 AAC files? No, I can't. The DRM prevents me from playing my legally bought files. Unless I use iTunes that is. "Thou shall have no other players".

Music Industry?

[Otto (17870)]

What if his actions cause the music industry to loss confidence in that DRM?

LOL!

Understand this... The "music industry" is royally screwed seven ways from Sunday. They know it too, don't kid yourself otherwise.

See, they need *customers*.

In order to exist, the music industry has to convince people to buy what they are pushing. They're between a rock and a hard place here, because if they make that DRM too obnoxious, if they go beyond the line too much, then their own customers will flip them the bird and jump right back onto P2P networks. It's already happened once, in their eyes. Does the P2P scare back around 1998 ring a bell? Napster? Back when it didn't quite suck, I mean.

See, Napster opened a new world for the music industry, because it showed them that the world had changed and now they had to compete with "free". How in the hell does one compete with free products?

DRM is a reaction to this, by trying to make it difficult for people to convert their products into a format than can easily become "free". Unfortunately, this is an impossible task. It's *proven* to be impossible, no less. So they now have to not only compete with "free", but to do it, they have to do something that's absolutely and totally impossible to do. What a bind that puts them in, huh? :-)

The music industry is scared shitless, and with reason. This new medium takes their products and puts it into a form that:
a) damn near eliminates distribution costs,
b) makes low cost viral marketing into one of the most powerful forms of marketing there is through the rapid dissemination of the meme in question,
and c) eliminates all ability to control distribution of their product and thus be able to charge for it.

A and B they love, but C is included in the bargin and they cannot escape it. Furthermore, they're starting to figure out that the combination of A and B on a large enough scale eliminates the need for the middlemen in their business. Artist and customer can directly interact just as easily as middlemen and customers can. Since most of them are middlemen, this naturally makes them nervous. Right now, they're engaging in heavy media spending to combat this knowledge, leading to the current meme of "taking music without paying is stealing" and so on. They're engaging it on both the artist side and the customer side, and if both sides would just wake the hell up, the middlemen would be out of jobs.

So what I'm saying is that the idea that they can NOT offer their product on the internet is an unrealistic notion. They don't have that choice, not really.

If they don't offer something out there, in a light enough restriction no less, then what will happen is that they eventually die off. People will go back to passing around music for free, legislation and lawsuits be damned, they will find a way to do it safely if it comes down to it. Many very bright people are already looking for that way.

And if the artists see that the music companies aren't actively trying to make them some cash by selling their music online, the artists might start waking up en masse and seeing that the old system is unnecessary with the new technological capabilities to directly reach the customers.

So the music industry *will* sell online. They don't have a real choice not to do so anymore. They can no longer pack up their toys and go home, because that would be a losing move.

Re:What?

[Anonymous Coward]

DeCSS was indeed released by the group, MoRE, 4 years ago (MoRE had 3 members, you call that "large"?).

However, as far as I can tell Johansen no longer has any connections with MoRE. All the software on his site is GPL'ed and copyrighted by himself. MoRE is not mentioned anywhere.

Re:What?

[Anonymous Coward]

It's worth mentioning that Johansen is a member [videolan.org] of the open source VideoLAN project, which develops the libdvdcss library and VLC multimedia player.

He reverse engineered FairPlay [theregister.co.uk] and added FairPlay support [videolan.org] to VLC.

Together with the fact that all his recent software has been licensed under the GPL this indicates that he no longer has anything to do with any "cracking" groups.

Re:What does it means?

[Kristoph (242780)]

The point of the hack is to permit you to stream audio to an AE from a program other than iTunes.

]{

Re:Oh good

[nefele (654499)]

and they invest millions to make inexpensive music downloads available (at almost no profit)

No, they invest millions so they will get tens of millions in revenue from selling iPod. Don't get me wrong, I like Apple and I'm impressed by Steve Jobs's ability to resurrect the company, but it's still a company, not a charity.

iTMS is selling songs cheaply to gain market share and get people to buy iPods, not to make inexpensive music downloads available.

Re:Oh good

[Jeremy Erwin (2054)]

they didn't "invent" OS X, they stole it from BSD and overcharged for it. keep shelling out your $130 every year for a "secure" OS.

Darwin is free. Cocoa, Quartz, Carbon, and a number of other technologies that have nothing to do with BSD are not.

Re:Lossless?

[matthew.thompson (44814)]

MPEG4 is not a single standard - but a collection.

Among these there is a Lossless compression codec that Apple have put forward for inclusion into the MPEG4 collection.

Assuming he's right...

[Kjella (173770)]

...I suppose he's talking about the Apple lossless codec in a MPEG4 container format (it is more than just a video codec, you know...)

Kjella

Re:About DVD Jon...

[mr_z_beeblebrox (591077)]

He seems to be one of a handful of people who knows what the hell is going on.

Why would the US Government want someone who "knows what the hell is going on". Hell, who would manage him? What department would he report to? Come on, your country is run by a man who probably uses "12345" as the combination on his luggage (encrypted of course, with his Cap'n Crunch decoder ring)

Re:Why is Apple's encryption so weak?

[mmusson (753678)]

The strong encryption was not cracked. The implementation was cracked. No software-only based encryption is secure, period. The audio stream is encrypted with AES. AES is a symmetric key encryption sceme which means that both sides need the same key. The key needs to change over time or the encryption scheme can be cracked.

This leaves the problem of how iTunes can tell the Airport the new key without everyone else listening and knowing the key also. Apple use RSA to secure the key transfer. RSA is a public key encryption system. This means there are two keys one public and one private. The private key is only known by the Airport. The public key is embedded in the iTunes software.

When iTunes wants to send a new AES key to the Airport it uses the RSA public key to encrypt the AES key. This encrypted message can only be decryped with the private key that the Airport has which means the system is secure even though everyone hears the new key in encrypted form.

The problem is that the RSA public key is embedded in the iTunes code. But that code needs to read in the key in order to use it and someone can reverse engineer this process to read the key themselves. This isn't necessaryily an easy thing to do but in a software only solution there is no way to stop it.