VYPR
patch · Published Jun 18, 2026 · 1 source

Apple fixes Beats Studio Buds flaw that let hackers spy on conversations

Apple patched a high-severity Bluetooth vulnerability in Beats Studio Buds that could allow attackers within range to eavesdrop on conversations via the microphone.

Apple has released a firmware update to fix a high-severity vulnerability in Beats Studio Buds that could allow an attacker within Bluetooth range to secretly listen to users' conversations through the earbuds' microphone. The flaw, tracked as CVE-2025-20701, was disclosed by security researchers Dennis Heinze and Frieder Steinmetz of ERNW GmbH at the TROOPERS conference in Germany one year ago.

The vulnerability resides in the Airoha system-on-a-chip (SoC) used in the wireless earbuds. According to Apple's advisory, "An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests." The issue stems from a missing-authentication weakness in the Bluetooth BR/EDR radio, which allows an unauthenticated attacker to hijack the connection.

The researchers also developed a proof-of-concept exploit that demonstrates how an attacker can initiate a call and eavesdrop on conversations within earshot of the targeted phone. When chained with two other vulnerabilities (CVE-2025-20700 and CVE-2025-20702) affecting the same component, the attack becomes more powerful. After hijacking the connection between the phone and a paired Bluetooth audio device, attackers can use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone.

"In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required," the researchers warned. "The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition. It is possible to read and write the device's RAM and flash."

The researchers were able to retrieve call history and contacts from a vulnerable device's memory, and even call an arbitrary number after extracting Bluetooth link keys. "The range of available commands depends on the mobile operating system, but all major platforms support at least initiating and receiving calls," they said, though they noted that "real attacks are complex to perform" and would likely target only high-value individuals due to the technical sophistication and physical proximity required.

Apple patched the vulnerability in Beats Firmware Update 1B211, which is automatically delivered to vulnerable headphones when they are paired and within Bluetooth range of the user's iPhone, iPad, or Mac. Users can check whether the firmware has been applied from the Bluetooth settings on their device by tapping the info button next to the headphones.

This disclosure highlights the growing attack surface of wireless audio devices, which are often overlooked in security patch management. As Bluetooth-enabled earbuds become ubiquitous, vulnerabilities that allow eavesdropping or device takeover pose significant privacy risks. Users are urged to ensure their Beats Studio Buds are updated to the latest firmware to prevent potential spying.

Synthesized by Vypr AI