Apple patches Beats bug that let hackers eavesdrop via Bluetooth
Key Takeaways
- CVE-2025-20701 allowed attackers within Bluetooth range to access the microphone on unpaired Beats Studio Buds
- Apple's firmware update 1B211 patches the vulnerability and installs automatically when earbuds are paired with an iPhone, iPad, or Mac
- The flaw originates from Airoha SoC open-source code, highlighting supply chain security risks in consumer electronics
Apple has patched a high-severity vulnerability in Beats Studio Buds that allowed attackers within Bluetooth range to listen through the earbuds' microphone, even on devices that had never been paired. The flaw, tracked as CVE-2025-20701, required no authentication. It affected earbuds actively seeking pairing connections.
The fix arrives in Beats Firmware Update 1B211, which Apple began rolling out Tuesday. The update installs automatically when affected earbuds connect to an iPhone, iPad, or Mac over Bluetooth. Users can verify the firmware version in their device's Bluetooth settings by tapping the info button next to the headphones.
What made this Bluetooth flaw dangerous?
Security researchers Dennis Heinze and Frieder Steinmetz of German firm ERNW GmbH discovered the vulnerability in chips made by Airoha, a Taiwanese semiconductor company. The flaw sits in the Bluetooth BR/EDR radio stack and stems from missing authentication checks. An attacker does not need to pair with the target device. They just need to be within Bluetooth range, roughly 10 meters in most conditions.
“An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests.”
— Apple Security Advisory
ERNW disclosed the vulnerability a year ago at the TROOPERS security conference in Germany. They built a proof-of-concept exploit demonstrating how an attacker could initiate a phone call and eavesdrop on conversations within earshot of the target's phone. The researchers also showed they could read currently playing media from vulnerable devices.
Chaining flaws for deeper access
The risk grows when CVE-2025-20701 is combined with two related vulnerabilities, CVE-2025-20700 and CVE-2025-20702. Together, these flaws let attackers hijack the connection between a phone and paired Bluetooth audio device. From there, they can issue commands via the Bluetooth Hands-Free Profile.
ERNW warned that the combined attack grants full control over the headphones. Attackers could read and write to the device's RAM and flash memory. They demonstrated extracting Bluetooth link keys, which enabled them to retrieve call history, access contacts, and even dial arbitrary numbers.
"In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required," the researchers wrote. The attack works over both Bluetooth BR/EDR and Bluetooth Low Energy.
Practical risk: who should worry?
ERNW noted that real-world exploitation is "complex to perform." The attacker needs physical proximity and technical skill. This limits the threat primarily to high-value targets: executives, journalists, activists, or anyone whose conversations justify the effort.
For most users, the firmware update eliminates the risk entirely. The automatic delivery means anyone who regularly uses their Beats with an Apple device should already be protected or will be shortly.
Supply chain blind spots in consumer hardware
Apple acknowledged in its advisory that the vulnerability originated in open-source code. The CVE was assigned by a third party, not Apple. This points to a recurring problem: consumer electronics rely on components from multiple vendors, and a flaw in one supplier's code can ripple across products from different brands.
Airoha supplies system-on-chip components to multiple headphone manufacturers. Apple's Beats line happened to be among the affected products. The incident underscores why firmware updates for peripherals matter as much as OS updates. Wireless earbuds, smartwatches, and fitness trackers all run code that can contain exploitable bugs.
How to verify your Beats firmware is updated
- Pair your Beats Studio Buds with your iPhone, iPad, or Mac
- Open Settings and tap Bluetooth
- Find your Beats in the list of connected devices
- Tap the info (i) button next to the device name
- Check that the firmware version shows 1B211 or later
If the update has not yet applied, keep your earbuds paired and connected. The firmware should download automatically in the background.
Logicity's Take
This patch closes a real hole, but the year-long gap between ERNW's disclosure at TROOPERS and Apple's fix raises questions. For a company that markets privacy as a feature, that timeline is slow. The deeper issue is that Apple, like every hardware maker, depends on third-party silicon. Until supply chain security auditing becomes standard, these kinds of surprises will keep surfacing in products consumers assume are locked down.
Frequently Asked Questions
Did attackers actually exploit this Beats vulnerability in the wild?
Neither Apple nor ERNW has reported any known exploitation. The researchers demonstrated the flaw with a proof-of-concept, but the attack's complexity makes opportunistic use unlikely.
Are other Bluetooth headphones affected by CVE-2025-20701?
Potentially. The flaw exists in Airoha's system-on-chip, which other manufacturers also use. Check with your headphone brand for security advisories.
Do I need to update my Beats manually?
No. Firmware 1B211 installs automatically when your Beats Studio Buds are paired and in Bluetooth range of your Apple device.
Can this vulnerability be exploited remotely over the internet?
No. The attacker must be within Bluetooth range, typically about 10 meters. This is a proximity-based attack.
Should I stop using Beats until the update installs?
The risk is low for most users given the attack's complexity. To be safe, avoid leaving your earbuds in discoverable mode in public spaces until you confirm the update.
More on Apple's current hardware and supply chain pressures
Need Help Implementing This?
If your organization needs guidance on Bluetooth security policies, firmware management for corporate devices, or IoT vulnerability assessments, reach out to our team at Logicity.in for expert recommendations tailored to your environment.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
Related Articles
Browse all
Kraken Crypto Exchange Extortion: Hackers Threaten to Leak Internal Videos After Insider Breach
Cryptocurrency exchange Kraken is being extorted by hackers who obtained videos of internal systems through bribed support employees. The company says no funds were compromised and refuses to pay, with only about 2,000 accounts affected. Kraken is working with federal law enforcement to prosecute everyone involved.
Windows 11 KB5083769 and KB5082052: April 2026 Patch Tuesday Brings Smart App Control Changes and Security Fixes
Microsoft's April 2026 Patch Tuesday updates are now live for Windows 11, bringing critical security patches alongside a welcome change to Smart App Control. You can finally toggle SAC on or off without wiping your entire system. The updates cover versions 23H2, 24H2, and 25H2.
Zero Trust Identity Security: 5 Ways This Framework Actually Stops Credential Theft
Stolen credentials caused 22% of breaches in 2025, making them the top attack vector. Zero Trust promises to fix this, but only when it's built around identity as the core principle. Here's how organizations can implement it properly.
Open Source PR Backlogs: Why Your GitHub Contribution Sits Unreviewed for a Year
A developer's Jellyfin pull request has been waiting over a year for merge despite two approvals, exposing a systemic crisis in open source maintenance. Queuing theory explains why backlogs grow exponentially, and 60% of maintainers have quit or considered quitting due to burnout.
