Apple has fixed a security flaw in Beats Studio Buds which let hackers spy on conversations


  • Apple patches CVE‑2025‑20701, a high‑severity Bluetooth flaw in Beats Studio Buds enabling eavesdropping within range
  • Researchers showed attackers could chain related bugs to hijack headphones, issue phone commands, and read/write device memory
  • Fixed in Beats Firmware Update 1B211, auto‑installed when pairing with iPhone, iPad, or Mac

Apple has fixed a high-severity vulnerability in its Beats Studio Buds wireless earbuds that allowed threat actors to eavesdrop on people’s conversations if they were in Bluetooth range.

The vulnerability was discovered in 2025 by security researchers Dennis Heinze and Frieder Steinmetz of ERNW. It has been assigned CVE-2025-20701 and was given a severity score of 8.8/10 (high).

The researchers explained that it stemmed from missing authentication in the Bluetooth BR/EDR radio. They also published a proof-of-concept (PoC) exploit showing how malicious actors might initiate a call and listen in on people’s conversations, as long as they were within Bluetooth range.

Issuing a patch

"In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required," they said. "The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition. It is possible to read and write the device’s RAM and flash."

After extracting the Bluetooth link keys from a vulnerable device’s memory, they also managed to pull the call history and stored contacts, and even succeeded in calling a number.

"The range of available commands depends on the mobile operating system, but all major platforms support at least initiating and receiving calls," they said, but added that "real attacks are complex to perform" and should likely target only high-value targets because they require technical sophistication and physical proximity.

The team also showed it was possible to chain this vulnerability with two others affecting the same component (CVE-2025-20700 and CVE-2025-20702) and use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone.


Apple has now published a security advisory confirming that it has released a fix for the flaw.

“An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests,” the advisory reads. “This is a vulnerability in open-source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party.”

Apple fixed the bug in Beats Firmware Update 1B211, which will be installed automatically the next time users pair their headphones with an iPhone, iPad, or Mac.

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
