Apple fixes critical eavesdropping vulnerability in Beats earbuds
What's the story
Apple has released a critical security update for its Beats Studio Buds wireless earbuds. The update addresses a high-severity vulnerability, CVE-2025-20701, that could have been exploited by nearby hackers to eavesdrop on users. The flaw allowed improper authentication in the firmware of Bluetooth-related chips, letting people within signal range impersonate previously paired devices and listen through their microphones.
Security advisory
An attacker could listen through the microphone
In a security advisory, Apple warned that an attacker within Bluetooth range could listen through the microphone of a device not yet paired and actively seeking pair requests. The company has released Beats Firmware Update 1B211 to fix the vulnerability. The update is automatically delivered when the headphones are paired with and within Bluetooth range of a user's iPhone, iPad, or Mac.
Vulnerability impact
The flaw affects devices using Airoha Bluetooth chips
CVE-2025-20701, which has a severity rating of 8.8 out of 10, was one of three vulnerabilities discovered by researchers Dennis Heinze and Frieder Steinmetz from security firm Insinuator. The flaws were linked to chips made by Airoha Systems. In response to the discovery, Airoha released an updated software development kit for affected hardware sellers.
Industry response
Other manufacturers have also patched their devices
Apple's patch for the Beats Studio Buds comes the same week that Jabra, another headphone manufacturer, announced patched versions of its devices. Manufacturers Bose and JBL have also confirmed that their devices have been updated with the fixes. The widespread response from these companies highlights the industry-wide impact of the security flaw linked to Airoha Systems's chips.
New threat
Earlier, researchers discovered similar vulnerabilities in Google Fast Pair
In January, researchers revealed WhisperPair, a set of vulnerabilities that lets an attacker hijack Bluetooth devices connected via Google Fast Pair. The flaws affect over a dozen devices from 10 manufacturers including Sony, Nothing, JBL, OnePlus, and Google itself. They not only allow eavesdropping but also geolocation of devices.