"An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests," Apple said in an advisory released this week.
Apple patches Beats Studio Buds with Firmware 1B211
Apple has released Beats Firmware Update 1B211 to address a high-severity vulnerability in Beats Studio Buds that could allow nearby attackers to eavesdrop via the earbuds' microphone. The flaw is tracked as CVE-2025-20701 and carries a CVSS score of 8.8. According to Apple, the underlying problem is an incorrect authorization issue in the Airoha Bluetooth audio SDK that can permit pairing a Bluetooth audio device without user consent.
How CVE-2025-20701 can be exploited
Apple's advisory describes a chain that requires only proximity: "An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests." The vulnerability can lead to "remote escalation of privilege without requiring any additional execution privileges or user interaction," the company said. In short, the exploit does not require the targeted device to accept pairing prompts or otherwise interact with the attacker beyond being within Bluetooth range.
ERNW's Airoha SoC research and the broader set of flaws
Details of the Airoha-family problems first emerged in June 2025 when ERNW GmbH researchers Dennis Heinze and Frieder Steinmetz flagged CVE-2025-20701 alongside two companion flaws, CVE-2025-20700 and CVE-2025-20702, at the TROOPERS security conference in Germany. The researchers wrote that "in most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required," and that the vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE).
ERNW noted the range of capability the flaws grant: "Being in Bluetooth range is the only precondition. It is possible to read and write the device’s RAM and flash." The researchers also warned those capabilities let attackers "hijack established trust relationships with other devices, such as the phone paired to the headphones," enabling multiple attack scenarios. Jabra deployed similar patches in December 2025 for its affected products.
Parallel: Paradigm Shift's usbliter8 SecureROM exploit on A12 and A13
Separately, Paradigm Shift disclosed a novel SecureROM (BootROM) vulnerability impacting Apple A12 and A13 chips and published a proof-of-concept exploit codenamed usbliter8. The company said the exploit "leverages both a hardware bug in the USB controller and a specific configuration flaw present in the device firmware." Paradigm Shift described a technical path to code execution that begins with the USB controller's handling of SETUP and OUT packets: the controller stores packet data in a memory buffer and also accepts smaller packets, which the researchers say allows them to trigger a buffer underflow primitive.
Paradigm Shift stated the result is effectively a way to inject and execute malicious code under certain conditions. The firm emphasized the likely hardware root cause: "The problem... is likely rooted in the USB controller hardware itself, not in Apple's software." The researchers compared usbliter8 to checkm8 and warned that "even on more recent SecureROM generations, including those protected by Pointer Authentication, subtle hardware bugs can still be leveraged to achieve full code execution and break the chain of trust."
Paradigm Shift confirmed that A11 is not susceptible, while A12 and A13 are. The company said A14 and later generations appear to configure the USB DART correctly in SecureROM, "making the vulnerability unexploitable" on those chips. Paradigm Shift also cautioned that although usbliter8 "doesn't affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave." The firm recommended that affected users consider hardware migration as the most effective mitigation: "migrating to newer hardware remains the most effective mitigation."
What this means for technologists, end users, and procurement leaders
- Technologists and security teams: apply Beats Firmware Update 1B211 to affected Studio Buds devices and review inventories for other Airoha-based peripherals; note ERNW's reporting that these vulnerabilities can allow reading and writing of RAM and flash and can be triggered via BR/EDR or BLE.
- End users and the general public: users of Beats Studio Buds should install Firmware 1B211 promptly to close an exploit path that can enable remote listening without pairing consent.
- Procurement and device managers: consider vendor provenance for Bluetooth audio SoCs and track remediation timelines—Jabra issued similar patches in December 2025, and Apple has patched Beats Studio Buds with 1B211.
Two threads run through these disclosures. One is firmware-level: vendors must push and users must apply updates such as Beats Firmware 1B211 to neutralize active pairing and microphone-exposure paths. The other is architectural: vulnerabilities rooted in immutable hardware or SecureROM code, like Paradigm Shift's usbliter8 affecting A12 and A13, can persist beyond software updates and, as the researchers stated, make migration to newer hardware the most effective mitigation. For now, Apple has issued the Beats firmware update and Paradigm Shift has published technical findings and a PoC; affected users and administrators have concrete patches to apply and hard decisions to make.
https://thehackernews.com/2026/06/apple-patches-beats-studio-buds-flaw.html