Dernière minute
RUАльпинист погиб на Эльбрусе на высоте 5500 метровFRCédric Jubillar avoue être à l'origine de la disparition de sa femme Delphine AussaguelRUВ Москве ожидается дождь с грозой и сильным ветромJPエディオン久保会長、ヤマダ統合は「市場変化への備え」 PB強化で付加価値向上目指すARألمانيا تزيل ألغام إيران في ممر دولي.. وجنازة ضخمة لخامنئيITDoppio colpo nel Foggiano: assalto a portavalori e rapina a tir di sigaretteCN中国海军在太平洋公海试射潜射战略导弹,引发区域担忧INTLPhilippines Vice President Sara Duterte Faces Impeachment Trial Amid Political FeudCRYPTO-FRNigel Farage accusé de financement non déclaré lié aux cryptomonnaiesARاستطلاع دولي: ثقة المستثمرين باقتصادات الخليج قوية رغم التوترات الجيوسياسية وارتفاع أسعار المعادنRUАльпинист погиб на Эльбрусе на высоте 5500 метровFRCédric Jubillar avoue être à l'origine de la disparition de sa femme Delphine AussaguelRUВ Москве ожидается дождь с грозой и сильным ветромJPエディオン久保会長、ヤマダ統合は「市場変化への備え」 PB強化で付加価値向上目指すARألمانيا تزيل ألغام إيران في ممر دولي.. وجنازة ضخمة لخامنئيITDoppio colpo nel Foggiano: assalto a portavalori e rapina a tir di sigaretteCN中国海军在太平洋公海试射潜射战略导弹,引发区域担忧INTLPhilippines Vice President Sara Duterte Faces Impeachment Trial Amid Political FeudCRYPTO-FRNigel Farage accusé de financement non déclaré lié aux cryptomonnaiesARاستطلاع دولي: ثقة المستثمرين باقتصادات الخليج قوية رغم التوترات الجيوسياسية وارتفاع أسعار المعادن
Newsgather
BackApple Patches High-Severity Vulnerability in Beats Studio Buds
Apple Patches High-Severity Vulnerability in Beats Studio Buds
En développement
Ars Technica18.06.2026Tech3 dk okumaUnited States

Apple Patches High-Severity Vulnerability in Beats Studio Buds

L'essentiel

  • Apple has updated its Beats Studio Buds to fix CVE-2025-20701, a critical vulnerability allowing nearby hackers to eavesdrop via Bluetooth.
  • The patch is delivered automatically.

Résumé généré par IA

Pourquoi c'est important

A high-severity vulnerability, CVE-2025-20701, in Beats Studio Buds allowed nearby hackers to eavesdrop. Researchers disclosed similar vulnerabilities in Airoha Systems chips last year.

Taille de police

Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users.

The vulnerability, CVE-2025-20701, allowed improper authentication in the firmware running on the Bluetooth-related chips, enabling people within signal range to impersonate devices that had previously been paired with the earbuds. The researchers demonstrated this in a series of end-to-end attacks that allowed them to eavesdrop on conversations or sounds within earshot of the phone microphone.

Apple joins the patch party

“Impact: An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests,” Apple said in a Tuesday security advisory. The fix is contained in Beats Firmware Update 1B211, which is delivered automatically while headphones are paired with and within Bluetooth range of a user’s iPhone, iPad, or Mac. Users can check their firmware version by going to Settings on their device, navigating to Bluetooth, and tapping the info button next to the headphones.

Carrying a severity rating of 8.8 out of 10, CVE-2025-20701 was one of three vulnerabilities resulting from last year’s disclosure by researchers Dennis Heinze and Frieder Steinmetz of security firm Insinuator about chips made by Airoha Systems. In response, Airoha released an updated software development kit to affected hardware sellers. Apple’s incorporation of the patch into the Beats Studio Buds came the same week that Jabra, another affected headphone manufacturer, also announced patched versions. According to this article from Ecoustics, manufacturers Bose and JBL have released statements saying their devices have also been updated to incorporate the fixes.

Security firm Sentinel One has a deeper dive into CVE-2025-20701 here.

Heinze and Steinmetz said last year that the full chain of attacks gave attackers the ability to do other malicious things, including retrieving call history and contacts, and even calling arbitrary numbers. Many of those capabilities are dependent on the specific devices being paired, since the functionality built into them differs from platform to platform.

Devices affected by the Airoha vulnerabilities are by no means alone. In January, researchers disclosed WhisperPair, a series of vulnerabilities that allows an attacker to hijack Bluetooth devices connected through Google Fast Pair, a proprietary protocol belonging to the company. Besides eavesdropping, attackers can exploit the WhisperPair flaws to geolocate devices. The vulnerabilities affect more than a dozen devices from 10 manufacturers, including Sony, Nothing, JBL, OnePlus, and Google itself.

There are few, if any, reports of Bluetooth vulnerabilities like these being actively exploited in the wild. The complexity of such attacks is often high, and an attacker has to continually stay within Bluetooth range of a target while utilizing the exploit. People who think they may be targeted by such attacks should turn off Bluetooth in devices whenever they’re not needed, and remain aware of the risks when Bluetooth is enabled.

Questions ouvertes

  • Were any devices actively exploited before the patch?
  • Will other manufacturers release patches for their Airoha-based devices?

Sujets liés

This article was originally published by Ars Technica.

Articles liés

Plus sur ce sujetApple