- Apple fixes CVE-2025-20701, a high-severity Bluetooth flaw in Beats Studio Buds that allowed eavesdropping within range
- Researchers showed that attackers could chain related bugs together to hijack headphones, issue phone commands, and read/write device memory.
- Fixed in Beats firmware update 1B211, installed automatically when pairing with an iPhone, iPad, or Mac
Apple has fixed a high-severity vulnerability in its Beats Studio Buds wireless earbuds that allowed bad actors to listen in on people’s conversations if they were within Bluetooth range.
The vulnerability was discovered in 2025 by security researchers Dennis Heinze and Frieder Steinmetz of ERNW. It was assigned CVE-2025-20701 and received a severity score of 8.8/10 (high).
The researchers explained that the flaw stemmed from missing authentication in the Bluetooth BR/EDR radio. They also published a proof-of-concept (PoC) exploit that showed how malicious actors could initiate a call and listen to people’s conversations, as long as they were within Bluetooth range.
Released a patch
“In most cases, these vulnerabilities allow attackers to take over headphones entirely via Bluetooth. No authentication or pairing is required,” they said. “The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being within Bluetooth range is the only prerequisite. It is possible to read and write the device’s RAM and flash.”
After extracting Bluetooth binding keys from a vulnerable device’s memory, they also managed to extract call history and stored contacts, and even to call a number.
“The range of commands available depends on the mobile operating system, but all major platforms support at least initiating and receiving calls,” they said, adding that “real attacks are complex to carry out” and would probably only be aimed at high-value targets because they require technical sophistication and physical proximity.
The team also showed that it was possible to chain this vulnerability with two others impacting the same component (CVE-2025-20700 and CVE-2025-20702) and use the Bluetooth hands-free profile (HFP) to issue commands to the phone.
Apple has now issued a new security advisory, confirming that it has released a patch for the flaw.
“An attacker within Bluetooth range may be able to listen through the microphone of a device that is not yet paired and actively search for pairing requests,” the advisory states. “This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE ID was assigned by a third party.”
Apple fixed the bug in Beats firmware update 1B211, which will be automatically installed the next time users pair their headphones with their iPhone, iPad, or Mac devices.
Via BleepingComputer





