Apple has patched a high-severity vulnerability in its Beats Studio Buds wireless earbuds that could have allowed nearby attackers to eavesdrop on users' conversations through the device's microphone. The flaw, tracked as CVE-2025-20701, was discovered by security researchers Dennis Heinze and Frieder Steinmetz of ERNW GmbH and affects devices that are not yet paired and are actively accepting pairing requests.

What Happened

The vulnerability was found in the Airoha system-on-a-chip (SoC) used in the Beats Studio Buds; the chip ships with a shared SDK, so products from multiple manufacturers are affected. The flaw allows attackers to initiate a call and eavesdrop on conversations within earshot of the targeted phone without prior pairing or authentication. When CVE-2025-20701 is chained with two other vulnerabilities in the same component, attackers can also hijack the connection between the phone and a paired Bluetooth audio device and then use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone.

The researchers demonstrated the issue with a proof-of-concept exploit that initiates a call and eavesdrops on conversations within earshot of the targeted phone. They also showed that, combined with other flaws in the same Airoha component, the vulnerability lets attackers extract pairing keys, impersonate trusted headphones, and compromise the user's phone.

Background and Context

Airoha SoCs are widely used Bluetooth audio components found in products from multiple manufacturers. The vulnerability was discovered by security researchers Dennis Heinze and Frieder Steinmetz of ERNW GmbH, who presented their findings at the TROOPERS security conference in Germany in 2025. The root cause is missing authentication on the Bluetooth BR/EDR radio, a step that is critical to the pairing process.

The researchers noted that the attack does not require prior pairing or authentication and can be triggered over Bluetooth BR/EDR or Bluetooth Low Energy (BLE); being within Bluetooth range is the only precondition for exploitation. The vulnerability allows attackers to read and write the device's RAM and flash, and to retrieve the call history and contacts.

Why it Matters to the Industry

The vulnerability affects devices that are not yet paired and are actively accepting pairing requests, which makes it particularly concerning in public environments such as offices, airports, or cafes. Because the attack requires no prior pairing or authentication, it poses a significant security risk to users who rely on Bluetooth connectivity.

For adult-industry platforms and operators, this vulnerability underscores the importance of secure audio hardware and timely firmware updates. With wireless earbuds and headsets increasingly used in professional settings, these devices must be properly secured and kept current with the latest patches.

What Comes Next

Apple has patched the vulnerability in Beats Firmware Update 1B211, which will be automatically delivered to vulnerable headphones when they are paired and within Bluetooth range of the user's iPhone, iPad, or Mac. Users can verify their firmware version through device settings.

The update is a critical step in mitigating the risk posed by this vulnerability. Users should nonetheless remain vigilant and confirm that their devices have received the update. The industry should also take note: secure audio hardware and dependable firmware-update delivery are what prevent similar vulnerabilities from being exploitable in the future.

Key Facts

  • The vulnerability affects Beats Studio Buds wireless earbuds and could allow nearby attackers to eavesdrop on users' conversations through the device's microphone.
  • The flaw is tracked as CVE-2025-20701 and was discovered by security researchers Dennis Heinze and Frieder Steinmetz of ERNW GmbH.
  • The vulnerability affects devices that are not yet paired and are actively accepting pairing requests, making it particularly concerning in public environments.
  • Apple has patched the vulnerability in Beats Firmware Update 1B211, which is delivered automatically to vulnerable headphones when they are paired and within Bluetooth range of the user's iPhone, iPad, or Mac.
  • The attack does not require prior pairing or authentication and can be triggered over Bluetooth BR/EDR or Bluetooth Low Energy (BLE).