
Apple has released Beats Firmware Update 1B211 to address a Bluetooth vulnerability affecting Beats Studio Buds that could allow a nearby attacker to listen through a device's microphone before it has been paired.
The flaw is part of a broader set of vulnerabilities disclosed last year in widely used Airoha Bluetooth chipsets found in headphones and earbuds from numerous vendors.
The security update fixes CVE-2025-20701, a vulnerability discovered by Dennis Heinze and Frieder Steinmetz of German cybersecurity firm ERNW. Apple describes the issue as affecting open-source code used by multiple projects.
According to Apple's advisory, the flaw could allow “an attacker within Bluetooth range” to listen through the microphone of a Beats Studio Buds device that is actively searching for pairing requests but has not yet been paired. The company did not disclose technical details about its implementation of the fix.
The vulnerability is one of three critical Bluetooth flaws that ERNW disclosed in 2025 after analyzing firmware used in Airoha Bluetooth systems-on-chip (SoCs), which are widely deployed in wireless headphones and earbuds. Airoha, a subsidiary of MediaTek, is a major supplier of Bluetooth silicon for the true wireless stereo (TWS) market, providing chipsets and software development kits used by many consumer audio brands.
During their research, Heinze and Steinmetz discovered that a diagnostic protocol known as RACE (Realtek/Airoha Command Extensions) was exposed over Bluetooth without proper authentication in many products. The flaws, tracked as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, enabled attackers within range to access sensitive functions, extract pairing information, read device memory, and, in some cases, access microphone audio streams.
CVE-2025-20701, the flaw addressed by Apple, specifically involved a lack of pairing enforcement over Bluetooth Classic connections. ERNW demonstrated that the issue could be abused to access audio-related services, allowing attackers to connect to vulnerable devices without authentication and potentially capture microphone input.
In December 2025, the researchers also published a testing toolkit and technical documentation showing how affected devices could be abused to impersonate trusted Bluetooth accessories, trigger voice assistants, access call-related information, and conduct eavesdropping attacks.
While ERNW's demonstrations required specialized knowledge, custom tooling, and close physical proximity, typically within approximately 10 meters, the researchers warned that the flaws posed a meaningful risk to high-profile targets such as journalists, executives, government officials, and others who regularly discuss sensitive information.
Apple's advisory does not indicate whether any real-world exploitation of the vulnerability has been observed.
The update currently applies to Beats Studio Buds. Firmware updates for Beats devices are delivered automatically when the headphones are paired with an iPhone, iPad, or Mac and are within Bluetooth range. Users can verify their firmware version through Bluetooth settings on their Apple device.






