# Apple Patches High-Severity Flaw in Beats Studio Buds Allowing Eavesdropping
Apple has issued security updates to address a high-severity vulnerability in its **Beats Studio Buds** wireless earbuds. This flaw could enable attackers within Bluetooth range to surreptitiously listen to user conversations, highlighting a significant privacy concern for users of the popular audio devices.
## Eavesdropping Risk for Beats Studio Buds Users
**Apple** has released security updates to mitigate a high-severity vulnerability, tracked as **CVE-2025-20701**, affecting its **Beats Studio Buds** wireless earbuds. The flaw could allow attackers within Bluetooth range to eavesdrop on user conversations through the device's microphone.
According to **Apple's** advisory, "An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests." The company also noted that this vulnerability originates from open-source code, affecting **Apple Software** among other projects.
## Automatic Firmware Update Rollout
The patch has been delivered via **Beats Firmware Update 1B211**. This update is designed to be automatically applied to vulnerable headphones when they are paired and within Bluetooth range of a user's **iPhone**, **iPad**, or **Mac**.
Users can verify if the firmware update has been installed by navigating to the Bluetooth settings on their device and tapping the information button next to their headphones.
## Discovery by ERNW GmbH Researchers
The vulnerability was identified by **Dennis Heinze** and **Frieder Steinmetz** of **ERNW GmbH**. Their research pinpointed the flaw within the **Airoha** systems-on-a-chip (SoCs) used in the earbuds.
During the **TROOPERS** security conference in Germany a year prior, the **ERNW** researchers disclosed that the vulnerability stems from a missing-authentication weakness in the Bluetooth BR/EDR radio. They also demonstrated a proof-of-concept exploit, enabling attackers to initiate calls and listen in on conversations near the targeted phone.

## Chaining Vulnerabilities for Broader Exploitation
Further research by **ERNW** revealed that when **CVE-2025-20701** is chained with two other related vulnerabilities, **CVE-2025-20700** and **CVE-2025-20702**, attackers could use the Bluetooth Hands-Free Profile (HFP) to issue commands to a phone after hijacking the connection between the phone and a paired Bluetooth audio device.
"In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required," the researchers warned. They added that the vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE), with proximity being the sole prerequisite. Exploitation could allow reading and writing the device's RAM and flash memory.
Exploiting these flaws, the researchers were able to retrieve call history, contacts, and even initiate calls to arbitrary numbers after extracting Bluetooth link keys from a vulnerable device's memory. While such attacks are complex and require technical sophistication and physical proximity, they pose a significant risk, particularly for high-value targets.