- Apple patches CVE-2025-20701, a high-severity Bluetooth bug in Beats Studio Buds that enables eavesdropping
- Researchers showed that attackers could link related flaws to hijack headphones, issue phone commands, and read/write device memory
- Fixed in Beats Firmware Update 1B211, automatically installed when paired with iPhone, iPad or Mac
Apple has fixed a serious vulnerability in its Beats Studio Buds wireless earphones that allowed threat actors to eavesdrop on people’s conversations if they were within Bluetooth range.
The vulnerability was discovered in 2025 by security researchers Dennis Heinze and Frieder Steinmetz of ERNW. It has been assigned CVE-2025-20701 and given a severity rating of 8.8/10 (high).
The researchers explained that it stemmed from a missing-authentication weakness in the Bluetooth BR/EDR radio. They also released a proof-of-concept (PoC) exploit that showed how malicious actors could initiate a call and listen to people’s conversations as long as they were within Bluetooth range.
Issuance of a patch
“In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required,” they said. “The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being within Bluetooth range is the only prerequisite. It is possible to read and write the device’s RAM and flash.”
They also managed to pull the call history and saved contacts, and even to call a number, after extracting the Bluetooth link keys from a vulnerable device’s memory.
“The range of available commands depends on the mobile operating system, but all major platforms at least support the initiation and reception of calls,” they said, but added that “real attacks are complex to execute” and would probably only be aimed at high-value targets because they require technical sophistication and physical proximity.
The team also showed that it was possible to chain this vulnerability with two others affecting the same component (CVE-2025-20700 and CVE-2025-20702) to use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone.
Apple has now published a new security advisory confirming that it has released a fix for the bug.
“An attacker within Bluetooth range may be able to listen through the microphone of a device that is not yet paired and actively seek pairing requests,” the guidance reads. “This is a vulnerability in open source code, and Apple software is among the affected projects. The CVE ID was assigned by a third party.”
Apple fixed the bug in Beats Firmware Update 1B211, which will be installed automatically the next time users pair their headphones with their iPhone, iPad or Mac devices.
Via Bleeping Computer




