Apple has addressed a significant security flaw in its Beats Studio Buds wireless earbuds that could have allowed attackers to monitor users' conversations without their knowledge. The vulnerability, identified as CVE-2025-20701, was patched in firmware update 1B211, which is automatically delivered to devices when they are paired with an iPhone, iPad, or Mac within Bluetooth range. Users can verify the update through their device's Bluetooth settings by selecting the info option next to their headphones listing.
The issue was rooted in the Airoha system-on-a-chip (SoCs) used in the earbuds, specifically within the Bluetooth BR/EDR radio component. Security researchers Dennis Heinze and Frieder Steinmetz from ERNW GmbH discovered the flaw, which stemmed from a missing authentication mechanism. This weakness allowed attackers within Bluetooth range to access the microphone of a device that was not yet paired but actively seeking connection requests. The researchers demonstrated that the vulnerability could be exploited to initiate calls and listen in on conversations near the targeted device.
Technical details and risks
The ERNW team disclosed the vulnerability one year prior at the TROOPERS security conference in Germany, alongside two related flaws (CVE-2025-20700 and CVE-2025-20702) affecting the same hardware component. When combined, these vulnerabilities enabled attackers to fully compromise the earbuds via Bluetooth, requiring no prior pairing or authentication. The attack surface included both Bluetooth BR/EDR and Bluetooth Low Energy (BLE) protocols, with the only prerequisite being proximity to the target device.
- Vulnerability: CVE-2025-20701 (high severity)
- Affected product: Beats Studio Buds (firmware prior to 1B211)
- Attack vector: Bluetooth BR/EDR or BLE, no pairing required
- Exploit range: Within Bluetooth proximity (~10 meters)
- Patch: Firmware update 1B211, automatically delivered via paired Apple devices
The researchers noted that while the attack was technically complex, it could be used to extract sensitive data from vulnerable devices. By chaining the vulnerabilities, attackers could read and write to the device's RAM and flash memory, retrieve call history and contacts, and even initiate calls to arbitrary numbers. The Bluetooth Hands-Free Profile (HFP) could be hijacked to issue commands to the paired phone, though the extent of available commands depended on the mobile operating system. Apple's advisory clarified that the flaw originated in open-source code, with the CVE identifier assigned by a third party.
Mitigation and industry implications
Apple's automatic firmware update mechanism ensures that most users will receive the patch without manual intervention, provided their earbuds are paired with an Apple device. However, the incident underscores broader concerns about Bluetooth security, particularly in consumer audio devices. The ERNW researchers emphasized that such vulnerabilities are not limited to Beats products, as the Airoha SoCs are widely used across multiple brands. They advised users to keep their devices updated and to avoid leaving Bluetooth enabled in untrusted environments.
For professionals: Security teams should audit Bluetooth-enabled devices in corporate environments, particularly those handling sensitive communications. The attack's low barrier to entry—requiring only proximity—highlights the need for layered security measures, including network segmentation and endpoint detection for unusual Bluetooth activity.
While the researchers suggested that real-world attacks would likely target high-value individuals due to the technical complexity involved, the widespread adoption of Bluetooth audio devices makes this a notable risk for enterprises. The incident also serves as a reminder for manufacturers to rigorously test third-party components, especially open-source code, for security weaknesses before integration into consumer products.
Automated pipeline · Security
Synthesized from 1 industry feed on 18 Jun 2026. Passed independent editor verification (score 85/100) before publication. Style guide v1.3.
Sources
Decision trail
- Checking for duplicates — Deduped batch of 1 candidates
- Checking for duplicates — New story No recent or in-pipeline article covers this specific Apple Beats Studio Buds Bluetooth vulnerability.
- Writing the article — Draft created article_id=151 slug=apple-patches-beats-studio-buds-bluetooth-eavesdropping-flaw
-
Editor review — Approved
- Score: 85/100
- Factual grounding: The draft states the vulnerability was disclosed 'one year prior at the TROOPERS security conference in Germany' without specifying the year. The source confirms disclosure one year ago but does not provide the conference year. The relative term 'one year prior' is resolved from the source publication date (18 June 2026), implying 2025, but the conference year is not explicitly stated in the source. This is acceptable as the relative term is correctly resolved, but the lack of explicit year in the source should be noted.
- Quote integrity: The draft includes a blockquote under 'Key facts' but this is not a verbatim quote from the source. The block is correctly formatted as a 'Key facts' callout, not a quote block, so this does not violate the quote block rule. However, the 'Key facts' block is not declared in `layout_features` and is not one of the optional blocks permitted (it is a variant of the 'Key facts' callout, which is allowed).
- Style compliance: The draft uses a 'Key facts' callout block but does not declare it in `layout_features`. While this block is permitted, it should be declared for consistency. The article also exceeds the 700-word limit (730 words), but this is within the minor threshold for approval.
- No copied phrasing: The draft closely echoes the source's phrasing in the 'Technical details and risks' section, particularly the list of attack capabilities (e.g., 'read and write to the device's RAM and flash memory, retrieve call history and contacts, and even initiate calls to arbitrary numbers'). While the facts are correct, the structure mirrors the source too closely. This is a minor issue as the facts are properly attributed.
- Generating reader Q&A — Generated 5 items
- Linking related stories — Linked 5 relations from 114 candidates
- Assigning hero image — Unsplash unsplash_id=hAryFPeMqTM q=Apple headquarters
- Publishing — Published apple-patches-beats-studio-buds-bluetooth-eavesdropping-flaw
- Mastodon — Posted https://mstdn.social/@hostingpaper/116771181420798847
Discussion · coming soon
Be the first to join the thread when community discussion launches.