- Apple patches CVE-2025-20701, a high-severity Bluetooth flaw in Beats Studio Buds that allows in-range eavesdropping
- The researchers showed that attackers could chain together related bugs to hijack headsets, issue phone commands, and read/write device memory.
- Fixed in Beats firmware update 1B211, which installs automatically when the headphones are paired with an iPhone, iPad or Mac
Apple has fixed a high-severity vulnerability in its Beats Studio Buds wireless headphones that allowed threat actors to eavesdrop on people’s conversations if they were within Bluetooth range.
The vulnerability was discovered in 2025 by security researchers Dennis Heinze and Frieder Steinmetz of ERNW. It was assigned CVE-2025-20701 and given a severity score of 8.8/10 (high).
The researchers explained that the flaw stems from missing authentication in the BR/EDR Bluetooth radio. They also published a proof-of-concept (PoC) exploit showing how malicious actors could initiate a call and listen to people’s conversations, as long as they were within Bluetooth range.
Issue a patch
“In most cases, these vulnerabilities allow attackers to completely take over the headphones via Bluetooth. No authentication or pairing is required,” they said. “Vulnerabilities can be activated via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being within Bluetooth range is the only precondition. It is possible to read and write to the device’s RAM and flash memory.”
After extracting the Bluetooth pairing keys from the memory of a vulnerable device, they also managed to extract call history and stored contacts, and even to call a number.
“The range of commands available depends on the mobile operating system, but all major platforms support at least initiating and receiving calls,” they said, but added that “actual attacks are complex to conduct” and would probably be aimed only at high-value targets because they require technical sophistication and physical proximity.
The team also demonstrated that it was possible to chain this vulnerability with two others that affect the same component (CVE-2025-20700 and CVE-2025-20702), to use the Bluetooth hands-free profile (HFP) to issue commands to the phone.
Apple has published a new security advisory, confirming that it has released a fix for the flaw.
“An attacker within Bluetooth range can listen through the microphone of a device that is not yet paired and actively searching for pairing requests,” the advisory reads. “This is a vulnerability in open source code and Apple software is among the affected projects. The CVE-ID was assigned by a third party.”
Apple fixed the bug in Beats firmware update 1B211, which will be installed automatically the next time users pair their headphones with their iPhone, iPad, or Mac devices.
Via BleepingComputer





