Apple patched CVE-2025-20701 in Beats Studio Buds: attackers within Bluetooth range could eavesdrop on conversations by exploiting a flaw in the Airoha SoC.

Apple released firmware 1B211 on June 16, 2026 to fix a high-severity vulnerability in Beats Studio Buds that allowed an attacker within Bluetooth range to listen through the microphone of headphones that had not yet been paired. The flaw, tracked as CVE-2025-20701, resides in the Airoha SoC supplied by MediaTek and stems from a lack of authentication in the Bluetooth BR/EDR stack. Chaining it with two other vulnerabilities enables full takeover of the headphones, with access to RAM, flash, call history, and contacts.

Key Takeaways
  • Apple released firmware 1B211 for Beats Studio Buds on June 16, 2026, specifically to address CVE-2025-20701.
  • An attacker within Bluetooth range could intercept conversations from the microphone of unpaired headphones actively seeking pairing requests.
  • The vulnerability stems from a missing-authentication weakness in the Bluetooth BR/EDR stack of the Airoha SoC, a third-party component.
  • Chaining with CVE-2025-20700 and CVE-2025-20702 enables full headphone takeover, arbitrary read/write of RAM and flash, and extraction of call history, contacts, and Bluetooth link keys.

The Mechanism: How the Microphone Becomes Listenable Without Pairing

The weakness is rooted in the Bluetooth BR/EDR protocol of the Airoha SoC. According to the Apple advisory reported by BleepingComputer, "an attacker within Bluetooth range may be able to listen through the microphone of a device that is not yet paired and is actively seeking pairing requests." This condition typically occurs when the headphones are in open pairing mode, ready for initial pairing with a new device.

Researchers Dennis Heinze and Frieder Steinmetz of ERNW GmbH identified the vulnerability as a consequence of a "lack of authentication in the Bluetooth BR/EDR radio." Their analysis, presented a year ago at the TROOPERS conference in Germany, demonstrated that it is possible to impersonate a legitimate device and establish a connection that exposes the microphone audio stream. The technical barrier for eavesdropping is relatively low: no prior pairing or authentication is required.

The same Apple advisory notes that the flaw also affects "other Apple software projects" because the vulnerable code is open source. The document states that "the CVE-ID was assigned by a third party," indicating a disclosure path outside Apple's internal bug bounty program.

From Eavesdropping to Full Control: Chaining the Three CVEs

CVE-2025-20701 alone enables audio interception, but ERNW's research mapped a broader attack path. Heinze and Steinmetz demonstrated a proof-of-concept that allows an attacker to "initiate a call and intercept conversations." Combined with CVE-2025-20700 and CVE-2025-20702, the impact goes well beyond eavesdropping.

According to the researchers, "in most cases, these vulnerabilities allow attackers to take complete control of the headphones via Bluetooth. No authentication or pairing is required." Full takeover includes arbitrary read and write of RAM and flash, with the ability to extract call history, contacts, and Bluetooth link keys. Available commands depend on the mobile OS, but "all major platforms support at least initiating and receiving calls."

The researchers also introduced a note of caution: "real-world attacks are complex to execute." This statement, however, must be read in the context of consumer security: complexity does not equal impossibility, and the availability of a public PoC progressively lowers the barrier to entry for less sophisticated actors.

Firmware Distribution and User Verification

Firmware 1B211 is distributed automatically when Beats Studio Buds are paired and within range of an Apple device. Installation verification occurs in the Bluetooth settings of the iOS or iPadOS device. Apple does not provide a forced manual update path: installation depends on the pairing and proximity condition.

This distribution mechanism presents a non-trivial vulnerability window. Headphones that have not been recently paired to an Apple device, or that remain disconnected for extended periods, may not receive the patch immediately. The dossier does not specify whether an alternative update mode exists for Android users or for scenarios where the paired Apple device is unavailable.

The June 16, 2026 release date comes from Apple Security Releases, which lists "Beats Firmware Update 1B211 | Beats Studio Buds | 16 Jun 2026." This official source confirms the timeline but does not add technical details on the nature of the vulnerability.

Why It Matters

The source does not specify whether real-world attacks against this vulnerability have been observed. The dossier does not document additional remedial measures beyond firmware 1B211, nor does it provide instructions for users who cannot verify the update. The exact scope of the phrase "other Apple software projects" affected by the vulnerable open-source code remains unquantified.

The maximum effective Bluetooth BR/EDR attack distance in real-world conditions is not indicated in the available sources. The specific CVSS score for CVE-2025-20701 does not appear in the consulted sources, although the "high-severity" classification is attested. It is not verifiable from the provided sources whether this vulnerability is present in the CISA KEV catalog.

The conflict in the CVE ID requires attention: while BleepingComputer cites CVE-2025-20701 as the primary identifier, the NVD record provided in the dossier refers to CVE-2025-43529, which does not correspond to the topic. The generic NVD sources (sources 4-7) do not add specific data on Beats Studio Buds or the correct CVE.

"In most cases, these vulnerabilities allow attackers to take complete control of the headphones via Bluetooth. No authentication or pairing is required." — Dennis Heinze and Frieder Steinmetz, ERNW GmbH

The incident concretely resurfaces the problem of secure component supply chains in consumer devices. The Airoha SoC is a third-party component, supplied by a MediaTek subsidiary, that integrates a proprietary Bluetooth stack. Apple lacks direct visibility and immediate control over the development lifecycle of this component, and the fix requires coordination between the chip vendor and the final assembler. This dependency architecture is common in the wearable audio industry, but the documented vulnerability highlights its cost in terms of patch latency and unexpected attack surface.

For users, the stakes are twofold: compromise of the microphone as a physical surveillance vector in public spaces, and potential extraction of sensitive metadata (call history, contacts, pairing keys) that enables correlated attacks on other associated devices. For organizations, the vulnerability signals that the security perimeter must extend to peripheral devices traditionally considered "dumb" from a computational standpoint, but that in reality host complex firmware built on third-party components that are not always transparent.

The disclosure at the TROOPERS conference in 2025 and the patch release in June 2026 indicate an interval of roughly one year between public disclosure and fix availability. The dossier does not specify whether this interval reflects firmware development time, coordination with the chip supplier, or Apple's release cycle planning.

Frequently Asked Questions

Do Beats Studio Buds paired to an Android device receive the update?

The dossier does not explicitly specify the update path for Android devices. According to the source, firmware 1B211 is distributed "when the headphones are paired and within range of an Apple device." Firmware verification occurs in the Bluetooth settings of the Apple device. No details emerge on alternative procedures for non-Apple ecosystems.

Does the vulnerability affect other Beats models or AirPods?

The flaw is specific to the Airoha SoC present in Beats Studio Buds. The Apple advisory indicates that the vulnerable code is open source and affects "other Apple software projects," but does not specify which hardware models beyond Beats Studio Buds are involved. The vulnerability cannot be extended to other products without further documentation.

Which CVE identifier is the correct one?

BleepingComputer cites CVE-2025-20701 as the identifier for the main vulnerability. The NVD record provided in the dossier, however, points to CVE-2025-43529, which does not correspond to the Beats Studio Buds topic. This discrepancy is not resolved by the available sources and represents a limitation of the dossier in cross-verifying the correct CVE.

Information is based on the cited advisory and current as of publication.

Sources and references
  1. schema.org
  2. bleepingcomputer.com
  3. nvd.nist.gov
  4. support.apple.com