
Apple Patches Beats Studio Buds Vulnerability Used to Eavesdrop on Conversations
Apple has rolled out a firmware fix for a Beats Studio Buds vulnerability that let attackers within Bluetooth range listen in on private conversations through the earbuds' microphone. The flaw affected devices that were not yet paired but were still actively searching for a connection, creating a narrow but very real window for eavesdropping.
Apple confirmed the issue stems from open-source code used across multiple projects, and Apple software is among the affected implementations. The fix arrives through Beats Firmware Update 1B211, which installs automatically once the earbuds pair with an iPhone, iPad, or Mac within Bluetooth range.
How the Beats Studio Buds Vulnerability Works
The flaw, tracked as CVE-2025-20701, traces back to a missing-authentication weakness in the Bluetooth BR/EDR radio built into the Airoha system-on-a-chip that powers the Beats Studio Buds. Because the chip never properly verifies a connecting device's identity, an earbud searching for a pairing request can be tricked into accepting a connection from an attacker instead of its intended owner.
Security researchers Dennis Heinze and Frieder Steinmetz of ERNW GmbH uncovered the weakness and built a working proof-of-concept exploit. Their demonstration showed an attacker initiating a phone call through the compromised earbuds and listening to everything happening within range of the microphone. No pairing approval or authentication step stood in the way.
From Eavesdropping to Full Device Takeover
The eavesdropping flaw becomes more dangerous when paired with two related vulnerabilities in the same Airoha component, tracked as CVE-2025-20700 and CVE-2025-20702. Chaining all three lets an attacker hijack the Bluetooth Hands-Free Profile connection between a phone and its paired audio device, then issue commands as if they controlled the device directly.
Researchers said this level of access can let attackers read and write the device's RAM and flash memory. From there, they were able to pull Bluetooth link keys out of a vulnerable earbud's memory, retrieve call history and saved contacts, and even place calls to arbitrary numbers without the user noticing.
A Vulnerability That Demands Proximity, Not Just Skill
Despite the severity, exploiting this Beats Studio Buds vulnerability is far from simple. Bluetooth range is the only hard requirement, but the attack also requires technical sophistication that puts it out of reach for casual bad actors. Researchers noted that real-world attacks are complex to pull off and would most likely target high-value individuals rather than the general public.
That distinction matters for risk assessment. A corporate executive or government official sitting in a crowded conference room faces a different threat model than someone wearing Beats Studio Buds on a morning commute. The flaw is serious, but it is not the kind of vulnerability that scales easily into mass surveillance.
Why It Took a Year to Reach a Fix
ERNW researchers first disclosed the underlying Bluetooth weakness publicly at the TROOPERS security conference in Germany roughly a year before Apple's patch arrived. The delay reflects how vulnerabilities buried deep in chip-level firmware often require coordination across multiple vendors, since the same Airoha SoC ships in audio products beyond Apple's lineup.
Because the CVE was assigned by a third party rather than Apple directly, the disclosure timeline also depended on how quickly affected manufacturers could test and roll out their own fixes. Apple's advisory, published this week, marks the company's formal response after that extended remediation window.
What Beats Studio Buds Owners Should Do
Apple designed the fix to apply itself without user action. Beats Firmware Update 1B211 installs automatically the next time the Beats Studio Buds pair with a nearby iPhone, iPad, or Mac, so most owners will receive the patch simply by using their devices as normal.
Users who want confirmation can check manually through their device's Bluetooth settings. Tapping the info icon next to the connected buds displays the current firmware version, which should now read 1B211 if the update has been applied.
Anyone who still sees an older version should keep the earbuds paired and within range of their Apple device for a few minutes, since the update transfers automatically once a connection is established. Given how the vulnerability operates, leaving the buds unpatched extends the window during which a nearby attacker could exploit the missing authentication step.
A Reminder About Wireless Accessory Security
This Beats Studio Buds vulnerability fits into a broader pattern affecting Bluetooth audio hardware, where convenience features like automatic pairing can create openings for attackers if authentication is not enforced correctly. As wireless earbuds continue collecting more sensitive audio data, the firmware running on the chips inside them deserves the same scrutiny as the phones they connect to.
For now, Apple's patch closes this particular gap. Owners who keep their Beats Studio Buds updated and paired regularly with their Apple devices should already be protected.