{"id":1371,"date":"2026-06-19T07:57:30","date_gmt":"2026-06-19T07:57:30","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1371"},"modified":"2026-06-19T07:57:30","modified_gmt":"2026-06-19T07:57:30","slug":"apple-patches-beats-studio-buds-flaw-letting-nearby-attackers-spy-via-microphone","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1371","title":{"rendered":"Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Jun 19, 2026<\/span><\/span><span class=\"p-tags\">Mobile Security \/ Vulnerability<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users.<\/p>\n<p>The vulnerability, tracked as <b><a href=\"https:\/\/support.apple.com\/en-us\/127557\">CVE-2025-20701<\/a><\/b> (CVSS score: 8.8), refers to a case of incorrect authorization impacting the Airoha Bluetooth audio SDK that makes it possible to pair a Bluetooth audio device without user consent.<\/p>\n<p><a href=\"https:\/\/www.sentinelone.com\/vulnerability-database\/cve-2025-20701\/\">Successful exploitation<\/a> of the flaw could lead to remote escalation of privilege without requiring any additional execution privileges or user interaction. 
The issue has been addressed in Beats Firmware Update 1B211.<\/p>\n<p>\u00abAn attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests,\u00bb Apple said in an advisory released this week.<\/p>\n<p>Details of the vulnerability first emerged in June 2025 when ERNW GmbH researchers Dennis Heinze and Frieder Steinmetz <a href=\"https:\/\/www.airoha.com\/product-security-bulletin\/2025\">flagged it alongside two other flaws<\/a> in Airoha SoCs (CVE-2025-20700 and CVE-2025-20702) at the TROOPERS security conference in Germany. Similar patches were <a href=\"https:\/\/www.jabra.com\/support\/release-notes\/release-note-jabra-link-390#2.5.0\">released<\/a> by Jabra in December 2025.<\/p>\n<p>\u00abIn most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required,\u00bb the researchers noted at the time. \u00abThe vulnerabilities can be triggered via Bluetooth BR\/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition. It is possible to read and write the device\u2019s RAM and flash.\u00bb<\/p>\n<p>\u00abThese capabilities also allow attackers to hijack established trust relationships with other devices, such as the phone paired to the headphones. 
These capabilities allow for multiple attack scenarios.\u00bb<\/p>\n<h3>New Unpatchable Exploit Discovered in Apple&#8217;s A12 and A13 Chips<\/h3>\n<p>The disclosure comes as Paradigm Shift disclosed a novel iPhone <a href=\"https:\/\/theapplewiki.com\/wiki\/Bootrom\">SecureROM<\/a> (aka BootROM) vulnerability impacting Apple&#8217;s A12 and A13 chips, in addition to a proof-of-concept (PoC) exploit codenamed <a href=\"https:\/\/github.com\/prdgmshift\/usbliter8\">usbliter8<\/a>.<\/p>\n<p>\u00abThe exploit leverages both a hardware bug in the USB controller and a specific configuration flaw present in the device firmware,\u00bb the European cybersecurity company <a href=\"https:\/\/ps.tc\/pages\/blog-usbliter8.html\">said<\/a>. \u00abAs these vulnerabilities reside in immutable code, affected users should be aware that migrating to newer hardware remains the most effective mitigation.\u00bb<\/p>\n<p>At a high level, the exploit works by leveraging a flaw in the USB controller built into Apple SoCs. The controller uses a memory buffer to store SETUP and OUT packets transmitted at the start of data transfer. The research found that it&#8217;s possible to trigger a <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/124.html\">buffer underflow primitive<\/a> by taking advantage of the fact that the controller also accepts smaller packets, effectively allowing for malicious code injection and execution under certain conditions.\u00a0<\/p>\n<p>The problem, Paradigm Shift noted, is likely rooted in the USB controller hardware itself, not in Apple&#8217;s software. 
The A11 chip is not susceptible to the vulnerability, while A12 and A13 are confirmed to be susceptible.<\/p>\n<p>\u00abThe difference is that the A11 USB driver manually resets the DMA address to its initial value after receiving each packet,\u00bb the company said. \u00abOn A12 and A13, USB DART is configured in bypass mode, allowing us to overwrite SRAM data freely. In contrast, A14 and later generations appear to configure the DART correctly in SecureROM, making the vulnerability unexploitable.\u00bb<\/p>\n<p>The usbliter8 exploit is comparable to checkm8, the publicly known BootROM exploit of this kind that impacted all iOS devices ranging from iPhone 4s (A5 chip) to iPhone 8 and iPhone X (A11 chip).<\/p>\n<p>\u00abThe usbliter8 exploit demonstrates that even on more recent SecureROM generations, including those protected by <a href=\"https:\/\/developer.apple.com\/documentation\/security\/preparing-your-app-to-work-with-pointer-authentication\">Pointer Authentication<\/a>, subtle hardware bugs can still be leveraged to achieve full code execution and break the chain of trust,\u00bb Paradigm Shift said.<\/p>\n<p>\u00abThe security of the BootROM is critical: vulnerabilities at this level can compromise the integrity of the entire device. 
Although usbliter8 doesn&#8217;t affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Jun 19, 2026Mobile Security \/ Vulnerability Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1372,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[618,622,2099,2100,70,2101,2103,2102,57,565,560],"class_list":["post-1371","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-apple","tag-attackers","tag-beats","tag-buds","tag-flaw","tag-letting","tag-microphone","tag-nearby","tag-patches","tag-spy","tag-studio"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1371"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1371\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1372"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_rout
e=%2Fwp%2Fv2%2Fcategories&post=1371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}