Apple closes eavesdropping flaw in Beats Studio Buds after year-long chip-level issue

Apple has delivered a firmware patch to Beats Studio Buds owners to close a high-severity Bluetooth authentication bypass that could let nearby attackers eavesdrop on microphone input even when the earbuds were not yet paired to a device. The flaw, tracked as CVE-2025-20701 with a severity score of 8.8 out of 10, stems from improper authentication in the Bluetooth subsystem firmware running on certain audio chips. Apple states the issue could be exploited by an attacker within Bluetooth radio range to impersonate previously paired devices and gain unauthorized access to the microphone feed. The fix arrives roughly one year after researchers disclosed the underlying chip-level vulnerability to multiple vendors.

The vulnerability was publicly demonstrated by security firm Insinuator researchers Dennis Heinze and Frieder Steinmetz, who showed end-to-end attacks that intercepted audio from headsets using affected Bluetooth System-on-Chip components. Airoha Systems, the chipmaker whose firmware contained the flaw, issued a corrected software development kit to downstream manufacturers. Apple integrated the patch into its Beats Studio Buds as firmware version 1B211, which is delivered automatically when the earbuds are within Bluetooth range of an iPhone, iPad, or Mac that has the update applied. Users can verify the firmware version by opening Settings, selecting Bluetooth, and tapping the information icon next to the listed earbuds.

For owners of Beats Studio Buds, the update process is transparent and requires no manual intervention beyond keeping the paired device powered on and in proximity. The automatic over-the-air delivery mechanism mirrors Apple’s approach for other firmware updates on its ecosystem devices, minimizing user friction while closing the exposure. Although the immediate risk is mitigated by the patch, the episode underscores the broader challenge of supply-chain security in consumer audio devices that rely on third-party Bluetooth chips. Any vendor using the same Airoha SDK would need to ship their own firmware update to resolve the issue on their products.

How the Bluetooth eavesdropping attack works

The vulnerability arises from a flaw in the pairing and authentication routines of the Bluetooth Low Energy stack implemented on certain Airoha-based chips. Under normal operation, Bluetooth devices perform a mutual authentication exchange before allowing data transfer, including microphone streams. The researchers found that the firmware failed to enforce proper validation during the pairing handshake, enabling an attacker in radio proximity to spoof the identity of a previously trusted device. Once spoofed, the attacker could request the microphone channel without explicit user consent, effectively turning the headset into a covert listening device.

Because the flaw resides in the firmware layer, it can persist even when the operating system on the paired phone or computer is fully patched. That separation between host software and embedded firmware is a common source of blind spots in security reviews. In the demonstration, the researchers used commodity Bluetooth tools to inject pairing requests and capture the resulting audio stream, proving that exploitation does not require sophisticated hardware. The attack surface is limited to the Bluetooth radio range—typically a few meters—so physical proximity remains a practical constraint for attackers.

Apple’s advisory notes that exploitation is only possible when the headset is actively seeking new pair requests, such as during initial setup or after a factory reset. That timing reduces the window of opportunity but does not eliminate it entirely, since users frequently reset or switch devices. The 8.8 severity score reflects both the potential impact—unauthorized audio capture—and the ease of exploitation with off-the-shelf tools.

Which products are affected beyond Beats Studio Buds

The underlying SDK issue was disclosed to multiple manufacturers who source Bluetooth chips from Airoha Systems, meaning the same vulnerability likely spans a range of wireless headphones and earbuds released in the past two years. Airoha provides reference designs and firmware to original equipment manufacturers, so any product using the compromised SDK revision could be vulnerable unless updated. Jabra, a prominent headset maker, acknowledged the issue and issued its own firmware update in the same week Apple released the Beats patch, indicating the breadth of affected vendors.

Consumers can check whether their specific model is impacted by visiting the manufacturer’s support site or using the in-app firmware update tool if available. Because updates are delivered through the paired host device—phone, tablet, or computer—users should ensure their operating system and companion app are up to date as well. Products that have already received firmware updates from their makers are no longer vulnerable, but devices that have not received an update remain exposed. The lack of a centralized public database for Bluetooth firmware versions complicates visibility for end users.

Industry watchers expect additional disclosures in the coming months as other vendors complete their patching cycles. The incident highlights the need for buyers to consider supply-chain transparency when purchasing wireless audio devices, especially those marketed for privacy-sensitive use cases. Long-term, chipmakers may need to adopt more rigorous secure-by-default practices and provide verifiable firmware signing to prevent similar issues.

What users should do right now

Beats Studio Buds owners should confirm that firmware version 1B211 or later is installed by opening Settings, choosing Bluetooth, and tapping the information icon next to the earbuds. If the update is not present, placing the earbuds near a paired iPhone, iPad, or Mac with an internet connection should trigger the over-the-air update automatically. No user interaction beyond keeping the devices powered on and in range is required. Apple does not provide a manual download link, reinforcing the seamless update model.

For owners of other wireless headphones from brands that used the Airoha SDK, the immediate step is to check the manufacturer’s support page or companion app for a firmware update. If an update is available, install it using the provided instructions. If no update is listed, contact the vendor’s support team to confirm whether your specific model is affected and whether a patch is planned. In cases where the vendor is unresponsive or no update exists, consider limiting use of the microphone in untrusted environments or switching to a model with a clear update history.

Organizations that deploy wireless headsets to employees should prioritize firmware updates as part of their endpoint security policy. Because the vulnerability allows covert audio capture, it poses a risk in settings where sensitive conversations occur. IT teams can inventory affected models using purchase records and push updates through mobile device management platforms where supported. Documenting firmware versions and update dates will help maintain compliance and reduce future exposure.

Why chip-level flaws are hard to detect and fix

Bluetooth stacks are implemented across layers—host controller, embedded firmware, and application software—each developed by different teams or third parties. A flaw in the lowest layer, the chip firmware, can be invisible to host operating systems and even to the headset’s own application logic. Security reviews often focus on the application and OS layers, assuming the underlying hardware and firmware are trustworthy. The Airoha incident demonstrates how that assumption can fail, especially when SDKs are reused across many products.

Firmware updates for consumer audio devices are not always treated with the urgency given to smartphone or laptop patches, in part because the risk profile is less visible to end users. Many buyers do not realize that headphones contain programmable chips that can harbor vulnerabilities. The automatic delivery mechanism Apple uses for Beats Studio Buds is an outlier; many other brands still rely on manual update prompts or web downloads, which lowers patch adoption rates. Slow or absent updates prolong exposure and increase the chance that an attacker will discover the flaw independently.

From a long-term perspective, the industry may need to adopt firmware transparency measures such as signed updates, version reporting, and coordinated disclosure timelines similar to those used in mobile and PC ecosystems. Chipmakers could also provide reference designs with secure defaults, including mandatory authentication checks and minimal attack surfaces. Until these practices become standard, consumers and organizations should treat firmware updates for wireless peripherals as critical security tasks.

Supply-chain security lessons for audio device buyers

The episode serves as a reminder that a product’s security posture depends not only on the brand name on the box but also on the components and code inherited from suppliers. When selecting wireless earbuds or headsets, buyers should ask vendors whether the Bluetooth chip firmware is updatable, how updates are distributed, and whether past vulnerabilities have been addressed. A public list of firmware versions and changelogs would be a strong differentiator for privacy-conscious users.

Organizations purchasing headsets in volume should negotiate contractual requirements for timely firmware updates and vulnerability disclosures from suppliers. Contracts can specify maximum response times for patching critical issues and mandate that suppliers disclose any inherited vulnerabilities. These clauses shift some responsibility back to the vendor and create accountability for supply-chain risks.

In consumer markets, third-party testing labs could begin certifying firmware update mechanisms and patching processes alongside traditional audio performance metrics. Such certifications would give buyers a quick way to compare devices based on security hygiene. Until then, relying on reputable brands with transparent update policies remains the most practical safeguard.

What to watch next

Security researchers are likely to continue probing Bluetooth stacks for similar authentication flaws, especially in low-power audio chips that prioritize battery life over security hardening. Expect additional disclosures in the next 6–12 months as vendors complete their remediation cycles and as new research emerges. Consumers should monitor manufacturer websites and support channels for firmware advisories and install updates promptly.

On the regulatory front, incidents like this may accelerate interest in mandatory cybersecurity requirements for wireless consumer devices, particularly those with microphones or cameras. Governments could introduce baseline standards for firmware updateability, vulnerability disclosure, and secure development practices. If enacted, such rules would raise the bar across the industry and reduce the prevalence of long-lived, unpatched vulnerabilities.

For now, the immediate priority is ensuring that Beats Studio Buds and any other potentially affected headphones receive the latest firmware. Beyond that, maintaining a broader awareness of firmware update practices will help users and organizations stay ahead of the next supply-chain disclosure.