- Apple patches CVE-2025-20701, a high-severity Bluetooth flaw in Beats Studio Buds enabling eavesdropping within range
- Researchers showed attackers could chain related bugs to hijack headphones, issue phone commands, and read/write device memory
- Fixed in Beats Firmware Update 1B211, auto-installed when pairing with iPhone, iPad, or Mac
Apple has fixed a high-severity vulnerability in its Beats Studio Buds wireless earbuds that allowed threat actors within Bluetooth range to eavesdrop on people’s conversations.
The vulnerability was discovered in 2025 by security researchers Dennis Heinze and Frieder Steinmetz of ERNW. It has been assigned CVE-2025-20701 and was given a severity score of 8.8/10 (high).
The researchers explained that it stemmed from a missing-authentication weakness in the Bluetooth BR/EDR radio. They also published a proof-of-concept (PoC) exploit that showed how malicious actors might initiate a call and listen in on people’s conversations, as long as they were within Bluetooth range.
Issuing a patch
“In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required,” they said. “The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition. It is possible to read and write the device’s RAM and flash.”
They also managed to pull the call history and stored contacts, and even succeeded in calling a number, after extracting the Bluetooth link keys from a vulnerable device’s memory.
“The range of available commands depends on the mobile operating system, but all major platforms support at least initiating and receiving calls,” they said, but added that “real attacks are complex to perform” and would likely be aimed only at high-value targets because they require technical sophistication and physical proximity.
The team…


























