Apple Fixes Beats Studio Buds Bluetooth Eavesdropping Hole

TL;DR

  • CVE-2025-20701 (CVSS 8.8) let attackers within Bluetooth range pair silently with unpaired Beats Studio Buds and access the device microphone.
  • ERNW GmbH researchers Dennis Heinze and Frieder Steinmetz found the flaw alongside two related Airoha CVEs, presenting at TROOPERS in June 2025.
  • Apple shipped Beats Firmware Update 1B211 as the fix; Jabra patched its own Airoha-based devices separately in December 2025.

The flaw at the center of this story is not a Beats bug; it is an Airoha bug. CVE-2025-20701 lives in the Airoha Bluetooth audio SDK, a shared component embedded in earbuds from multiple manufacturers, and the CVSS 8.8 rating reflects a genuine severity: an attacker in Bluetooth range of an unpaired Beats Studio Buds unit can pair with it silently, without any user action or consent, and access the microphone. Apple's own advisory puts it plainly: "An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests."

ERNW GmbH researchers Dennis Heinze and Frieder Steinmetz, who presented the findings at the TROOPERS conference in June 2025 alongside two related Airoha CVEs, described a broader attack surface than the headline suggests. Their characterization, as reported by The Hacker News, was blunt: "In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required. Being in Bluetooth range is the only precondition." Full takeover means more than passive listening; the researchers also noted that the vulnerabilities enable an attacker to read and write the device's RAM and flash and to "hijack established trust relationships with other devices, such as the phone paired to the headphones."

Apple shipped Beats Firmware Update 1B211 to address the flaw, and Jabra separately patched its own Airoha-based devices in December 2025. The honest caveat is that neither the Apple advisory nor the available reporting gives a complete accounting of which other brands rely on the same Airoha SDK, or whether Airoha itself has published a root-level fix independent of individual OEM firmware cycles.

The forward-looking concern belongs to manufacturers without Apple's distribution advantage. Apple's firmware update flows automatically to paired Beats units through iOS, which limits how long unpatched devices stay in the field. Brands without a comparable silent-update channel face a longer tail of exposure, and a shared-SDK vulnerability means each unpatched product line is its own unclosed window until the manufacturer acts.