Apple has rolled out an emergency firmware update for its Beats Studio Buds wireless earbuds, patching a high-severity vulnerability that allowed nearby attackers to silently eavesdrop through the device's microphone. Users should confirm immediately that their earbuds are running firmware version 1B211.
The flaw, tracked as CVE-2025-20701 with a CVSS score of 8.8, stems from an incorrect authorization issue in the Airoha Bluetooth audio SDK — a third-party component powering the earbuds' Bluetooth functionality. The vulnerability enables an attacker within Bluetooth range to pair with a victim's Beats Studio Buds without any user consent or interaction, then access the microphone to listen in on surrounding conversations.
A Silent, Proximity-Based Threat
The attack profile is what elevates this flaw beyond a routine patch. Under normal operation, Bluetooth pairing demands explicit user approval — a notification on the paired phone, a button press on the device, or similar confirmation. CVE-2025-20701 bypasses this safeguard entirely. An attacker situated within roughly 10 metres can initiate an unauthorised connection with no visible indication to the user. Once paired, the microphone becomes accessible for covert surveillance.
No physical access to the target device is needed, and the victim has no way to detect the intrusion through normal use.
Verifying and Installing the Patch
Firmware version 1B211 is being delivered over the air. On iOS, the update installs automatically when the earbuds are connected to a paired iPhone and placed in their charging case. Android users should check the Beats companion app for update availability. To verify the current firmware version, navigate to the Bluetooth settings on the paired device, tap the information icon beside the Beats Studio Buds entry, and confirm the version number.
The Supply Chain Dimension
While Apple designed and markets the Beats Studio Buds, the vulnerable code is not Apple's own. It originates in the Airoha Bluetooth audio SDK, produced by Airoha Technology, a Taiwanese semiconductor company whose Bluetooth system-on-chip solutions and associated software libraries are embedded in audio products across the consumer electronics industry.
This makes the vulnerability's impact potentially far wider than a single product line. The same SDK is used by multiple Bluetooth audio manufacturers, and as of this writing, no other vendors have publicly confirmed or denied whether their devices are affected. Users of Bluetooth earbuds, headphones, and speakers from non-Apple brands should monitor their vendors' security advisories closely for related disclosures.
The Peripheral Security Blind Spot
For IT administrators and security teams, the disclosure highlights an often-overlooked gap in organisational security posture. Connected peripherals — earbuds, smartwatches, IoT sensors — frequently fall outside formal asset management and firmware update policies, despite carrying risk profiles comparable to laptops and smartphones. A vulnerability granting silent microphone access in a device worn into boardrooms, offices, and secure facilities represents a tangible surveillance threat.
Organisations in sensitive sectors should review their policies around Bluetooth accessories in secure environments and evaluate whether connected audio devices align with their threat models. The broader lesson is one of supply chain vigilance: even when a product carries a trusted brand, its security ultimately depends on every component in the stack — including third-party SDKs and chipsets that rarely receive the same scrutiny as the headline vendor's own code.
