Apple Releases Update to Fix Bluetooth Eavesdropping Vulnerability in AirPods


Apple has released a firmware update for AirPods that addresses a vulnerability potentially allowing unauthorized access to the headphones.

Identified as CVE-2024-27867, this authentication issue impacts AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.

“When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones,” Apple stated in an advisory on Tuesday.

In other words, a nearby attacker could exploit the vulnerability to eavesdrop on private conversations. Apple indicated that the issue has been fixed with improved state management.

Jonas Dreßler is credited with discovering and reporting the flaw, which has been patched in AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8.

This development comes two weeks after Apple released updates for visionOS (version 1.2) to address 21 issues, including seven flaws in the WebKit browser engine.

One of the issues, CVE-2024-27812, involves a logic flaw that could cause a denial-of-service (DoS) when processing web content. Apple resolved this problem with improved file handling.

Security researcher Ryan Pickren, who reported the vulnerability, described it as the “world’s first spatial computing hack” capable of bypassing all warnings and filling a room with an arbitrary number of animated 3D objects without user interaction.

The vulnerability stems from Apple’s failure to enforce the permissions model when the ARKit Quick Look feature is used to spawn 3D objects in a victim’s room. Moreover, these animated objects persist even after the user exits Safari, as they are managed by a separate application.

“Furthermore, it does not even require this anchor tag to have been ‘clicked’ by the human,” Pickren explained. “So programmatic JavaScript clicking (i.e., document.querySelector('a').click()) works no problem! This means that we can launch an arbitrary number of 3D, animated, sound-creating objects without any user interaction whatsoever.”