Update your AirPods ASAP if you don’t want to be eavesdropped on.
Apple recently faced another security challenge, prompting it to release an urgent firmware update for AirPods and other wireless headphones. This update addresses a severe vulnerability that allowed hackers to spoof devices and eavesdrop on users, which was a big threat to user privacy.
Details of the AirPods Vulnerability and Patch
The flaw, tracked as CVE-2024-27867, was discovered by security researcher Jonas Dreßler and was acknowledged by Apple on June 25, 2024.
It affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.
While the headphones are reconnecting to a previously paired device, hackers could intercept the Bluetooth signal and mimic a trusted device. This tricks the headphones into pairing with the attacker’s device instead.
Once paired, the attacker could gain full control over the headphones. So, they can eavesdrop on any audio played through the headphones, including private conversations. This could lead to stealing sensitive info, whether personal, work-related, or financial.
To address the issue, Apple released the following firmware updates to improve the AirPods’ state management:
- AirPods Firmware Update 6A326 for AirPods 2 & 3, AirPods Pro 1, and AirPods Max
- AirPods Firmware Update 6F8 for AirPods Pro 2
- Beats Firmware Update 6F8
These updates improve how devices are authenticated during pairing and reconnection.
The improved state management involves more careful checks when Bluetooth pairing happens to make sure the device trying to connect is really one that was approved before. This includes handling the info about previously paired devices better so it’s harder for attackers to copy the digital signature of these devices.
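As an added example (not Apple's tooling and not part of the original article), the Python sketch below checks a list of headphones against the fixed firmware builds listed above. It assumes build strings order by major number, then letter, then numeric build, and the inventory rows are constructed sample data.

```python
import re

# Minimum fixed builds, taken from the firmware list in the article.
FIXED_BUILDS = {
    "AirPods 2": "6A326", "AirPods 3": "6A326",
    "AirPods Pro 1": "6A326", "AirPods Max": "6A326",
    "AirPods Pro 2": "6F8",
    "Powerbeats Pro": "6F8", "Beats Fit Pro": "6F8",
}
BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)([a-z]?)$")

def parse_build(build):
    """Split '6A326' into a sortable tuple (6, 'A', 326, '')."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    major, letter, number, suffix = m.groups()
    return (int(major), letter, int(number), suffix)

def is_patched(model, build):
    """True/False against the fixed build; None if the model is not listed."""
    fixed = FIXED_BUILDS.get(model)
    if fixed is None:
        return None
    # Tuple comparison avoids the string-compare trap where '6A99' > '6A326'.
    return parse_build(build) >= parse_build(fixed)

def audit(inventory):
    """Return (model, build, status) rows for (model, build) pairs."""
    labels = {True: "patched", False: "UPDATE NEEDED", None: "unknown model"}
    rows = []
    for model, build in inventory:
        try:
            status = labels[is_patched(model, build)]
        except ValueError:
            status = "unparseable"
        rows.append((model, build, status))
    return rows

# Constructed sample inventory (not real device data).
SAMPLE = [
    ("AirPods Pro 2", "6A305"),
    ("AirPods Pro 2", "6F8"),
    ("AirPods Max", "6A326"),
    ("AirPods 3", "5E135"),
    ("AirPods 3", "n/a"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```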
Broader Context of Apple’s Security Issues
This update follows a series of recent security concerns for Apple.
In June 2024, the company released updates for visionOS to address 21 security issues, including seven WebKit flaws. Among these, a logic flaw could have resulted in a denial-of-service (DoS) attack when processing web content.
Apple has faced other security challenges this year.
Vulnerabilities in iPhone and iPad operating systems allowed apps to access sensitive user information. Additionally, security flaws in Apple Watches could have exposed private data.
Today, Apple’s own apps continue to collect data, making it difficult for users to stop data sharing. Siri, for instance, automatically gathers data from the apps users use. This includes everything from music listening history to contact names.
Despite these incidents, privacy remains central to Apple’s brand. The company even declined an AI partnership with Meta due to concerns over its privacy practices.
How Exactly Do Bluetooth Headphones Get Hacked?
Bluetooth headphones are vulnerable to hacking due to the wireless nature of their connections. Hackers can exploit these weaknesses to access devices and steal data. Here are some common ways this happens:
- Bluesnarfing: Attackers extract personal data by exploiting Bluetooth connections.
- Bluejacking: Hackers send unsolicited messages with malicious links through Bluetooth.
- Bluebugging: Allows attackers to take control of devices, access sensitive information and intercept calls.
- Bluesmacking: A denial-of-service attack that overwhelms devices with large data packets.
Here’s what you can do to keep yourself safe from Bluetooth hacking:
- Keep Bluetooth turned off when not in use and set devices to “hidden” or “non-discoverable” mode.
- Reject unknown pairing requests and regularly update your software to protect against this threat.
- Use strong passwords and maintain strict security settings to defend against such attacks.
- Avoid accepting unsolicited connections and keep your devices updated with the latest security patches.