Apple Scrambles to Fix AirPods Flaw That Put Users at a Security Risk

The security flaw affects all currently available AirPods models, plus the Powerbeats Pro and Beats Fit Pro.
The security flaw affects all currently available AirPods models, plus the Powerbeats Pro and Beats Fit Pro.

We independently review all our recommendations. Purchases made via our links may earn us a commission. Learn more ❯

Update your AirPods ASAP if you don’t want to be eavesdropped on.

Apple recently faced another security challenge, prompting it to release an urgent firmware update for AirPods and other wireless headphones. This update addresses a severe vulnerability that allowed hackers to spoof devices and eavesdrop on users, which was a big threat to user privacy.

Details of the AirPods Vulnerability and Patch

The flaw, tracked as CVE-2024-27867, was discovered by security researcher Jonas Dreßler and was admitted by Apple last June 25, 2024.

It affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.

“When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones.” according to Apple.

In other words, while reconnecting to previously paired devices, hackers could intercept the Bluetooth signal and mimic a trusted device. This tricks the headphones into pairing with the attacker’s device instead.

Once paired, the attacker could gain full control over the headphones. So, they can eavesdrop on any audio played through the headphones, including private conversations. This could lead to stealing sensitive info, whether personal, work-related, or financial.

To address the issue, Apple released the following firmware updates to improve the AirPods’ state management:

  • AirPods Firmware Update 6A326 for AirPods 2 & 3, AirPods Pro 1, and AirPods Max
  • AirPods Firmware Update 6F8 for AirPods Pro 2
  • Beats Firmware Update 6F8

These updates make the process of authentication of devices during pairing and reconnecting better.

The improved state management involves more careful checks when Bluetooth pairing happens to make sure the device trying to connect is really one that was approved before. This includes handling the info about previously paired devices better so it’s harder for attackers to copy the digital signature of these devices.

To use these, check out our guide on how to update your AirPods firmware.

Broader Context of Apple’s Security Issues

This update follows a series of recent security concerns for Apple.

In June 2024, the company released updates for visionOS to address 21 security issues, including seven WebKit flaws. Among these, a logic flaw could have resulted in a denial-of-service (DoS) attack when processing web content.

Security researcher Ryan Pickren, who reported the issue, called it the “world’s first spatial computing hack.”

Apple has faced other security challenges this year.

Vulnerabilities in iPhone and iPad operating systems allowed apps to access sensitive user information. Additionally, security flaws in Apple Watches could have exposed private data.

Today, Apple’s own apps continue to collect data, making it difficult for users to stop data sharing. Siri, for instance, automatically gathers data from the apps users use. This includes everything from music listening history to contact names.

In 2019, The Guardian also reported that Apple contractors had access to Siri recordings to improve dictation and Siri’s responsiveness, raising privacy and security concerns. Apple stated that the recordings represent “less than 1% of daily Siri activations, and those used are a few seconds long.”
Apple software executive Craig Federighi. (From: Apple/YouTube)
Apple software executive Craig Federighi. (From: Apple/YouTube)

Despite these incidents, privacy remains central to Apple’s brand. The company even declined an AI partnership with Meta due to concerns over its privacy practices.

“With Apple Intelligence, powerful intelligence goes hand in hand with powerful privacy.” says Apple software executive Craig Federighi at the 2024 Worldwide Developers Conference.

How Exactly Do Bluetooth Headphones Get Hacked?

Bluetooth headphones are vulnerable to hacking due to the wireless nature of their connections. Hackers can exploit these weaknesses to access devices and steal data. Here are some common ways this happens:

  • Bluesnarfing: Attackers extract personal data by exploiting Bluetooth connections.
  • Bluejacking: Hackers send unsolicited messages with malicious links through Bluetooth.
  • Bluebugging: Allows attackers to take control of devices, access sensitive information and intercept calls.
  • Bluesmacking: A denial-of-service attack that overwhelms devices with large data packets.

Here’s what you can do to keep yourself safe from Bluetooth hacking:

  • Keep Bluetooth turned off when not in use and set devices to “hidden” or “non-discoverable” mode.
  • Reject unknown pairing requests and regularly update your software to protect against this threat.
  • Use strong passwords and maintain strict security settings to defend against such attacks.
  • Avoid accepting unsolicited connections and keep your devices updated with the latest security patches.

Leave a Reply