Apple Fixes AirPods Bluetooth Security Flaw Allowing Unauthorized Access

June 26, 2024

Apple has issued a firmware update to address a security flaw in its AirPods that could allow an attacker to gain unauthorized access to the headphones. The vulnerability, tracked as CVE-2024-27867, affects AirPods (2nd generation and later), all models of AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro.

Apple detailed the vulnerability in a recent advisory, stating, "When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones." In practice, an attacker in physical proximity could exploit the flaw to eavesdrop on private conversations. Apple has fixed the issue with enhanced state management.

The flaw was identified and reported by Jonas Dreßler and has been resolved in AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8. The fix comes two weeks after an Apple update that addressed 21 vulnerabilities in visionOS (version 1.2), including seven flaws in the WebKit browser engine.

One of these flaws, a logic error tracked as CVE-2024-27812, could trigger a denial-of-service (DoS) when processing web content. This issue has been resolved with better file handling. Security researcher Ryan Pickren, who brought attention to the vulnerability, labeled it as the "world's first spatial computing hack" that could be exploited to "bypass all warnings and forcefully fill your room with an arbitrary number of animated 3D objects" without any user interaction.

The vulnerability takes advantage of Apple's failure to apply the permissions model when the ARKit Quick Look feature is used to generate 3D objects in a victim's room. Compounding the problem, these animated objects persist even after exiting Safari, as they are managed by a separate application. Pickren further explained, "So programmatic JavaScript clicking (i.e., document.querySelector('a').click()) works no problem! This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever."
