Apple has released a crucial firmware update addressing a vulnerability in AirPods that could allow unauthorized access and potential eavesdropping. The flaw, tracked as CVE-2024-27867, affects multiple models including AirPods (2nd generation and later), AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro. When the headphones are seeking a connection request to a previously paired device, an attacker within Bluetooth range could spoof the intended source device and gain access to the headphones. This issue has been resolved with improved state management in the latest firmware updates.
The vulnerability was discovered by Jonas Dreßler and has been patched in AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8. This update follows Apple’s recent release of visionOS updates to address various security flaws, including a significant logic flaw (CVE-2024-27812) that could result in denial-of-service attacks through web content. Security researcher Ryan Pickren highlighted the severity of these issues, demonstrating how they could be exploited to bypass warnings and manipulate 3D objects in a user’s environment without interaction.