Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorized manner.
Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.
“When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones,” Apple said in a Tuesday advisory.
In other words, an adversary in physical proximity could exploit the vulnerability to eavesdrop on private conversations. Apple said the issue has been addressed with improved state management.
Jonas Dreßler has been credited with discovering and reporting the flaw. It has been patched as part of AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8.
The development comes two weeks after the iPhone maker rolled out updates for visionOS (version 1.2) to close out 21 shortcomings, including seven flaws in the WebKit browser engine.
One of the issues pertains to a logic flaw (CVE-2024-27812) that could result in a denial-of-service (DoS) when processing web content. The problem has been fixed with improved file handling, it said.
Security researcher Ryan Pickren, who reported the vulnerability, described it as the “world’s first spatial computing hack” that could be weaponized to “bypass all warnings and forcefully fill your room with an arbitrary number of animated 3D objects” sans user interaction.
The vulnerability takes advantage of Apple’s failure to apply the permissions model when using the ARKit Quick Look feature to spawn 3D objects in a victim’s room. Making matters worse, these animated objects continue to persist even after exiting Safari as they are handled by a separate application.
“Furthermore, it does not even require this anchor tag to have been ‘clicked’ by the human,” Pickren said. “So programmatic JavaScript clicking (i.e., document.querySelector(‘a’).click()) works no problem! This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever.”
