HQ/EMEAFind out how we can help your business
Apple has published a firmware patch for AirPods that malicious entities could exploit to acquire unauthorised access to the accessory.
The authentication vulnerability, CVE-2024-27867, affects the 2nd generation and newer AirPods, such as AirPods Pro (all models), AirPods Max, Beats Fit Pro, and Powerbeats Pro.
Apple issued an advisory earlier this week stating that when headphones attempt to connect to one of your previously paired devices, an attacker in Bluetooth range may be able to spoof the intended source device and obtain access to the headphones.
A malicious entity in close proximity may use the flaw to execute unauthorised access, such as eavesdropping on private calls using the AirPods. Moreover, Apple revealed that they resolved the vulnerability through enhanced state management.
The patch for the AirPods vulnerability is included in the latest iOS firmware update, which also contains various bug fixes.
The latest release addresses the AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8. This development comes weeks after the iPhone manufacturing company released upgrades for visionOS (version 1.2) to address 21 problems, including seven bugs in the WebKit browser.
One of the flaws is a logic defect tracked by researchers as CVE-2024-27812 that could cause a denial-of-service (DoS) when processing online traffic. It stated that the issue had been fixed with enhanced file handling.
On the other hand, a separate security researcher who discovered the flaw described it as the pioneer for the spatial computing hack that could circumvent all warnings and forcefully fill a targeted infrastructure with an arbitrary number of animated 3D objects without user interaction.
The alleged issue abuses Apple’s failure to use the permissions model while utilising the ARKit Quick Look function to create 3D objects in a victim’s room. Furthermore, these animated items stay within the app even when a user closes Safari because a distinct application handles them.
The researcher also stated that a human does not have to click this anchor tag, so programmatic JavaScript clicking can still work. Therefore, an actor can launch an infinite number of 3D, animated, sound-producing objects without requiring human intervention.
Users who still have not employed the latest firmware update should start doing so to avoid unauthorised individuals connecting to private communications.
