June 29th, 2024

AirPods fast connect security vulnerability

A security flaw (CVE-2024-27867) in Apple AirPods firmware allows unauthorized access via Bluetooth MAC address. Firmware updates released for affected models. Users with non-Apple devices may encounter difficulties updating.


A security vulnerability (CVE-2024-27867) has been identified in the firmware of Apple AirPods: anyone who knows the right Bluetooth MAC address can connect to the headphones and then use the microphone or play audio into them. The flaw lies in the Fast Connect feature, Apple's shortened connection handshake. The authentication step can be skipped during that handshake, so the headphones accept a peer on the strength of its MAC address alone, and a MAC address is an identifier, not a secret; it is visible over the air and trivially spoofable. Apple has released firmware updates for AirPods 2, 3, Pro, Pro 2, Max, and some Beats headphones. Users who pair their AirPods only with non-Apple devices such as Android phones may find it hard to get the fix, because AirPods update their firmware automatically and only while used with an iOS or macOS device. Check that the installed firmware is current to mitigate the risk of exploitation. The discovery was a collaborative effort; the author extends special thanks to Jiska Classen of the University of Potsdam and to the Linux community for their support in addressing the issue.
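To make the security point concrete, here is a constructed toy model, added for this page and not code from the original article or from Apple. It is not the real Fast Connect protocol: the message names, the state kept by the headset, and the HMAC challenge-response used as the authentication step are all assumptions. What it shows is the class of bug: a four-message handshake in which the last step, opening the audio channels, is gated only on a paired MAC address (vulnerable) versus gated on proof of the link key established at pairing (fixed).

```python
"""Toy "fast connect" handshake: paired-MAC check only vs. link-key proof.

Constructed example for this page. The protocol, state names and the HMAC
challenge-response are assumptions, not Apple's Fast Connect design.
"""
import hashlib
import hmac
import secrets

PAIRED_MAC = "aa:bb:cc:dd:ee:ff"      # constructed: MAC of the legitimate phone
LINK_KEY = secrets.token_bytes(16)     # constructed: secret agreed at pairing time


class Headset:
    def __init__(self, paired_mac, link_key, require_auth):
        self.paired = {paired_mac: link_key}   # devices this headset was paired with
        self.require_auth = require_auth       # False models the vulnerable firmware
        self.nonce = None
        self.connected_to = None

    # Messages 1 and 2: the peer announces itself, the headset answers with a
    # fresh challenge. Unknown MACs are refused in both versions.
    def hello(self, peer_mac):
        if peer_mac not in self.paired:
            return None
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    # Messages 3 and 4: the peer asks to open the audio channels. The fixed
    # version demands an HMAC over the challenge keyed with the link key;
    # the vulnerable version accepts any peer that passed the MAC check.
    def connect(self, peer_mac, proof=None):
        if peer_mac not in self.paired or self.nonce is None:
            return False
        nonce, self.nonce = self.nonce, None       # challenge is single-use
        if self.require_auth:
            expected = hmac.new(self.paired[peer_mac], nonce, hashlib.sha256).digest()
            if proof is None or not hmac.compare_digest(proof, expected):
                return False                       # no proof of the link key
        self.connected_to = peer_mac               # mic and audio now available
        return True


def legit_phone(headset, mac, link_key):
    """The real paired device: it holds the link key and can answer the challenge."""
    nonce = headset.hello(mac)
    proof = hmac.new(link_key, nonce, hashlib.sha256).digest()
    return headset.connect(mac, proof)


def attacker(headset, victim_mac):
    """Knows the victim phone's MAC (observable over the air) but not the link key,
    so it simply skips the authentication step."""
    nonce = headset.hello(victim_mac)
    if nonce is None:
        return False
    return headset.connect(victim_mac)


def run(require_auth):
    """Drive both peers against a headset and report who got in."""
    hs = Headset(PAIRED_MAC, LINK_KEY, require_auth)
    legit_ok = legit_phone(hs, PAIRED_MAC, LINK_KEY)
    attacker_ok = attacker(hs, PAIRED_MAC)      # spoofs the paired phone's MAC
    stranger_ok = attacker(hs, "00:11:22:33:44:55")   # constructed: unpaired MAC
    return {"legit": legit_ok, "attacker": attacker_ok, "stranger": stranger_ok}


if __name__ == "__main__":
    print("vulnerable:", run(require_auth=False))
    print("fixed:     ", run(require_auth=True))
```

Note that in the vulnerable run the attacker's successful `connect` overwrites `connected_to`, which matches the observation in the comments below that a hijack displaces the existing connection rather than silently eavesdropping on it. The fix does not touch the MAC check at all; it adds the missing requirement that the peer prove possession of the pairing secret before the channels open.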

Related

A buffer overflow in the XNU kernel

CVE-2024-27815 is a buffer overflow bug in XNU kernel affecting macOS, iOS, and visionOS. Apple swiftly released xnu-10063.121.3 to fix the issue, impacting kernels with CONFIG_MBUF_MCACHE. The bug allows attackers to trigger a crash by copying data beyond allocated space.

Spending 3 months investigating a 7-year old bug and fixing it in 1 line of code

A developer fixed a seven-year-old bug in an iPad accessory causing missed MIDI messages by optimizing a modulo operation. The bug's resolution improved the audio processor's efficiency significantly.

The First Spatial Computing Hack

Ryan Pickren found a Safari bug letting websites flood a user's space with 3D objects. Apple fixed it (CVE-2024-27812) in June after Ryan's report. The bug abused Apple's ARKit Quick Look, launching objects without user consent.

Vulnerability in Popular PC and Server Firmware

Eclypsium found a critical vulnerability (CVE-2024-0762) in Phoenix SecureCore UEFI firmware used on Intel Core platforms, potentially enabling privilege escalation and persistent attacks. Lenovo issued BIOS updates, underscoring the importance of supply chain security.

Apple admits its AirPods had a security problem

Apple addressed security vulnerabilities in AirPods and Beats Fit Pro headphones, preventing hackers from pairing devices with the wrong source. The company released updates to enhance customer protection, emphasizing privacy. Apple prioritizes privacy in its products, like Apple Intelligence, and declined AI collaborations with Meta over privacy concerns.

15 comments
By @jessriedel - 5 months
> Its main purpose seems to be reducing the time it takes to establish a connection between two Apple devices from roughly 1 second down to about 0.5 seconds.

> With this trick, they can establish that both devices are speaking the Fast Connect protocol without violating the Bluetooth specification, and then go on to exchange 3 more back-and-forth messages, negotiating all the things necessary to fully connect the two devices.

> The fact that this only takes 4 messages back-and-forth in total is what makes Fast Connect fancy, because usually in Bluetooth the phase of wiring up the individual channels for a connection is quite a complex negotiation and involves sending various SDP descriptors that describe which protocols/features both sides support.

Two devices in the same room communicating over even a very narrow slice of the electromagnetic spectrum could exchange many thousands of messages per second. What is it about Bluetooth that causes each message to take a hundred milliseconds rather than, say, a microsecond? What is setting the timescale for this process?

By @rock_artist - 5 months
> That’s because AirPods auto-update their firmware by themselves, but only when they’re used together with an iPhone or MacBook, so Android users have no easy way to update their firmware.

From what I remember, the advantage of the affected Beats devices, which also use the same chip, is that they can actually be updated from the Beats app on Android.

By @worstspotgain - 5 months
The Apple Support link given in the article is for what looks like the Indian version. Here's the US version:

https://support.apple.com/en-us/106340

The US version shows different version numbers for the latest firmware, e.g. for the AirPods Pro 2nd Gen it's 6F8, while in India it's 6B34.

By @a1o - 5 months
Very nice write-up

> ... see if I could get all the functionality working on Linux as well. ... I’ll talk about the specifics in another blog post ...

I am super curious to read when you do write-up about implementation of this functionality in Linux! Thanks for that and I will refresh the blog until that is written :)

By @sebazzz - 5 months
So my AirPods 2 have an outdated firmware version, but as a user I can't explicitly have iOS update the firmware, and there is no indication when an update happens. I wish I had more control.

By @schrodinger - 5 months
Obviously any vulnerability is bad, but I'm trying to understand just how bad this one is. What "scary" things could an attacker do?

It doesn't sound like they could listen in on a phone call you're having without your knowledge, or even an audio stream, since it breaks the original connection, right? So is the worst they could do is come within a pretty short distance of you, scan for your mac address, and the auto-connect and play some noise into your ears? Or is there more?

I suppose you could do something like take over the airpods of a high-level celebrity or politician while they're on a video call, that could be bad (but caught instantly). Anything worse?

By @zeroz - 5 months
Settings > Bluetooth > Your AirPods (click on [i]) shows the version, even if AirPods are not actively connected.

6A326 seems to be the version including the fix.

https://support.apple.com/en-us/HT214111

By @StrLght - 5 months
I understand that chances are pretty slim but I still hope that this will make Apple do something regarding AirPods updates on other OSes or at least on Android.

By @diebeforei485 - 5 months
There is no manual update option. Auto-update is the only way to update, and it's unclear how to cajole it to auto-update.

By @bagels - 5 months
One more advantage of wired headphones in addition to them not running out of batteries.

By @hsbauauvhabzb - 5 months
I’ve got numerous gripes with AirPods under Linux - range doesn’t seem as good as my phone (I’ve tried multiple dongles etc), I wasn’t aware that you could connect to two devices but now I want that, when the microphone is enabled audio sounds absolutely trash. Oddly enough, the connect speed annoyed me but not as much as the other issues.

Are there any alternative headphones that solve all three of these well? I just want a headset that works.

By @cjk2 - 5 months
I didn't even know about this vulnerability and mine are updated. Just how I like things.

By @nubinetwork - 5 months
> Its main purpose seems to be reducing the time it takes to establish a connection between two Apple devices from roughly 1 second down to about 0.5 seconds

Oh no, I'll never get that 0.5 seconds back... /s

By @resource_waste - 5 months
Hard to think of a company with as poor security as Apple. No one else hits the headlines as much and creates so much real world consequences.