<v62qaj$2p29$1@neodome.net>

Path: ...!weretis.net!feeder9.news.weretis.net!feeder8.news.weretis.net!news.neodome.net!.POSTED!not-for-mail
From: Charlie <charlie@nospam.com>
Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.system
Subject: Apple basic AirPods flaw puts users at a security risk CVE-2024-27867
Date: Wed, 3 Jul 2024 00:15:48 -0600
Organization: Neodome
Message-ID: <v62qaj$2p29$1@neodome.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 3 Jul 2024 06:15:48 -0000 (UTC)
Injection-Info: neodome.net; mail-complaints-to="abuse@neodome.net"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Bytes: 2872
Lines: 39

Apple Scrambles to Fix AirPods Flaw That Put Users at a Security Risk
https://www.headphonesty.com/2024/07/apple-fixes-airpods-flaw-users-risk/

Update your AirPods ASAP if you don't want to be eavesdropped on.

Apple recently faced another security challenge, prompting it to release an
urgent firmware update for AirPods and other wireless headphones. This
update addresses a severe vulnerability that allowed hackers to spoof
devices and eavesdrop on users, which was a big threat to user privacy.

The flaw, tracked as CVE-2024-27867, was discovered by security researcher
Jonas Dressler and was admitted by Apple on June 25, 2024.

It affects AirPods (2nd generation and later), AirPods Pro (all models),
AirPods Max, Powerbeats Pro, and Beats Fit Pro.

"When your headphones are seeking a connection request to one of your
previously paired devices, an attacker in Bluetooth range might be able to
spoof the intended source device and gain access to your headphones,"
according to Apple.

In other words, while reconnecting to previously paired devices, hackers
could intercept the Bluetooth signal and mimic a trusted device. This
tricks the headphones into pairing with the attacker's device instead.

Once paired, the attacker could gain full control over the headphones. So,
they can eavesdrop on any audio played through the headphones, including
private conversations. This could lead to stealing sensitive info, whether
personal, work-related, or financial.

Apple, when notified of this security hole, realized their testing was
insufficient and their coding deficient such that the basic necessary
security checks were never thought of and, as a result of Apple's
inattention, basic security tests were never implemented in AirPods.

The improved state management involves more careful checks when Bluetooth
pairing happens to make sure the device trying to connect is really one
that was approved before. This includes handling the info about previously
paired devices better so it's harder for attackers to copy the digital
signature of these devices.