CVE-2024-27867 Overview
CVE-2024-27867 is an authentication bypass vulnerability affecting Apple AirPods, AirPods Pro, AirPods Max, Beats Fit Pro, and Powerbeats wireless audio devices. The vulnerability stems from improper state management in the Bluetooth authentication process, allowing an attacker within Bluetooth range to spoof a previously paired device and gain unauthorized access to the target headphones.
When affected headphones are actively seeking a connection request to one of the user's previously paired devices, an attacker positioned within Bluetooth range can impersonate the legitimate source device. This exploitation allows the attacker to establish an unauthorized connection, potentially enabling eavesdropping on audio communications or injecting audio content.
Critical Impact
Attackers within Bluetooth range can spoof trusted devices and gain unauthorized access to Apple wireless headphones during the connection handshake phase, potentially compromising audio communications and privacy.
Affected Products
- Apple AirPods (2nd generation and later) with firmware prior to 6A326
- Apple AirPods Pro (all models) with firmware prior to 6A326/6F8
- Apple AirPods Max with firmware prior to 6A326/6F8
- Apple Beats Fit Pro with firmware prior to 6F8
- Apple Powerbeats Pro with firmware prior to 6F8
Discovery Timeline
- 2024-06-26 - CVE-2024-27867 published to NVD
- 2024-12-10 - Last updated in NVD database
Technical Details for CVE-2024-27867
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) exists in the Bluetooth pairing and reconnection logic of Apple's wireless audio device firmware. The flaw allows an attacker to exploit the device during the window when headphones are actively seeking connections to previously paired devices.
The attack requires physical proximity to the target device, as Bluetooth operates within a typical range of approximately 10 meters (33 feet), though this can extend further with specialized equipment. The attack can be conducted without any user interaction and does not require prior authentication, making it particularly concerning for users in public spaces or shared environments.
The vulnerability enables unauthorized information disclosure, as attackers could potentially monitor audio streams or microphone data being transmitted through the compromised connection. While the immediate impact is limited to confidentiality concerns, the nature of audio devices means sensitive conversations could be intercepted.
Root Cause
The root cause of CVE-2024-27867 lies in inadequate state management within the Bluetooth authentication mechanism. During the connection establishment phase, the firmware fails to properly validate and verify the identity of devices claiming to be previously paired. This allows an attacker to craft spoofed connection requests that mimic legitimate trusted devices.
The vulnerability specifically manifests when the headphones transition from an idle state to actively seeking a connection with known devices. During this state transition, the authentication checks can be bypassed by presenting crafted Bluetooth identifiers that match those of legitimate paired devices.
Attack Vector
The attack exploits the adjacent network (Bluetooth) attack vector, requiring the attacker to be within wireless range of the target device. The attack flow proceeds as follows:
- The attacker identifies target AirPods or Beats headphones in pairing/connection mode
- The attacker monitors Bluetooth traffic to identify the MAC addresses and identifiers of previously paired devices
- The attacker spoofs the identity of a trusted paired device by crafting malicious Bluetooth packets
- The headphones accept the spoofed connection request due to improper state validation
- The attacker gains unauthorized access to the audio device, potentially enabling eavesdropping or audio injection
The attack requires no user interaction and can be performed silently without alerting the victim. Tools for Bluetooth packet capture and spoofing are readily available, lowering the technical barrier for exploitation.
Detection Methods for CVE-2024-27867
Indicators of Compromise
- Unexpected or unauthorized Bluetooth connections appearing in paired device lists
- Audio interruptions or unexplained disconnections from legitimate paired devices
- Reports of hearing unexpected audio or experiencing microphone activation without user initiation
- Multiple rapid connection/disconnection events in Bluetooth logs
Detection Strategies
- Monitor enterprise mobile device management (MDM) solutions for firmware version compliance on Apple audio accessories
- Implement Bluetooth traffic analysis in high-security environments to detect spoofing attempts
- Establish baseline Bluetooth connection patterns and alert on anomalous behavior
- Deploy network-level Bluetooth monitoring in sensitive facilities to detect rogue device activity
Monitoring Recommendations
- Enable automatic firmware updates for all Apple audio accessories through connected iOS/macOS devices
- Conduct regular audits of paired Bluetooth devices on user equipment to identify unauthorized pairings
- Implement security awareness training regarding the risks of using wireless audio devices in sensitive environments
- Consider deploying Bluetooth intrusion detection systems in high-security areas
How to Mitigate CVE-2024-27867
Immediate Actions Required
- Update AirPods (2nd generation and later) to firmware version 6A326 or later
- Update AirPods Pro (all models) to firmware version 6A326 or 6F8
- Update AirPods Max to firmware version 6A326 or 6F8
- Update Beats Fit Pro and Powerbeats Pro to firmware version 6F8
- Verify firmware versions through iOS Settings > Bluetooth > [Device] > About
Patch Information
Apple has released firmware updates to address this vulnerability with improved state management in the Bluetooth authentication process. The patches are available through the following firmware versions:
- AirPods Firmware Update 6A326 - For AirPods 2nd generation and later
- AirPods Firmware Update 6F8 - For AirPods Pro and AirPods Max
- Beats Firmware Update 6F8 - For Beats Fit Pro and Powerbeats Pro
Firmware updates are delivered automatically when the audio devices are connected to an iOS or macOS device with an internet connection. Users can verify the current firmware version and manually trigger updates by placing the devices in their charging case near the paired iPhone or iPad. For detailed update instructions, refer to the Apple Support Article.
Workarounds
- Disable Bluetooth on paired devices when in untrusted environments to prevent automatic connection attempts
- Keep AirPods/Beats in their charging case when not in active use to prevent unauthorized pairing attempts
- Remove unknown or suspicious devices from the Bluetooth paired devices list regularly
- Avoid using vulnerable audio devices for sensitive communications until firmware updates are applied
- Consider using wired audio alternatives in high-security environments until patching is complete
# Verify AirPods/Beats firmware version on macOS
# Open System Settings > Bluetooth > Click (i) next to device name
# Or use System Information
system_profiler SPBluetoothDataType | grep -A 10 "AirPods\|Beats"
# On iOS: Settings > Bluetooth > Tap (i) next to device > About
# Ensure firmware version is 6A326 or 6F8 depending on device model
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
