Apple has unveiled a firmware update for AirPods that could enable a malicious actor to achieve access to the headphones in an unauthorized manner.
Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd era and later), AirPods Pro (all designs), AirPods Max, Powerbeats Pro, and Beats Suit Pro.
“When your headphones are in search of a relationship ask for to a single of your beforehand paired products, an attacker in Bluetooth variety may well be ready to spoof the meant resource unit and attain obtain to your headphones,” Apple mentioned in a Tuesday advisory.
In other text, an adversary in bodily proximity could exploit the vulnerability to eavesdrop on non-public discussions. Apple mentioned the issue has been resolved with enhanced state administration.
Jonas Dreßler has been credited with getting and reporting the flaw. It has been patched as aspect of AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8.
The growth arrives two weeks following the iPhone maker rolled out updates for visionOS (edition 1.2) to close out 21 shortcomings, including 7 flaws in the WebKit browser engine.
One particular of the issues pertains to a logic flaw (CVE-2024-27812) that could result in a denial-of-services (DoS) when processing web content. The dilemma has been set with improved file dealing with, it said.
Security researcher Ryan Pickren, who noted the vulnerability, explained it as the “world’s 1st spatial computing hack” that could be weaponized to “bypass all warnings and forcefully fill your place with an arbitrary quantity of animated 3D objects” sans consumer interaction.
The vulnerability normally takes edge of Apple’s failure to utilize the permissions model when using the ARKit Rapid Look function to spawn 3D objects in a victim’s space. Producing matters even worse, these animated objects continue on to persist even just after exiting Safari as they are managed by a individual software.
“Moreover, it does not even need this anchor tag to have been ‘clicked’ by the human,” Pickren stated. “So programmatic JavaScript clicking (i.e., doc.querySelector(‘a’).click()) works no trouble! This usually means that we can launch an arbitrary selection of 3D, animated, audio-generating, objects without the need of any consumer conversation in anyway.”
Identified this post appealing? Follow us on Twitter and LinkedIn to study a lot more unique content material we publish.
Some parts of this article are sourced from:
thehackernews.com