
AirPods fast connect security vulnerability

schrodinger
24 replies
19h36m

Obviously any vulnerability is bad, but I'm trying to understand just how bad this one is. What "scary" things could an attacker do?

It doesn't sound like they could listen in on a phone call you're having without your knowledge, or even an audio stream, since it breaks the original connection, right? So is the worst they could do to come within a pretty short distance of you, scan for your MAC address, auto-connect and play some noise into your ears? Or is there more?

I suppose you could do something like take over the airpods of a high-level celebrity or politician while they're on a video call, that could be bad (but caught instantly). Anything worse?

etbebl
18 replies
19h29m

A lot of people wear airpods around even if they're not actively using them, right? So if that's the case, you could use the microphone to eavesdrop on an in-person conversation. Although since it has to be within Bluetooth range, might be easier to just eavesdrop normally.

anamexis
10 replies
19h12m

> A lot of people wear airpods around even if they're not actively using them, right?

Do they?

cozzyd
4 replies
17h1m

Yes they do, and they look as ridiculous as you think

KawaiiCyborg
3 replies
7h23m

How would you as an observer tell if somebody is using their AirPods to listen to music or whether they're just in their ears for noise cancellation and thus "look ridiculous"?

sambazi
2 replies
3h28m

that's the point: I can't tell and that is unsettling

KawaiiCyborg
1 replies
3h16m

I don't understand why yet. Why is it important to you to know whether someone is listening to music or not? Why do you need to be able to tell at all?

recursive
0 replies
2h47m

It indicates whether you would be interrupting if you tried to talk to them.

stirlo
3 replies
19h11m

Yes. They’re easy to just leave in your ears and go about your day

cpuguy83
2 replies
18h46m

Especially with the loud noise suppression.

charrondev
1 replies
16h21m

For me it’s the opposite. They have a “transparency” feature that lets through ambient noise.

I often wear one set to transparency when I’m alone and have a podcast going or something. Ideal for something like a grocery store but still leaves me with full awareness. They also detect if I start speaking and automatically pause whatever is playing.

dagmx
0 replies
3h51m

Loud noise suppression works with transparency mode. You might be thinking of the similarly named noise cancellation mode which works opposite to transparency.

Loud noise suppression does a temporary switchover when a loud noise happens to try and protect your hearing.

crazygringo
0 replies
14h36m

Depends on what is meant by "not actively using them".

I use mine in noise-cancelling mode all the time, without music/podcasts/anything. But the noise-cancelling is definitely active.

Always when I'm in the subway, along busy streets full of honking and emergency vehicles, and so forth.

Makes urban life much more tolerable.

Brajeshwar
6 replies
15h1m

This is a weird behavior and it seems people, these days, consider this normal! I usually stop talking if someone wears a headphone and give them the opportunity to finish listening to whatever they are listening to. How does one talk to someone whose ears are blocked by plugged-in headphones (even if they are passive, which I won't know)?

I believe it is a courtesy to remove one's headphone when talking to another person.

SoftTalker
2 replies
13h37m

Same. If I see someone has earphone/airpods in I don't speak to them. I'll indicate with gestures "take your earphones out" if they are trying to talk to me.

kortilla
1 replies
11h37m

Why would you do that if they are actively talking to you? You know some people use them to hear better, right?

sambazi
0 replies
3h30m

some do, most don't.

wearing headphones gives way to the assumption that the person is listening to something other than their surroundings; their talking is probably directed at someone on the phone.

hearing aids can be used as headphones as well, but generally aren't.

jan_Inkepa
0 replies
7h13m

I was careful to not bother a friend's father at a gathering because he seemed to be listening to something on his AirPods. Only after did my friend let me know he uses them in hearing aid mode (didn't know that was a thing!) to hear better. (Father won't admit he needs hearing aids, but is happy to use AirPods to assist.)

danielheath
0 replies
12h35m

Personally, I can't filter out background noise properly.

This means I can understand a conversation _much_ more clearly if I'm wearing active noise cancelling headphones. Yes, it makes _you_ quieter, but it also means I'm not trying to pick out your speech from complicated background noises.

alwillis
0 replies
2h37m

> I believe it is a courtesy to remove one's headphone when talking to another person.

Social norms change over time; expecting someone to remove headphones will become less of a thing in day to day life.

AirPods Pro 2nd generation supports the Conversation Awareness feature that lowers the volume of what the person is listening to and raises the volume of the person speaking automatically when it's enabled.

Apple is expected to be approved by the FDA for some uses as a hearing aid [1] and they have patents for adding medical monitoring in future AirPods [2].

So when we're talking to someone wearing AirPods as times goes on, we won't know if they actually need the AirPods to assist them in being able to function in the world.

[1]: https://arstechnica.com/gadgets/2024/03/apples-airpods-pro-c...

[2]: https://applemagazine.com/apple-patents-suggest-future-airpo...

withinboredom
2 replies
12h30m

Worst case, someone could create a device they drop in your bag that records everything from your headphones. Maybe even in the shape of a USB drive or something. I believe the "fast connect" protocol allows you to be "connected" to more than one device at a time, so you likely wouldn't even notice. Another attack would be to set "coffee coasters" around an office as a janitor, that snagged audio from any nearby pods.

Essentially, you basically have the hard part done for any bugs, you just need to build a device with a little battery, a BT transmitter, and storage; then you've got high quality audio near where anyone is speaking.

tlb
1 replies
9h44m

They could also just drop a device with a microphone in your bag and listen to both sides of every conversation. Involving bluetooth seems like an extra complication.

withinboredom
0 replies
7h39m

Microphones in a bag don’t have great pickup and are obvious once found. Something electronic? Everyone has that laying around.

swatcoder
0 replies
18h17m

Obvious ones are that an attacker could play a damagingly loud noise, could eavesdrop on your in-person environment if you're wearing the AirPods without using them, as many do, or could masquerade as a caller without actually using a call service or leaving call records.

It also provides a straightforward avenue for further chains of exploit, if some were known to the attacker, since taking over the bluetooth connection represents a pretty wide channel of opportunity.

Gigachad
0 replies
19h31m

Realistically the worst thing is just being annoying. If it was left unpatched, someone would make an airpod jammer app for the flipper zero and cause annoyance in public places killing the audio on everyone's airpods.

jessriedel
13 replies
16h41m

> Its main purpose seems to be reducing the time it takes to establish a connection between two Apple devices from roughly 1 second down to about 0.5 seconds.

> With this trick, they can establish that both devices are speaking the Fast Connect protocol without violating the Bluetooth specification, and then go on to exchange 3 more back-and-forth messages, negotiating all the things necessary to fully connect the two devices.

> The fact that this only takes 4 messages back-and-forth in total is what makes Fast Connect fancy, because usually in Bluetooth the phase of wiring up the individual channels for a connection is quite a complex negotiation and involves sending various SDP descriptors that describe which protocols/features both sides support.

Two devices in the same room communicating over even a very narrow slice of the electromagnetic spectrum could exchange many thousands of messages per second. What is it about Bluetooth that causes each message to take a hundred milliseconds rather than, say, a microsecond? What is setting the timescale for this process?

vlovich123
12 replies
16h21m

Not sure if that’s the case here but typically it’s a combination of:

* How frequently the advertising device is sending out a beacon (for WiFi the typical beacon is every 100ms which should be similar for BT but it’s been a while since I worked on either)

* there may be multiple advertising channels (I think BT smartly picked 1 or a very small number but annoyingly WiFi didn’t restrict the channel the beacon could be sent on which is a disaster for 5ghz since there’s so many - not sure if they fixed it in 6ghz)

* for back compat, the beacon is sent at the slowest speed of the protocol as is the handshake. So for example your 600mbps WiFi channel actually beacons and does the handshake at 10mbps (or whatever the negotiation speed is specified to be) because you need to start at the minimum speed to negotiate the higher speed while retaining back compat. Similar thing happens with USB3.0 which does a USB1 initial handshake.

* noise in the environment can cause PHY retransmissions to be needed.

So basically PHY handshaking to determine what capability exists on both sides to know which PHY protocol to talk to each other.

ricw
6 replies
14h26m

All of this above. The biggest contributing factor though is that the radio will be off for 99% or more of the time when not actively sending, in order to save energy. This means you also need to wait for that <1% beacon/listening window to connect. And it’s not unlikely that you get interference / a bad transmission just at that time, so double or triple the wait time.

Or in short: It’s caused by saving energy and interference.

jessriedel
1 replies
4h7m

You can have a device listening only 1% of the time while only waiting a millisecond. Just listen for 10 microseconds and energy-save for 1 millisecond. Why aren’t they doing that?

brookst
0 replies
3h38m

Probably back to the lowest common denominator of speed.

128 bytes at Bluetooth 1’s 1mbit speed is 1ms.
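The beacon-interval, duty-cycle and packet-loss arguments in this subthread, as a small Monte Carlo added for this page (not code from the article or from Apple): it estimates time-to-discovery for a few constructed advertiser/scanner settings, including brookst's 128 bytes at 1 Mbit/s and the 10 µs listening window proposed above. All interval, window and loss values are assumptions chosen to illustrate the argument, not Bluetooth specification defaults.

```python
import random
import statistics


def packet_airtime_s(payload_bytes: int, bitrate_bps: float) -> float:
    """Seconds a packet occupies the air: bits / bit rate (128 B at 1 Mbit/s ~= 1 ms)."""
    return payload_bytes * 8 / bitrate_bps


def time_to_discovery(adv_interval_s, adv_jitter_s, scan_window_s, scan_interval_s,
                      airtime_s, loss_prob, rng, max_time_s=60.0):
    """One trial: seconds until a beacon lands wholly inside a listening window and
    survives the channel. Returns None if that never happens before max_time_s.
    The scanner listens for scan_window_s at the start of every scan_interval_s."""
    always_listening = scan_window_s >= scan_interval_s
    if not always_listening and airtime_s > scan_window_s:
        return None                        # the packet can never fit inside the window
    t = rng.uniform(0.0, adv_interval_s)   # random phase between the two radios
    while t < max_time_s:
        offset = t % scan_interval_s       # where this beacon starts inside the scan cycle
        in_window = always_listening or offset + airtime_s <= scan_window_s
        if in_window and rng.random() >= loss_prob:
            return t + airtime_s
        t += adv_interval_s + rng.uniform(0.0, adv_jitter_s)   # next beacon, with jitter
    return None


def discovery_stats(trials=2000, seed=7, **params):
    """Mean and 95th-percentile discovery time over many trials, plus how many never connected."""
    rng = random.Random(seed)
    samples = (time_to_discovery(rng=rng, **params) for _ in range(trials))
    hits = sorted(s for s in samples if s is not None)
    if not hits:
        return {"mean_s": None, "p95_s": None, "never": trials}
    return {"mean_s": statistics.fmean(hits),
            "p95_s": hits[int(0.95 * (len(hits) - 1))],
            "never": trials - len(hits)}


AIRTIME_1MBIT = packet_airtime_s(128, 1_000_000)   # brookst's example: 0.001024 s

# Constructed scenarios (assumed values, not spec defaults).
SCENARIOS = {
    # beacon every 100 ms (+ up to 10 ms jitter), scanner always listening, clean channel
    "100ms beacon, clean": dict(adv_interval_s=0.1, adv_jitter_s=0.01, scan_window_s=1.0,
                                scan_interval_s=1.0, airtime_s=AIRTIME_1MBIT, loss_prob=0.0),
    # same, but half the beacons are corrupted by interference (ricw's point)
    "100ms beacon, 50% loss": dict(adv_interval_s=0.1, adv_jitter_s=0.01, scan_window_s=1.0,
                                   scan_interval_s=1.0, airtime_s=AIRTIME_1MBIT, loss_prob=0.5),
    # scanner sleeps too: listens 1.5 ms out of every 100 ms ("off 99% of the time")
    "100ms beacon, 1.5% scan duty": dict(adv_interval_s=0.1, adv_jitter_s=0.01, scan_window_s=0.0015,
                                         scan_interval_s=0.1, airtime_s=AIRTIME_1MBIT, loss_prob=0.0),
    # jessriedel's proposal: listen 10 us every 1 ms, but a 1 Mbit/s packet is ~1 ms long
    "1ms beacon, 10us window": dict(adv_interval_s=0.001, adv_jitter_s=0.0, scan_window_s=10e-6,
                                    scan_interval_s=0.001, airtime_s=AIRTIME_1MBIT, loss_prob=0.0),
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        print(f"{name:30s} {discovery_stats(**params)}")
```

The last scenario never connects because the listening window is shorter than the packet, which is the bit-rate floor brookst describes; the duty-cycle scenario shows why both radios sleeping turns a 100 ms interval into multi-second waits.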

comboy
1 replies
8h18m

This makes sense for idle devices, but say airpods know they have been opened (or other bluetooth headsets can be actively listening for a few seconds after power up), and on the other device you explicitly click connect on an already discovered device. I also don't understand why these connections are not 1ms even for devices which were not paired previously.

szundi
0 replies
6h56m

You don’t press connect on the other device. You just put the AirPods in your ears and damn, good to go at once.

cactusplant7374
1 replies
5h11m

I don’t mind using more energy. Are there any other implications for spamming a beacon?

rcxdude
0 replies
5h3m

You interfere with other devices, especially any others that have the same idea.

Sesse__
1 replies
10h18m

> So for example your 600mbps WiFi channel actually beacons and does the handshake at 10mbps (or whatever the negotiation speed is specified to be)

802.11 beacons are sent at the lowest basic rate configured for the network, which in the old days was 1 Mbit/sec, but it's entirely possible to simply not advertise that in the beacon (it's commonly done in larger networks, as you don't want clients to be eating airtime by sending such slow packets), and then the beacon goes out at whatever higher rate. The association can be done at any rate the client wants to, as far as I know, as long as it is listed in the beacon.

vlovich123
0 replies
1h57m

Yes, you can drop older clients in which case the advertising rate is higher (not sure how clients can handle beacons at arbitrary speeds but it does seem to work). However BT does not provide for this kind of control.

IshKebab
1 replies
6h3m

BLE is 3 advertising channels. IIRC they are dedicated to advertising. There are something like 40 other channels used for data (and it uses all of them via frequency hopping).

vlovich123
0 replies
1h55m

Correct. BLE is sane, 5ghz WiFi is insane with > 100 data channels and all of them can beacon. I really don’t understand why the WiFi alliance doesn’t learn from BT here. Maybe there are technical reasons like WiFi is always beaconing so they need more channels to spread over in an urban environment? Still seems a bit silly.

jessriedel
0 replies
1h36m

> How frequently the advertising device is sending out a beacon

Fine, but then the immediate question is: why is it sending out a beacon so rarely?

> for back compat, the beacon is sent at the slowest speed of the protocol as is the handshake

Fine, but then why was the protocol ever so slow? Electromagnetism hasn’t changed much.

> there may be multiple advertising channels

Fine, but why are they all so slow?

rock_artist
10 replies
21h55m

That’s because AirPods auto-update their firmware by themselves, but only when they’re used together with an iPhone or MacBook, so Android users have no easy way to update their firmware.

From what I remember, the advantage of the affected Beats devices, which also use the same chip, is that they can actually be updated from the Beats app on Android.

nuccy
9 replies
21h9m

I use Airpods Pro (1st before and now 2nd gen) with Android phones. And indeed no way to update firmware from Android, no way to check firmware version, no way to select modes, no way to change long press behaviour, no way to check battery level (there are third party apps but they work unreliably). Luckily all that can be done on Mac (except fitting test, which requires iPhone only), though the firmware upgrade process is as confusing as it can possibly be - a user has zero control whatsoever and zero information about status/progress.

One of the support team members in an Apple Store once suggested: you need to leave AirPods connected to the Mac inserted into the open case, which is plugged in and charging, for about 30 minutes to upgrade the firmware. Though in my experience there is definitely a random factor in play for such an upgrade. Moreover I have an impression that even Apple Store employees sometimes have a very vague idea how Apple products interplay with any other Apple product excepting the iPhone. The two times I had a hardware issue with 1st and 2nd gen AirPods they were very confused that I don't use those with an iPhone but with a Mac and Android only.

Rinzler89
4 replies
11h30m

>no way to update firmware from Android, no way to check firmware version

To be fair, even on iOS you can't manually trigger a firmware update as Apple in their infinite wisdom decided that's too complicated for the average user, and to make things simpler for them, firmware updates just happen automagically™.

When do they happen? Whenever they feel like it. Just keep your phone and AirPods close to each other and it will happen eventually, some time. Or not, if you have an error that causes the process to silently fail and the user will have no idea and no way to manually trigger the update or debug it, because that would ruin the AM (Apple Magic™).

jen729w
3 replies
10h22m

> Apple in their infinite wisdom decided that's too complicated for the average user

It absolutely is too complicated for the average user.

No sarcasm whatsoever. 100% sincere comment. ‘The average user’ has utterly no clue about this sort of thing, and nor should they be expected to.

geon
2 replies
9h46m

The part before your quote, that you cut off is important.

> even on iOS you can't manually trigger a firmware update as

Having the option to manually trigger an update, and seeing the progress would not affect the average user at all.

szundi
1 replies
6h54m

Less features, less complexity.

Rinzler89
0 replies
3h1m

Less features also results in worse UX sometimes. There's a point of diminishing returns, and Apple of recent loves to keep crossing over it, by removing useful features such as being able to trigger a FW update when the user wants to instead of waiting around for it to maybe happen.

dbg31415
3 replies
14h53m

I had 3 sets of AirPods. 2 upgraded inside of an hour by leaving them connected to my MacBook, while they were charging and the AirPod cases were open.

One didn't upgrade. Annoying.

I left it for about 4 hours.

Anyway, you can force an upgrade by hitting "forget this device" and then re-pairing it. As soon as you do, the firmware will upgrade.

geon
1 replies
9h44m

How do you even know when an upgrade needs to be done?

shzhdbi09gv8ioi
0 replies
2h54m

Compare firmware version of your AirPods with the advisory.

Select the AirPods under Bluetooth on your iPhone, firmware version is shown as "Version".

Angostura
0 replies
11h8m

Useful tip. Thank you

sebazzz
5 replies
8h24m

So my Airpods 2 have an outdated firmware version, but as a user I can't explicitly have iOS update the firmware, and there is no indication when an update happens. I wish I would have more control.

GeekyBear
1 replies
5h55m

Firmware updates are delivered automatically while your AirPods are charging and in Bluetooth range of your iPhone, iPad, or Mac that's connected to Wi-Fi.

https://support.apple.com/en-us/106340

cpncrunch
0 replies
3h21m

I don't think that is the full story, as my airpods didn't auto update when simply within range, as they weren't connected to the device, so therefore no way to actually download the update.

You need to connect to a device via bluetooth for 5 mins (e.g. just open case when close to device if it is configured to autoconnect). Then close the case and leave for 15 mins. Then connect again and check version.

recursive
0 replies
2h50m

> I wish I would have more control.

Apple products may not be for you.

alwillis
0 replies
2h27m

As more features get added to current and future AirPods, I'd like the ability to trigger an update or at least be notified if one happens.

I get it—95%+ of AirPods users shouldn't have to know about firmware updates. But for those of us who do care about these things, there should be some way to monitor what's happening.

It usually doesn't matter but I have experienced delays in getting AirPods firmware by a couple of days. There could be a time in the future when getting a firmware update ASAP does matter.

MuffinFlavored
0 replies
4h34m

I’d be down to invest time reverse engineering this. It would be fun.

hsbauauvhabzb
5 replies
15h23m

I’ve got numerous gripes with AirPods under Linux - range doesn’t seem as good as my phone (I’ve tried multiple dongles etc), I wasn’t aware that you could connect to two devices but now I want that, when the microphone is enabled audio sounds absolutely trash. Oddly enough, the connect speed annoyed me but not as much as the other issues.

Are there any alternative headphones that solve all three of these well? I just want a headset that works.

ungamedplayer
1 replies
13h47m

If you find something that sounds high quality while the microphone is in use, please document your findings. I feel like there are no good options.

hsbauauvhabzb
0 replies
5h44m

To be clear, the microphone sounds good, sound output is garbage.

rwmj
1 replies
10h1m

I can tell you I absolutely could not get my fancy Sony WH-1000XM5 to connect reliably for more than a few seconds to desktop Linux, so not those ones. (They work fine for Android)

hsbauauvhabzb
0 replies
5h45m

Fwiw I have found recent distros with later versions of pipewire to be ‘better’. I also have one BT USB adapter which will establish a connection, but be totally non functional after the connection sound.

paulmd
0 replies
12h26m

how much do you know about bluetooth device and codec profiles? ooh, boy, I envy you, you see, the bluetooth connection was never about the bluetooth at all...

https://en.wikipedia.org/wiki/List_of_Bluetooth_profiles

(absolutely there is some codec that apple licenses that you as a linux user don't and don't get etc, this is some profile thing they're doing and honestly that's just the price of linux. Free as in free from HDMI 2.1 support. And fraunhofer, and Dolby, and MPEG-LA licensing. Being willing to pay the $2 per device for the licenses has its perks.)

zeroz
1 replies
20h18m

Settings > Bluetooth > Your AirPods (click on [i]) shows the version, even if AirPods are not actively connected.

6A326 seems to be the version including the fix.

https://support.apple.com/en-us/HT214111

mh-
0 replies
19h32m

>AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8

I'm on 6F8, which I presume is for AirPods Pro 2nd gen.

diebeforei485
1 replies
20h54m

There is no manual update option. Auto-update is the only way to update, and it's unclear how to cajole it to auto-update.

Operyl
0 replies
20h52m

If I recall correctly, removing/unpairing the AirPods and forcing a re-pair will forcibly trigger an update.

bagels
1 replies
19h23m

One more advantage of wired headphones in addition to them not running out of batteries.

rwmj
0 replies
10h1m

As well as being able to connect reliably. Bluetooth on Linux is a disaster.

worstspotgain
0 replies
16h18m

The Apple Support link given in the article is for what looks like the Indian version. Here's the US version:

https://support.apple.com/en-us/106340

The US version shows different version numbers for the latest firmware, e.g. for the Airpods Pro 2nd Gen it's 6F8, while in India it's 6B34.

resource_waste
0 replies
7h38m

Hard to think of a company with as poor security as Apple. No one else hits the headlines as much and creates so much real world consequences.

nubinetwork
0 replies
8h0m

> Its main purpose seems to be reducing the time it takes to establish a connection between two Apple devices from roughly 1 second down to about 0.5 seconds

Oh no, I'll never get that 0.5 seconds back... /s

cjk2
0 replies
20h35m

I didn't even know about this vulnerability and mine are updated. Just how I like things.

a1o
0 replies
22h26m

Very nice write-up

> ... see if I could get all the functionality working on Linux as well. ... I’ll talk about the specifics in another blog post ...

I am super curious to read when you do write up the implementation of this functionality on Linux! Thanks for that and I will refresh the blog until that is written :)

StrLght
0 replies
20h57m

I understand that chances are pretty slim but I still hope that this will make Apple do something regarding AirPods updates on other OSes or at least on Android.