JBL Live 780NC Headphones Enable Auracast on iOS via App, Bypassing Apple Restrictions
What Happened – JBL’s new Live 780NC over‑ear headphones include an in‑app Auracast feature that lets users discover and join Bluetooth LE Audio broadcasts directly from the JBL Headphones app. This circumvents Apple’s current iOS limitation, which blocks native Auracast support.
Why It Matters for TPRM –
- The workaround creates a new attack surface for audio‑stream interception or spoofing on iOS devices.
- Vendors that rely on Apple’s “closed” ecosystem may need to reassess the security implications of third‑party audio broadcast access.
- Third‑party risk managers should verify that any broadcast‑related data (e.g., voice, location) is encrypted and that the app follows secure development practices.
Who Is Affected – Consumer electronics manufacturers, audio‑hardware vendors, enterprise environments that provision headphones for remote workers, and any organization that permits iOS devices to connect to Bluetooth LE Audio streams.
Recommended Actions –
- Review JBL’s app security posture (code signing, data encryption, permission model).
- Validate that Auracast broadcasts are authenticated and that only authorized streams are accessible.
- Update internal device‑use policies to include guidance on third‑party audio broadcast features.
Technical Notes – The feature leverages Bluetooth LE Audio’s Auracast broadcast capability, which is normally gated by iOS. No CVEs or known vulnerabilities are disclosed, but the added software layer could be exploited if the app mishandles broadcast discovery or authentication.
Source: ZDNet Security