CVE-2024-2104 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) found in the JBL LIVE PRO 2 True Wireless Stereo (TWS) earbuds. The root cause lies in improper Bluetooth Low Energy (BLE) security configurations on the device's Generic Attribute Profile (GATT) server. Specifically, the device fails to enforce authentication for critical control commands exposed via the mobile app service over BLE. This allows an attacker in physical proximity (adjacent attacker) to connect to the earbuds without any authentication or user interaction and issue arbitrary read and write commands. Such unauthorized access can lead to manipulation of device functions, including disabling or rendering the earbuds unusable, thus impacting device availability. The CVSS 3.1 base score is 8.8 (high severity), reflecting high impact on confidentiality, integrity, and availability, with low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects all versions of the LIVE PRO 2 TWS product. Although no exploits are currently known in the wild, the ease of exploitation and critical impact make this a significant risk. The vulnerability highlights the importance of proper BLE security configurations, including enforcing authentication and authorization on GATT services that control device functionality.

For European organizations, this vulnerability poses risks primarily in environments where JBL LIVE PRO 2 TWS earbuds are used for communication, audio playback, or other operational purposes. An attacker could disrupt employee communications by rendering devices unusable, causing productivity loss. Confidential information transmitted or stored on the device could be exposed or manipulated, impacting data confidentiality and integrity. The lack of authentication means attackers can exploit the vulnerability without prior access or user interaction, increasing the attack surface in shared or public spaces such as offices, conference rooms, or public transport. Critical sectors such as finance, government, and healthcare, where secure communications are essential, may face elevated risks. Additionally, the vulnerability could be leveraged as part of a broader attack chain targeting endpoint devices. The absence of known exploits currently limits immediate widespread impact, but the potential for future exploitation necessitates proactive mitigation.

1. JBL should release a firmware update that properly enforces authentication and authorization on all BLE GATT server functions controlling device behavior. Users must apply these updates promptly. 2. Organizations should inventory and monitor the use of JBL LIVE PRO 2 TWS earbuds within their environment and restrict their use in sensitive areas until patched. 3. Implement Bluetooth device management policies that limit pairing and connections to trusted devices only, using device whitelisting where possible. 4. Employ physical security controls to reduce the risk of adjacent attackers gaining proximity, such as restricting unauthorized personnel access to sensitive workspaces. 5. Monitor Bluetooth traffic for anomalous connection attempts or unusual command patterns targeting audio devices. 6. Educate users about the risks of using vulnerable Bluetooth peripherals and encourage reporting of suspicious device behavior. 7. Consider alternative audio devices with stronger security postures in high-risk environments until the vulnerability is resolved.