Bluetooth Headphones Compromised by Design
Recent security research uncovered serious flaws in Bluetooth headphones and earbuds powered by Airoha Systems on a Chip (SoCs). These vulnerabilities allow attackers within Bluetooth range to take full control of affected devices—no pairing, no permission, no interaction required. With many popular models affected, including Sony, Marshall, JBL and Bose, the scope is both widespread and urgent.
What Makes Airoha Vulnerabilities So Dangerous
Airoha is a key player in the Bluetooth audio market. Its SoCs are widely used in True Wireless Stereo (TWS) earbuds and headphones. Many manufacturers use Airoha’s reference SDK, sometimes without knowing the full implications. The vulnerabilities identified stem from how Airoha’s SDK implements communication protocols.
No Authentication, Full Access
Three CVEs will soon be published detailing critical weaknesses:
- CVE-2025-20700: No authentication for GATT services (BLE)
- CVE-2025-20701: No authentication for Bluetooth BR/EDR (Classic)
- CVE-2025-20702: Overpowered custom protocol exposed
Attackers can read and write to RAM and flash memory without authentication. They can hijack existing trust relationships, manipulate data streams, and even impersonate the headphones to the user’s mobile device.
Attack Conditions Are Simple
The only requirement is Bluetooth proximity, typically under 10 meters. No pairing or prior access is needed. Once connected, the attacker gains low-level access to memory and firmware, allowing for a variety of exploits including:
- Reading media metadata from RAM
- Listening through the microphone
- Impersonating headphones to a paired phone
- Extracting call logs and contacts
- Executing a wormable attack chain
Affected Devices: From Entry-Level to Flagship
The research confirmed vulnerabilities in numerous well-known models. Brands and devices include:
- Sony: WH-1000XM5, WF-1000XM4, Link Buds S
- Marshall: ACTON III, MOTIF II, MAJOR V
- JBL: Endurance Race 2, Live Buds 3
- Bose: QuietComfort Earbuds
- Jabra: Elite 8 Active
- Teufel, MoerLabs, EarisMax and more
This list is not exhaustive. Many products share the same SoC but are sold under different brands. Some vendors may be unaware they are using Airoha chips due to outsourced design or opaque component sourcing.
Threats to Privacy and Security
These vulnerabilities are not theoretical. Researchers successfully implemented proof-of-concept attacks that exploited memory reads and Bluetooth trust hijacking. A particularly concerning demonstration showed how an attacker could impersonate headphones, extract Bluetooth keys from memory, and use them to issue voice commands or make calls from a paired phone.
This technique allowed for:
- Passive eavesdropping via hijacked calls
- Covert recording through microphone access
- Trust impersonation across devices
Such capabilities pose a high risk to individuals in sensitive roles: journalists, executives, diplomats or political dissidents. The average consumer is less likely to be targeted, but the underlying flaws affect everyone equally.
Bluetooth Attacks Remain Proximity-Based
While the vulnerabilities are severe, exploitation is not trivial. Attackers must be physically close—within the same room, bus, café or meeting space. Real-world attacks require high skill and specific tools. Nonetheless, the ease of discovery combined with lack of authentication makes opportunistic or targeted attacks plausible.
What Users Can Do
Until vendors release firmware patches, Bluetooth headphone users should take the following precautions:
- Unpair vulnerable headphones from phones or laptops
- Avoid using Bluetooth headphones in public places
- Monitor vendor updates for firmware releases
- If in a high-risk category, consider avoiding Bluetooth audio devices entirely
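As an added example (not from the article or from the researchers), here is a small triage script for the first precaution above: it parses the paired-device list a Linux host prints with `bluetoothctl devices` (assumed host and tool; the sample output is constructed), flags names that match the affected models listed in this article, and emits the `bluetoothctl remove` commands that drop the pairing. A name match is only a hint, since device names are user-editable and say nothing about the installed firmware version.

```python
import re

# Models the article lists as confirmed affected. A name match is a triage hint:
# Bluetooth device names can be edited by the user and do not prove firmware version.
AFFECTED_MODELS = ["WH-1000XM5", "WF-1000XM4", "Link Buds S", "ACTON III", "MOTIF II",
                   "MAJOR V", "Endurance Race 2", "Live Buds 3", "QuietComfort Earbuds",
                   "Elite 8 Active"]

# Line format printed by `bluetoothctl devices` on Linux (assumed host; constructed sample below).
DEVICE_LINE = re.compile(r"^Device\s+([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s+(.+)$", re.I)

def _norm(name: str) -> str:
    """Case-fold and drop whitespace so 'LinkBuds S' and 'Link Buds S' compare equal."""
    return re.sub(r"\s+", "", name).casefold()

def parse_devices(output: str) -> list[tuple[str, str]]:
    """Return (mac, name) pairs from bluetoothctl output; unparseable lines are skipped."""
    devices = []
    for line in output.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            devices.append((m.group(1).upper(), m.group(2).strip()))
    return devices

def flag_affected(devices: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (mac, name, matched_model) for every device whose name contains an affected model."""
    flagged = []
    for mac, name in devices:
        for model in AFFECTED_MODELS:
            if _norm(model) in _norm(name):
                flagged.append((mac, name, model))
                break
    return flagged

def unpair_commands(flagged: list[tuple[str, str, str]]) -> list[str]:
    """Commands that drop the pairing, i.e. the article's first precaution."""
    return [f"bluetoothctl remove {mac}" for mac, _, _ in flagged]

# Constructed sample of `bluetoothctl devices` output, not captured from a real host.
SAMPLE = """\
Device 00:11:22:33:44:55 WH-1000XM5
Device 66:77:88:99:AA:BB LE_LinkBuds S
Device CC:DD:EE:FF:00:11 Logitech MX Keys
"""

if __name__ == "__main__":
    hits = flag_affected(parse_devices(SAMPLE))
    for mac, name, model in hits:
        print(f"{mac}  {name!r} matches affected model {model}")
    print("\n".join(unpair_commands(hits)))
```

On a real host, feed the script the actual output of `bluetoothctl devices` in place of SAMPLE and review the flagged entries before running the remove commands.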
Organizations and high-value individuals should assess the use of such devices within secure environments. For stronger protection, our cybersecurity services offer tailored threat assessments and device audits.
Patching Is Underway, But Slow
Airoha released a fixed SDK to manufacturers in early June 2025. However, because vendors must individually build and distribute firmware updates, some products may remain vulnerable for weeks or months. As of publication, no fixed firmware has been released for public download.
This delay is a recurring issue in hardware supply chains. SoCs are embedded in hundreds of devices, often without clear visibility across stakeholders. Many vendors do not disclose which chips they use, making CVE traceability difficult.
The Bigger Picture: Supply Chain Security
This case highlights a persistent cybersecurity challenge: downstream hardware reuse and opaque integration make coordinated patching nearly impossible. Vulnerabilities discovered in a shared component ripple across countless brands and products, many of which are already on the market.
When vendors are unaware of the chips inside their own products, user trust and device security suffer. Better supply chain transparency, mandatory disclosure of component CVEs, and long-term firmware support are critical for improving consumer device security.
Final Thoughts
The Airoha Bluetooth vulnerabilities expose a troubling reality: even your headphones may be silently leaking access to your digital life. While the attacks require proximity and technical skill, the flaws are real, and the impact is severe for those who rely on Bluetooth headsets in sensitive contexts.
Patches are coming. But until then, caution is advised.
Read the full article from Insinuator.net here.