CERT-In Alert: Hackers Could Hijack Your Headphones Without You Knowing; Could Be Spying on You

Swagta Nath

Cybersecurity researchers have identified critical vulnerabilities in Bluetooth headphones and earbuds built using Airoha Systems on a Chip (SoCs). These vulnerabilities were presented during this year’s TROOPERS Conference and documented by the cybersecurity firm ERNW. The flaws affect both Bluetooth Low Energy (BLE) and Bluetooth BR/EDR (Classic) protocols, enabling attackers to gain low-level access to memory and potentially hijack connected mobile devices—all without needing to pair.

The Nature of the Vulnerabilities: No Pairing, Full Access

The vulnerabilities are cataloged under the following CVE IDs:

  • CVE-2025-20700: Missing Authentication for GATT Services
  • CVE-2025-20701: Missing Authentication for Bluetooth BR/EDR
  • CVE-2025-20702: Abuse of Critical Capabilities in a Custom Protocol

Researchers discovered that many Airoha-powered devices expose a powerful internal protocol through BLE GATT and RFCOMM over Bluetooth Classic. This protocol allows read/write access to RAM and flash storage—all without requiring authentication. In real-world terms, this means an attacker within Bluetooth range (~10 meters) could potentially hijack the headphone, access private data, or impersonate the device to its paired phone.
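The missing check is easiest to see in code. The following C model is added here for illustration; it is not taken from ERNW's research or from Airoha's SDK. It shows a GATT server-side permission check: a hypothetical vendor memory-access characteristic declared readable and writable on any link (the pattern described above) beside the same characteristic gated on an authenticated link, plus the equivalent gate for a privileged RFCOMM channel on the Bluetooth Classic side. The characteristic names and permission bits are assumptions; the ATT error codes are the ones the Bluetooth Core Specification defines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ATT error codes (Bluetooth Core Specification, Vol 3 Part F, Section 3.4.1.1). */
#define ATT_OK                               0x00
#define ATT_ERR_READ_NOT_PERMITTED           0x02
#define ATT_ERR_WRITE_NOT_PERMITTED          0x03
#define ATT_ERR_INSUFFICIENT_AUTHENTICATION  0x05
#define ATT_ERR_INSUFFICIENT_ENCRYPTION      0x0F

/* Security level of the current link, as a host stack tracks it. */
typedef enum {
    LINK_NONE = 0,          /* connected, unpaired, unencrypted */
    LINK_ENCRYPTED = 1,     /* encrypted with an unauthenticated ("Just Works") key */
    LINK_AUTHENTICATED = 2  /* encrypted with an authenticated, MITM-protected key */
} link_sec_t;

/* Permission bits a characteristic declares. Names follow the Zephyr
 * BT_GATT_PERM_* convention, but this is a stand-alone model, not Zephyr. */
enum {
    PERM_READ          = 1u << 0,  /* readable on any link */
    PERM_WRITE         = 1u << 1,  /* writable on any link */
    PERM_READ_ENCRYPT  = 1u << 2,  /* readable only over an encrypted link */
    PERM_WRITE_ENCRYPT = 1u << 3,
    PERM_READ_AUTHEN   = 1u << 4,  /* readable only over an authenticated link */
    PERM_WRITE_AUTHEN  = 1u << 5
};

typedef struct {
    const char *name;   /* hypothetical label, not a real Airoha identifier */
    uint16_t perm;
} gatt_char_t;

/* The pattern the advisory describes: a vendor memory-access characteristic
 * that any connected, unpaired central may read and write. */
const gatt_char_t weak_memory_char =
    { "vendor-memory-access (weak)", PERM_READ | PERM_WRITE };

/* Not enough on its own: an encrypted but unauthenticated (Just Works)
 * pairing still passes, so anyone who can pair gets the primitive. */
const gatt_char_t encrypt_only_char =
    { "vendor-memory-access (encrypt-only)", PERM_READ_ENCRYPT | PERM_WRITE_ENCRYPT };

/* Hardened form: the same characteristic gated on an authenticated link, so an
 * unpaired peer in radio range is refused before any RAM/flash access occurs. */
const gatt_char_t hardened_memory_char =
    { "vendor-memory-access (hardened)", PERM_READ_AUTHEN | PERM_WRITE_AUTHEN };

/* Decide whether a read or write request may proceed. Returns ATT_OK or the
 * ATT error code the server would put in its Error Response. */
uint8_t gatt_check_access(const gatt_char_t *c, link_sec_t link, bool is_write)
{
    uint16_t any_bits = is_write ? (PERM_WRITE | PERM_WRITE_ENCRYPT | PERM_WRITE_AUTHEN)
                                 : (PERM_READ | PERM_READ_ENCRYPT | PERM_READ_AUTHEN);
    if ((c->perm & any_bits) == 0)
        return is_write ? ATT_ERR_WRITE_NOT_PERMITTED : ATT_ERR_READ_NOT_PERMITTED;

    uint16_t authen_bit  = is_write ? PERM_WRITE_AUTHEN  : PERM_READ_AUTHEN;
    uint16_t encrypt_bit = is_write ? PERM_WRITE_ENCRYPT : PERM_READ_ENCRYPT;
    if ((c->perm & authen_bit) && link < LINK_AUTHENTICATED)
        return ATT_ERR_INSUFFICIENT_AUTHENTICATION;
    if ((c->perm & encrypt_bit) && link < LINK_ENCRYPTED)
        return ATT_ERR_INSUFFICIENT_ENCRYPTION;
    return ATT_OK;
}

/* The same gate for the Bluetooth Classic path: a privileged RFCOMM channel
 * should refuse the connection outright unless the ACL link is authenticated. */
bool rfcomm_accept_privileged_channel(link_sec_t link)
{
    return link >= LINK_AUTHENTICATED;
}

int main(void)
{
    const link_sec_t levels[] = { LINK_NONE, LINK_ENCRYPTED, LINK_AUTHENTICATED };
    const char *level_names[] = { "unpaired", "encrypted", "authenticated" };
    for (int i = 0; i < 3; i++) {
        printf("%-14s weak=0x%02X encrypt-only=0x%02X hardened=0x%02X rfcomm=%s\n",
               level_names[i],
               gatt_check_access(&weak_memory_char, levels[i], true),
               gatt_check_access(&encrypt_only_char, levels[i], true),
               gatt_check_access(&hardened_memory_char, levels[i], true),
               rfcomm_accept_privileged_channel(levels[i]) ? "accept" : "refuse");
    }
    return 0;
}
```

Build with `cc -o gatt_check gatt_check.c && ./gatt_check`; each line shows the write decision for one link level. The point to take from the output is that the weak declaration returns ATT_OK on an unpaired link, which is exactly the no-pairing access the researchers describe, while the hardened one refuses until the link is authenticated.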


Impacted Devices: Flagships to Entry-Level

Due to the widespread use of Airoha SoCs in the audio industry, many popular headphone models are affected. ERNW confirmed vulnerabilities in devices from Sony, Marshall, Jabra, JBL, Bose, Teufel, and others.

Some confirmed vulnerable models include:

  • Sony WH-1000XM4 / XM5 / XM6, WF-1000XM3 / XM4 / XM5
  • Marshall MAJOR V, MOTIF II, WOBURN III
  • Jabra Elite 8 Active
  • Bose QuietComfort Earbuds
  • JBL Endurance Race 2 / Live Buds 3
  • Beyerdynamic Amiron 300
  • Teufel TATWS2

The vulnerabilities affect both high-end flagship devices and budget models, making this a widespread and urgent concern.

Proof-of-Concept Attacks: From Eavesdropping to Call Hijacking

ERNW researchers demonstrated several alarming attack scenarios:

  • Live Eavesdropping: Using the vulnerability to create a Hands-Free Profile (HFP) connection with the device and listen to microphone input—even without the user’s knowledge.
  • Media Snooping: Reading what audio content is currently playing by scraping live RAM data.
  • Call Injection: By extracting Bluetooth link keys from the headphones, attackers can impersonate the headphones to a previously paired phone, initiate calls, and potentially eavesdrop on conversations near the phone.
  • Data Extraction: Including phone numbers, contacts, and call history under certain configurations.


Wormability and Supply Chain Blind Spots

Beyond individual attacks, researchers warned the flaws are wormable—malicious code could theoretically spread from one device to another over Bluetooth. Furthermore, due to the fragmented hardware supply chain, some vendors are unaware they are using Airoha SoCs, especially when modules are sourced from third-party developers.

What Consumers Should Know: Are You at Risk?

While the vulnerabilities are technically severe, successful exploitation requires proximity. Bluetooth range is limited, and real-world attacks would likely be targeted and complex, not random or remote.

High-risk users include:

  • Journalists and political dissidents
  • Government officials and diplomats
  • Executives in sensitive industries

For the general public, experts recommend removing Bluetooth pairings and waiting for firmware patches before continuing to use affected headphones in sensitive contexts.

Patch Status and Vendor Response

  • Airoha released a patched SDK to vendors in early June 2025.
  • Device manufacturers are now responsible for integrating and distributing firmware updates.
  • As of now, no fixed firmware has been publicly confirmed by vendors.

Given the slow patch delivery seen in past SoC vulnerabilities, there is concern that many lower-end or end-of-life products may never receive updates, leaving consumers unknowingly exposed.

Disclosure Timeline (Summary)

  • March 25, 2025: Vulnerabilities first reported to Airoha.
  • April 2025: No response; researchers reach out to affected vendors directly.
  • May 27, 2025: Airoha responds; coordinated mitigation begins.
  • June 4, 2025: SDK with patches released to vendors.

A full technical breakdown and whitepaper are expected from ERNW in the coming months.

Bluetooth Convenience vs Security

This disclosure underscores a deeper issue in consumer electronics: security is often overlooked in favor of convenience and cost. Airoha’s SoCs power a vast range of audio products, but their exposure of powerful low-level protocols without authentication reflects systemic gaps in secure development and supply chain transparency.

Until vendors release patches, users—especially those in high-risk professions—should reconsider the use of Bluetooth audio devices in sensitive settings.
