Hackers Exploit Bluetooth Flaws to Eavesdrop via Headphones and Earbuds

In a major security revelation, researchers have uncovered critical vulnerabilities in millions of Bluetooth headphones and earbuds, enabling hackers to eavesdrop on conversations, hijack devices, and access sensitive data—all without user authentication or pairing.

The flaws, discovered by German security firm ERNW and presented at the TROOPERS security conference, affect Bluetooth chips produced by the Taiwanese manufacturer Airoha.

The vulnerabilities have been assigned the following CVE identifiers:

| CVE Number | Description | Severity (CVSS) |
|---|---|---|
| CVE-2025-20700 | Missing Authentication for GATT Services | 8.8 (High) |
| CVE-2025-20701 | Missing Authentication for Bluetooth BR/EDR | 8.8 (High) |
| CVE-2025-20702 | Critical Capabilities of a Custom Protocol | 9.6 (Critical) |

While the technical severity is high, researchers emphasize that successful attacks require the hacker to be physically close to the target—within Bluetooth range.

These chips are widely used in popular True Wireless Stereo (TWS) devices from leading brands such as Sony, JBL, Bose, Marshall, and others. 

The vulnerabilities stem from a proprietary protocol within Airoha’s Bluetooth System-on-Chip (SoC), which, when exploited, allows attackers to manipulate device memory and connections remotely.

How the Attack Works

The vulnerabilities expose a powerful custom protocol via both Bluetooth Low Energy (BLE) and Bluetooth Classic (BR/EDR).

Critically, no authentication or pairing is required—an attacker simply needs to be within Bluetooth range (typically about 10 meters) of a vulnerable device. Once connected, hackers can:

  • Read and write device RAM and flash memory
  • Hijack trust relationships with paired smartphones
  • Eavesdrop on conversations by activating the device’s microphone
  • Initiate or intercept phone calls
  • Extract phone numbers and contact lists from connected phones

Researchers demonstrated that by exploiting these flaws, they could impersonate headphones to a paired smartphone and trigger calls, effectively turning the headphones into a remote listening device.

Affected Devices

The vulnerabilities impact a wide range of products, from entry-level to flagship models. Confirmed affected devices include:

  • Sony: WH-1000XM4, WH-1000XM5, WH-1000XM6, WF-1000XM3/4/5, WH-CH520, WH-CH720N, WH-XB910N, WI-C100, WF-C510-GFP, WF-C500, Link Buds S, ULT Wear
  • Marshall: Woburn III, Stanmore III, Acton III, Major IV/V, Minor IV, Motif II
  • JBL: Live Buds 3, Endurance Race 2
  • Bose: QuietComfort Earbuds
  • Jabra: Elite 8 Active
  • Beyerdynamic: Amiron 300
  • Others: MoerLabs EchoBeatz, Teufel Airy TWS 2, Jlab Epic Air Sport ANC, EarisMax Bluetooth Auracast Sender, Xiaomi Redmi Buds 5 Pro

Due to supply chain complexity, the full list of affected devices is likely much larger, as many manufacturers use Airoha chips without always disclosing it.

The attack is not feasible over the internet and demands a high technical skill set. Most at risk are high-value targets such as journalists, diplomats, and individuals in sensitive industries.

Airoha has released updated SDKs to manufacturers, but as of now, no firmware updates are publicly available for end users.

The patching process is complicated by the fragmented supply chain and the fact that many brands may not even be aware they use vulnerable chips.

Until firmware fixes reach end users, the practical mitigations are for users to:

  • Temporarily avoid using Bluetooth headphones in sensitive environments
  • Remove the headphones' pairing from their smartphones
  • Monitor for firmware updates from device manufacturers

As wireless audio devices proliferate, this incident highlights the urgent need for robust security practices in the Bluetooth ecosystem.
