Bluetooth Vulnerabilities Let Hackers Spy on Your Headphones and Earbuds

A major security flaw affecting millions of Bluetooth headphones and earbuds has been discovered, allowing attackers to remotely hijack devices and spy on users without requiring any authentication or pairing. 

Summary
1. Critical flaws affect millions of Bluetooth headphones from Sony, Marshall and Bose that use Airoha chips; an attacker only needs to be within about 10 meters.
2. No pairing required: attackers reach the device over BLE GATT and RFCOMM and can read and write its memory.
3. Microphone eavesdropping, contact and call-history theft, unauthorized calls, and potential malware spread between devices.
4. Fixes have been available to manufacturers since June 2025, but no public firmware updates have been released yet.

The vulnerabilities, identified by cybersecurity researchers at ERNW, affect devices using Airoha Systems on a Chip (SoCs) and impact popular brands including Sony, Marshall, Beyerdynamic, and Bose.

Critical Flaws Enable Complete Device Takeover

The security advisory details three critical vulnerabilities:

  • CVE-2025-20700 (Missing Authentication for GATT Services)
  • CVE-2025-20701 (Missing Authentication for Bluetooth BR/EDR)
  • CVE-2025-20702 (Critical Capabilities of a Custom Protocol)

These flaws expose a powerful custom protocol through BLE GATT (Bluetooth Low Energy Generic Attribute Profile) and RFCOMM channels via Bluetooth Classic, allowing attackers to read and write device RAM and flash memory without any authentication.

The vulnerabilities affect both Bluetooth BR/EDR (Bluetooth Classic) and Bluetooth Low Energy (BLE) connections, requiring only that attackers be within Bluetooth range of approximately 10 meters. 

| CVE | Description | Impact | CVSS Score |
|---|---|---|---|
| CVE-2025-20700 | Missing Authentication for GATT Services | Read/write device memory, access sensitive data | 8.8 (High) |
| CVE-2025-20701 | Missing Authentication for Bluetooth BR/EDR | Complete device takeover | 8.8 (High) |
| CVE-2025-20702 | Critical Capabilities of a Custom Protocol | Full RAM and flash memory access, Bluetooth link key extraction, device impersonation | 9.6 (Critical) |

Once exploited, hackers can execute sophisticated attacks, including reading currently playing media from device RAM, establishing unauthorized HFP (Hands-Free Profile) connections to eavesdrop through microphones, and extracting Bluetooth link keys from flash memory to impersonate trusted devices.

[Image: Media Info Exploit]

Major Brands and Models Affected

The research confirms vulnerabilities across a wide range of consumer audio devices, from entry-level to flagship models. 

Affected devices include multiple Sony models such as the WH-1000XM4, WH-1000XM5, WF-1000XM5, and WF-C500. Marshall’s entire product line appears compromised, including the ACTON III, MAJOR V, MINOR IV, and STANMORE III speakers. 

Other confirmed vulnerable devices include the Beyerdynamic Amiron 300, Bose QuietComfort Earbuds, Jabra Elite 8 Active, and various JBL models.

The scope extends beyond consumer headphones to include wireless speakers, dongles, and professional audio equipment. 

Many manufacturers remain unaware that their devices use vulnerable Airoha SoCs, as Bluetooth modules are often outsourced during development.

Airoha released SDK updates with security mitigations to device manufacturers in early June 2025, but no firmware updates have been publicly released yet. 

The company’s response came after a 90-day disclosure period, during which researchers attempted multiple contact methods before receiving acknowledgment. 

The vulnerabilities create a “wormable” exploit scenario where compromised devices could potentially spread malware to other vulnerable devices through their GATT services and characteristics.

While the technical barriers for exploitation remain high, requiring proximity and advanced technical skills, the vulnerabilities pose significant risks for high-value targets, including journalists, diplomats, and VIPs. 

Users are advised to monitor their device manufacturers’ websites for firmware updates and consider removing Bluetooth pairings if they believe their device may be targeted.
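As an added defender-side check (not from the ERNW advisory or this article), the script below parses the output of `bluetoothctl paired-devices` on a Linux host, flags pairings whose device name matches one of the models listed above, and prints the `bluetoothctl remove <MAC>` command that drops each matching pairing. The model list is taken from this article and is not complete; the sample output is constructed, and the `Device <MAC> <name>` line format is an assumption about the installed BlueZ version.

```python
import re
import subprocess

# Models named in the article (constructed subset, case-insensitive substring match).
AFFECTED_MODELS = [
    "WH-1000XM4", "WH-1000XM5", "WF-1000XM5", "WF-C500",   # Sony
    "ACTON III", "MAJOR V", "MINOR IV", "STANMORE III",    # Marshall
    "Amiron 300", "QuietComfort Earbuds", "Elite 8 Active",  # Beyerdynamic, Bose, Jabra
]

# bluetoothctl prints one 'Device <MAC> <name>' line per pairing (assumed BlueZ format).
DEVICE_LINE = re.compile(r"^Device\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.+)$")

def parse_paired(output: str) -> list[tuple[str, str]]:
    """Extract (mac, name) pairs from `bluetoothctl paired-devices` output."""
    pairs = []
    for line in output.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1).upper(), m.group(2).strip()))
    return pairs

def flag_affected(pairs: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (mac, name, model) for pairings whose name contains an affected model."""
    hits = []
    for mac, name in pairs:
        for model in AFFECTED_MODELS:
            if model.lower() in name.lower():
                hits.append((mac, name, model))
                break
    return hits


# Constructed sample used when no Bluetooth stack is available.
SAMPLE_OUTPUT = """\
Device 00:11:22:33:44:55 WH-1000XM5
Device 66:77:88:99:AA:BB Logitech MX Keys
Device CC:DD:EE:FF:00:11 Marshall Major V
"""

if __name__ == "__main__":
    try:  # Assumption: BlueZ bluetoothctl is on PATH; fall back to the sample otherwise.
        output = subprocess.run(["bluetoothctl", "paired-devices"],
                                capture_output=True, text=True).stdout or SAMPLE_OUTPUT
    except FileNotFoundError:
        output = SAMPLE_OUTPUT
    for mac, name, model in flag_affected(parse_paired(output)):
        print(f"{mac}  {name!r} matches affected model {model!r}")
        print(f"  to drop the pairing: bluetoothctl remove {mac}")
```

Device names are user-editable and some vendors ship generic names, so a non-match is not proof that a device is unaffected; the manufacturer's firmware pages remain the authoritative source.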
