Warning! Bluetooth Headphones Vulnerable — Airoha SoCs Open the Door

Recent security research has uncovered serious flaws in Bluetooth headphones and earbuds built on Airoha chipsets. The vulnerabilities affect a wide range of popular devices, from entry-level earbuds to flagship over-ear models, and put millions of users at risk. In this article, I’ll break down what was found, what attackers could do with it, and how the patching process is (or isn’t) unfolding. The findings were presented publicly by ERNW at this year’s TROOPERS conference (2025).

What’s the Issue?

Airoha, a major supplier in the Bluetooth audio space, provides both the hardware (SoCs) and the software SDKs that major audio brands build on. The researchers found that a powerful proprietary protocol intended for development and debugging is still reachable in production firmware, and that it is exposed without any authentication over both BLE (via GATT) and Bluetooth Classic (BR/EDR).

In short: an attacker within Bluetooth range can take full control of an affected device. No pairing is required.

CVEs You Should Know

  • CVE-2025-20700: Missing authentication for the GATT service (BLE)
  • CVE-2025-20701: Missing authentication for BR/EDR (Bluetooth Classic)
  • CVE-2025-20702: Critical capabilities of the custom (debug) protocol left reachable

The protocol allows reading and writing device memory (RAM and flash). Everything else builds on that: hijacking existing connections, extracting the stored Bluetooth link keys (the pairing credentials), and more.

Confirmed Vulnerable Devices

The list below includes only devices that were directly tested and confirmed as vulnerable. It is likely just the tip of the iceberg: many other products built on the same SoCs and SDK are probably affected too.

✅ Confirmed Affected Devices:

  • Beyerdynamic
    • Amiron 300
  • Bose
    • QuietComfort Earbuds
  • Earis
    • EarisMax Bluetooth Auracast Sender
  • Jabra
    • Elite 8 Active
  • JBL
    • Endurance Race 2
    • Live Buds 3
  • JLab
    • Epic Air Sport ANC
  • Marshall
    • ACTON III
    • MAJOR V
    • MINOR IV
    • MOTIF II
    • STANMORE III
    • WOBURN III
  • MoerLabs
    • EchoBeatz
  • Sony
    • CH-720N
    • Link Buds S
    • ULT Wear
    • WF-1000XM3
    • WF-1000XM4
    • WF-1000XM5
    • WF-C500
    • WF-C510-GFP
    • WH-1000XM4
    • WH-1000XM5
    • WH-1000XM6
    • WH-CH520
    • WH-XB910N
    • WI-C100
  • Teufel
    • TATWS2

Some devices may be vulnerable to only a subset of the issues, depending on firmware version or vendor-specific modifications. In at least one case, a manufacturer appears to have mitigated two of the three vulnerabilities by accident.
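A practical first check is to see whether any device already paired to your machines is on the confirmed list. The script below is an added example written for this article (it is not ERNW’s tooling or Airoha’s code). It assumes the inventory is the output of `bluetoothctl paired-devices` on Linux/BlueZ (lines of the form `Device <MAC> <Name>`) and that device names carry the vendor’s model string; the sample inventory is constructed. Because Bluetooth names vary in case, punctuation and prefixes (a BLE entry for a WH-CH720N may show up as `LE_WH-CH720N`), it compares normalized strings rather than exact names.

```python
"""Triage paired Bluetooth devices against the confirmed-affected Airoha list.

Added example for this article, not ERNW's tooling or Airoha's code.
Assumptions: input is `bluetoothctl paired-devices` output (BlueZ, Linux) and
device names contain the vendor's model string. SAMPLE_PAIRED is constructed.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterator, Optional

# Models confirmed vulnerable in the research, as listed in the article.
CONFIRMED_AFFECTED = {
    "Beyerdynamic": ["Amiron 300"],
    "Bose": ["QuietComfort Earbuds"],
    "Earis": ["EarisMax Bluetooth Auracast Sender"],
    "Jabra": ["Elite 8 Active"],
    "JBL": ["Endurance Race 2", "Live Buds 3"],
    "JLab": ["Epic Air Sport ANC"],
    "Marshall": ["ACTON III", "MAJOR V", "MINOR IV", "MOTIF II",
                 "STANMORE III", "WOBURN III"],
    "MoerLabs": ["EchoBeatz"],
    "Sony": ["CH-720N", "Link Buds S", "ULT Wear", "WF-1000XM3", "WF-1000XM4",
             "WF-1000XM5", "WF-C500", "WF-C510-GFP", "WH-1000XM4", "WH-1000XM5",
             "WH-1000XM6", "WH-CH520", "WH-XB910N", "WI-C100"],
    "Teufel": ["TATWS2"],
}

# "Device AA:BB:CC:DD:EE:FF Some Name" as printed by bluetoothctl.
DEVICE_LINE = re.compile(r"^Device\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(.+?)\s*$")

# Constructed sample inventory: confirmed, same-vendor, unrelated, and a noise line.
SAMPLE_PAIRED = """\
Device 00:11:22:33:44:55 WH-1000XM5
Device AA:BB:CC:DD:EE:01 LE_WH-CH720N
Device AA:BB:CC:DD:EE:02 Marshall Minor IV
Device AA:BB:CC:DD:EE:03 Bose QC Earbuds II
Device AA:BB:CC:DD:EE:04 Pixel Buds Pro
[NEW] Controller 12:34:56:78:9A:BC hostname [default]
"""


@dataclass
class Finding:
    mac: str
    name: str
    status: str                    # CONFIRMED, SAME_VENDOR or UNVERIFIED
    vendor: Optional[str] = None
    model: Optional[str] = None


def normalize(s: str) -> str:
    """Lower-case and keep only letters/digits, so 'LE_WH-CH720N', 'WH-CH720N'
    and the list entry 'CH-720N' compare on the same footing."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def parse_paired_devices(text: str) -> Iterator[tuple]:
    """Yield (mac, name) for every 'Device ...' line; ignore everything else."""
    for line in text.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            yield m.group(1).upper(), m.group(2)


def classify(name: str) -> tuple:
    """Return (status, vendor, model). Longest matching model string wins, so
    'WH-1000XM5' is not confused with a shorter overlapping entry."""
    n = normalize(name)
    best = None          # (len(normalized model), vendor, model)
    vendor_hit = None
    for vendor, models in CONFIRMED_AFFECTED.items():
        if normalize(vendor) in n:
            vendor_hit = vendor
        for model in models:
            nm = normalize(model)
            if nm in n and (best is None or len(nm) > best[0]):
                best = (len(nm), vendor, model)
    if best:
        return "CONFIRMED", best[1], best[2]
    if vendor_hit:
        return "SAME_VENDOR", vendor_hit, None      # vendor listed, model not tested
    return "UNVERIFIED", None, None                 # not on the list; not proof of safety


def triage(paired_output: str) -> list:
    """Classify every paired device in a bluetoothctl listing."""
    return [Finding(mac, name, *classify(name))
            for mac, name in parse_paired_devices(paired_output)]


def describe(f: Finding) -> str:
    if f.status == "CONFIRMED":
        return f"{f.status:<12} {f.mac}  {f.name}  -> {f.vendor} {f.model}"
    if f.status == "SAME_VENDOR":
        return f"{f.status:<12} {f.mac}  {f.name}  -> {f.vendor}, model not in the tested list"
    return f"{f.status:<12} {f.mac}  {f.name}  -> not on the list (not proof of safety)"


if __name__ == "__main__":
    # Pipe real output in: bluetoothctl paired-devices | python3 airoha_triage.py
    # With no input on stdin the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PAIRED
    for finding in triage(data):
        print(describe(finding))
```

Treat UNVERIFIED as "not tested", not "safe": the list covers only devices the researchers had on their bench, names can be edited by the user, and some vendors ship a bare model number without the brand, which is why a brand-only SAME_VENDOR match is reported separately.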

What Can an Attacker Do?

This isn’t about degraded audio quality; this is about full control of the device.

Capabilities include:

  • Reading RAM: extract information such as what media is currently playing
  • Eavesdropping: hijack the Bluetooth audio profiles to listen in through the microphone
  • Trust hijacking: use extracted link keys to impersonate the headphones to a previously paired phone
  • Command injection: make calls or access contacts through spoofed profiles (for example hands-free)
  • Firmware manipulation: install malicious code, or build a self-spreading “worm” that hops from device to device

The only requirement is proximity: the attacker has to be within Bluetooth range, roughly 10 meters for typical hardware.

Real-World Scenarios

Let’s be clear: this isn’t an internet worm. You won’t get popped while scrolling Spotify in bed. But the threat becomes very real if you are:

  • A journalist, political dissident, or whistleblower
  • Working in sensitive government or corporate roles
  • A VIP or frequent conference attendee

For high-value targets, stealthy surveillance, call injection, or contact theft are realistic outcomes.

The Supply Chain Nightmare

The bigger issue here? The Bluetooth audio ecosystem is a black box:

  • Device manufacturers often don’t know which chipset is inside the Bluetooth module they buy
  • Airoha SDKs are reused across hundreds of models
  • Debug features were left enabled in production, and nobody noticed, or cared
  • Many devices lack any firmware update mechanism at all

Even with a fix in hand, some devices may never be patched.

Patch Status

Airoha released an updated SDK containing the fixes on June 4, 2025. From there, it is up to each device vendor to:

  1. Integrate the fix into their firmware
  2. Build and test new versions
  3. Deliver updates to end users

At the time of writing, no vendor has confirmed a public firmware update. It could take weeks, or it may never happen for cheaper or end-of-life products.

Disclosure Timeline (Summarized, 2025)

  • Mar 25 – ERNW reports issue to Airoha
  • Apr 24 – No response; vendors contacted directly
  • May 27 – First contact from Airoha
  • Jun 4 – SDK fix released to vendors
  • Jun 26 – Public disclosure at TROOPERS

TL;DR

  • Airoha-powered Bluetooth devices have critical flaws
  • Attackers can hijack headphones without pairing
  • Confirmed affected: Sony, Marshall, Bose, JBL, Jabra, and more
  • Real threat for high-value targets in Bluetooth range
  • Fixes exist at the SDK level, but no device firmware patches yet
  • For now:
    • Unpair affected devices from phones and laptops (the stored pairing is what an attacker with an extracted link key can impersonate)
    • Avoid Bluetooth use in sensitive settings
    • Wait (and hope) for firmware updates

Subscribe to the channel: youtube.be/@AngryAdmin 🔥

🚨Dive into my blog: angrysysops.com

🚨Snapshots 101: a.co/d/fJVHo5v

🌐Connect with us:

💻Website: angrysysops.com

🔥vExpert info: vExpert Portal

Please leave a comment.