CERT-In Alert: Cybercriminals May Steal Your Headphones Without Your Knowledge and May Be Monitoring You

The Type of Vulnerabilities: Complete Access, No Pairing

 The following vulnerabilities are listed under the upcoming CVE IDs:

CVE-2025-20700: GATT Services Lack Authentication
CVE-2025-20701: Bluetooth BR/EDR Authentication Is Missing
Abuse of Critical Capabilities in a Custom Protocol (CVE-2025-20702)

 Researchers found that RFCOMM over Bluetooth Classic and BLE GATT disclose a robust internal protocol in many Airoha-powered devices.  Without requiring authentication, this protocol enables read/write access to flash storage and RAM.  In practical terms, this implies that an attacker within 10 meters of the device's Bluetooth range might possibly take control of the headphone, access personal information, or pose as the device to the phone it is associated with.

Impacted Devices: Entry-Level to Flagships
 Numerous well-known headphone models are impacted by the extensive use of Airoha SoCs in the audio business.  Device flaws from Sony, Marshall, Jabra, JBL, Bose, Teufel, and other manufacturers were verified by ERNW.

 Among the verified models that are at risk are:

 WF-1000XM3/XM4/XM5 Sony WH-1000XM4/XM5/XM6

 Marshall Major V, WOBURN III, and MOTIF II

 The Jabra Elite 8 Active

 QuietComfort Earphones by Bose

 Race 2 of JBL Endurance / Live Buds 3

 Amiron 300 Beyerdynamic

 Teufel TATWS2

This is a serious and pervasive issue because the flaws impact both flagship high-end gadgets and low-cost variants.

Attacks to Prove a Concept: From Call Hijacking to Eavesdropping

 Researchers from ERNW presented a number of concerning assault scenarios:

 Live eavesdropping is the practice of connecting to the device via the Hands-Free Profile (HFP) vulnerability in order to listen to microphone input, even when the user is unaware of it.

 Media Snooping: Using live RAM data scraping to determine what audio content is playing at the moment.

 Call Injection: Attackers can pose as headphones to a phone they have already paired, make calls, and possibly listen in on conversations around the phone by removing the Bluetooth link keys from the headphones.

 Data extraction: Including contact information, phone numbers, and call logs in specific combinations.

Blind Spots in the Supply Chain and Wormability

 Researchers cautioned that the vulnerabilities are wormable, meaning that malicious code might potentially move via Bluetooth from one device to another in addition to individual attacks.  Additionally, some vendors are not aware that they are employing Airoha SoCs because of the disjointed hardware supply chain, particularly when modules are purchased from outside developers.

What Customers Need to Know: Could You Be in Danger?

 Although the vulnerabilities are technically serious, close proximity is necessary for successful exploitation.  Real-world attacks are probably more intricate and targeted than remote or random ones, yet Bluetooth has a limited range.

 High-risk users consist of:

 Political dissidents and journalists
 Diplomats and government representatives
 Leaders in delicate sectors
 Before using the impacted headphones in delicate situations, experts advise the general public to disconnect Bluetooth pairings and wait for firmware updates.

Patch Status and Reaction from the Vendor

 Early in June 2025, Airoha made a patched SDK available to vendors.
 Firmware upgrades are increasingly integrated and distributed by device manufacturers.

 To yet, suppliers have not publicly acknowledged any corrected firmware.

 Consumers may be unaware that many lower-end or end-of-life items would never receive patches due to the sluggish patch delivery observed in previous SoC vulnerabilities.

Timeline for Disclosure (Summary)

 Airoha received the first report of vulnerabilities on March 25, 2025.

 April 2025: Researchers contact impacted vendors directly after receiving no response.

 Airoha reacts on May 27, 2025, and synchronized mitigation gets underway.

 SDK with fixes made available to suppliers on June 4, 2025.

 In the upcoming months, ERNW is anticipated to provide a comprehensive technical analysis and whitepaper.

Bluetooth Security vs. Convenience

 This revelation highlights a more serious problem with consumer electronics: cost and convenience sometimes take precedence above security.  A wide variety of audio products are powered by Airoha's SoCs, but systemic flaws in secure development and supply chain transparency are reflected in their disclosure of potent low-level protocols without authentication.

 Users, particularly those in high-risk occupations, should think twice before using Bluetooth audio devices in delicate environments until suppliers provide fixes.