CERT-In Alert: Cybercriminals May Hijack Your Headphones Without Your Knowledge and Eavesdrop on You
Security researchers have found serious flaws in Bluetooth earbuds and headphones built on Airoha Systems-on-Chip (SoCs). The vulnerabilities were reported by the security firm ERNW and presented at this year's TROOPERS conference. Both Bluetooth Low Energy (BLE) and Bluetooth BR/EDR (Classic) attack paths are affected: without any pairing, an attacker in radio range gets low-level read/write access to the device's memory and, from there, can potentially turn on the phone the headphones are paired with.

The Vulnerabilities: Full Access, No Pairing Required
The flaws have been assigned the following CVE IDs:
CVE-2025-20700: Missing authentication for GATT services
CVE-2025-20701: Missing authentication for Bluetooth BR/EDR
CVE-2025-20702: Critical capabilities exposed by a custom protocol
The researchers found that many Airoha-based devices expose a powerful vendor-specific protocol over BLE GATT and over RFCOMM on Bluetooth Classic. The protocol requires no authentication and allows reading and writing of both RAM and flash storage. In practice, an attacker within Bluetooth range of the device (roughly 10 meters) could take control of the headphones, read the data they hold, or impersonate them to the phone they are paired with.
Impacted Devices: Entry-Level to Flagship
Because Airoha SoCs are used throughout the audio industry, numerous well-known headphone models are affected. ERNW verified the flaws in devices from Sony, Marshall, Jabra, JBL, Bose, Beyerdynamic, Teufel and other manufacturers.
Among the verified models at risk are:
Sony WF-1000XM3/XM4/XM5 and WH-1000XM4/XM5/XM6
Marshall Major V, Woburn III and Motif II
Jabra Elite 8 Active
Bose QuietComfort Earbuds
JBL Endurance Race 2 and Live Buds 3
Beyerdynamic Amiron 300
Teufel TATWS2
The issue is serious and pervasive because the flaws affect both high-end flagship devices and budget models.
Proof-of-Concept Attacks: From Call Hijacking to Eavesdropping
ERNW researchers demonstrated several worrying attack scenarios:
Live eavesdropping: connecting to the headphones over the Hands-Free Profile (HFP) and listening to the microphone input without the user noticing.
Media snooping: reading live RAM contents to determine what audio the user is currently playing.
Call hijacking: by extracting the Bluetooth link keys from the headphones' memory, an attacker can impersonate the headphones to the already-paired phone, place calls, and potentially listen in on conversations near the phone.
Data extraction: in certain device and phone combinations, contact information, phone numbers and call logs.
Supply-Chain Blind Spots and Wormability
The researchers cautioned that the vulnerabilities are wormable in principle: malicious code could spread over Bluetooth from one compromised device to another rather than being limited to one-off attacks. They also noted that, because of the fragmented hardware supply chain, some vendors do not even know they are shipping Airoha SoCs, particularly when they buy finished modules from third-party developers.
What Customers Need to Know: Are You at Risk?
Although the vulnerabilities are technically serious, exploiting them requires proximity: the attacker must be within Bluetooth range of the headphones. Real-world attacks are therefore more likely to be targeted and labor-intensive than remote or opportunistic.
High-risk users include:
Journalists and political dissidents
Diplomats and government officials
Executives in sensitive industries
Until firmware updates arrive, experts advise users to avoid using the affected headphones in sensitive situations; removing the pairing and powering the headphones off when they are not needed limits the exposure in the meantime.
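A quick way to act on the two sections above is to check which of your paired devices are on the affected list. The script below is an added example, not code from the article, ERNW or CERT-In: it parses the plain-text output of the Linux `bluetoothctl devices` and `bluetoothctl info <MAC>` commands and flags paired devices whose name matches one of the verified models named in this article. The model table is this article's partial list (ERNW's full list is longer), the name matching is a heuristic, and the sample `bluetoothctl` output at the bottom is constructed so the script runs offline.

```python
"""Flag paired Bluetooth audio devices that match the article's affected-model list.

Added example, not code from the original article, ERNW or CERT-In. It parses the
plain-text output of the Linux `bluetoothctl devices` and `bluetoothctl info <MAC>`
commands and reports paired devices whose name matches a verified model. The model
table is the article's partial list (ERNW's full list is longer), and the sample
outputs at the bottom are constructed so the script runs offline.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Vendor -> regex patterns for the models named in the article. Name matching is a
# heuristic: devices may advertise a shortened or prefixed name (e.g. "LE_WH-1000XM5"),
# and successor models with similar names may be flagged too, so confirm against ERNW's list.
AFFECTED_MODELS: Dict[str, List[str]] = {
    "Sony": [r"WF-1000XM[345]", r"WH-1000XM[456]"],
    "Marshall": [r"Major V", r"Woburn III", r"Motif II"],
    "Jabra": [r"Elite 8 Active"],
    "Bose": [r"QuietComfort Earbuds"],
    "JBL": [r"Endurance Race 2", r"Live Buds 3"],
    "Beyerdynamic": [r"Amiron 300"],
    "Teufel": [r"TATWS2"],
}

DEVICE_LINE = re.compile(r"^Device\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*)$")
INFO_LINE = re.compile(r"^\s*([A-Za-z]+):\s*(.*?)\s*$")


def match_affected(name: str) -> Optional[str]:
    """Return 'Vendor <matched model>' if the device name matches an affected model, else None."""
    for vendor, patterns in AFFECTED_MODELS.items():
        for pattern in patterns:
            m = re.search(pattern, name, re.IGNORECASE)
            if m:
                return f"{vendor} {m.group(0)}"
    return None


def parse_info(info_text: str) -> Dict[str, str]:
    """Turn `bluetoothctl info` output into a dict of 'Key: value' fields (UUID lines skipped)."""
    fields: Dict[str, str] = {}
    for line in info_text.splitlines():
        m = INFO_LINE.match(line)
        if m and m.group(1) != "UUID":
            fields[m.group(1)] = m.group(2)
    return fields


def audit_devices(devices_text: str, info_for: Callable[[str], str]) -> List[Dict[str, str]]:
    """devices_text is `bluetoothctl devices` output; info_for(mac) returns `bluetoothctl info <mac>`.

    Only devices that are actually paired are reported: a device that was merely seen in a
    scan shares no link key with this host, and the link key is what the call-hijacking
    scenario in the article abuses.
    """
    findings: List[Dict[str, str]] = []
    for line in devices_text.splitlines():
        m = DEVICE_LINE.match(line)
        if not m:
            continue
        mac, listed_name = m.group(1), m.group(2).strip()
        fields = parse_info(info_for(mac))
        if fields.get("Paired") != "yes":
            continue
        name = fields.get("Name", listed_name)
        model = match_affected(name)
        if model:
            findings.append({"mac": mac, "name": name, "model": model,
                             "connected": fields.get("Connected", "unknown")})
    return findings


def bluetoothctl(*args: str) -> str:
    """Run bluetoothctl non-interactively and return its stdout (Linux/BlueZ only)."""
    return subprocess.run(["bluetoothctl", *args], capture_output=True, text=True, check=False).stdout


def audit_live() -> List[Dict[str, str]]:
    """Audit the paired devices of the local adapter."""
    return audit_devices(bluetoothctl("devices"), lambda mac: bluetoothctl("info", mac))


# Constructed sample output in the bluetoothctl format (not captured from a real host).
SAMPLE_DEVICES = """Device AA:BB:CC:DD:EE:01 WH-1000XM4
Device AA:BB:CC:DD:EE:02 Pixel Buds Pro
Device AA:BB:CC:DD:EE:03 LE_WF-1000XM5
"""
SAMPLE_INFO = {
    "AA:BB:CC:DD:EE:01": "Device AA:BB:CC:DD:EE:01 (public)\n\tName: WH-1000XM4\n\tPaired: yes\n"
                         "\tConnected: yes\n\tUUID: Handsfree   (0000111e-0000-1000-8000-00805f9b34fb)\n",
    "AA:BB:CC:DD:EE:02": "Device AA:BB:CC:DD:EE:02 (public)\n\tName: Pixel Buds Pro\n\tPaired: yes\n\tConnected: no\n",
    "AA:BB:CC:DD:EE:03": "Device AA:BB:CC:DD:EE:03 (random)\n\tName: WF-1000XM5\n\tPaired: no\n\tConnected: no\n",
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call audit_live() instead on a Linux host.
    for f in audit_devices(SAMPLE_DEVICES, lambda mac: SAMPLE_INFO[mac]):
        print(f"{f['mac']}  {f['name']:<20} -> {f['model']} (connected: {f['connected']})")
```

On the sample data only the paired WH-1000XM4 is reported; the WF-1000XM5 was seen but never paired, so it holds no link key for this host and is skipped. A hit means the pairing is worth removing (`bluetoothctl remove <MAC>`) until the vendor ships fixed firmware; a miss does not prove a device is safe, since the table above covers only the models this article names.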
Patch Status and Vendor Response
Airoha released a patched SDK to vendors in early June 2025.
Device manufacturers must now integrate the fix into their own firmware and distribute updates to users.
As of this writing, no vendor has publicly confirmed releasing fixed firmware.
Given the slow patch delivery seen with previous SoC-level vulnerabilities, many lower-end or end-of-life products may never be patched, and their owners may not realize it.
Disclosure Timeline (Summary)
March 25, 2025: the vulnerabilities are first reported to Airoha.
April 2025: having received no response, the researchers contact affected vendors directly.
May 27, 2025: Airoha responds and coordinated mitigation begins.
June 4, 2025: SDK with fixes released to vendors.
ERNW is expected to publish a full technical analysis and whitepaper in the coming months.
Bluetooth Security vs. Convenience
The disclosure highlights a broader problem in consumer electronics: cost and convenience often take precedence over security. Airoha's SoCs power a wide range of audio products, and exposing powerful low-level protocols without any authentication reflects systemic weaknesses in secure development and in supply-chain transparency.
Users, particularly those in high-risk roles, should think twice before using Bluetooth audio devices in sensitive settings until vendors ship fixes.