Zero-day: Bluetooth gap turns millions of headphones into listening stations

The Bluetooth chipset installed in popular models from major manufacturers is vulnerable. Hackers could use it to initiate calls and eavesdrop on devices.

The connection between wireless headphones and smartphones is the target of the new Bluetooth attack.

(Image: Shutterstock/carballo)


A serious security vulnerability in many Bluetooth headphones allows attackers to read data from the devices remotely and take over connections. This was discovered by researchers from the German security company ERNW. They presented their discovery at this year's edition of the TROOPERS security conference. Millions of devices from various manufacturers are suspected to be affected; updates to resolve the problem are not yet available. Nevertheless, the researchers are reassuring: although attacks are possible, the target group for attacks is limited.

The vulnerabilities are located in Bluetooth SoCs (systems-on-chip) from the Taiwanese manufacturer Airoha, which are particularly popular in “True Wireless Stereo” (TWS) headphones. Using Airoha chips, small in-ear headphones can reproduce stereo sound from playback devices such as smartphones without latency. Well-known manufacturers such as Sony, JBL, Marshall, and Bose use them in some of their products, but also install Bluetooth technology from other suppliers.

Airoha has equipped its Bluetooth chips with a proprietary protocol that allows the devices' working memory (RAM) and flash memory to be manipulated over the air. The protocol, reachable via Bluetooth Low Energy (BLE) as well as via “classic” Bluetooth (BR/EDR), is presumably intended for interaction with manufacturer apps, but it was also an invitation to curious security researchers. They were able to remotely take over headphones from various manufacturers – without logging into an app or going through the usual Bluetooth “pairing”. With full access to the earbuds' flash and RAM, they could also take over the connections to other devices, such as the user's own smartphone.

By reading the working memory of the Bluetooth chip, the researchers could initially find out which media the user was currently playing, such as a podcast or a piece of music. This attack is laborious, however: because the memory addresses differ from device to device, the researchers could not simply read data from arbitrary headphones in, say, a crowded bus, but had to adapt their attack to each model. On Android devices, the experts were also able to read the phone number of the device and incoming calls, and sometimes even the call history and the phone's address book.

The ERNW researchers were able to read out what music is played on headphones with an Airoha chipset, here a song by Lady Gaga

(Image: ERNW)

The researchers could take over the connection between the phone and the headphones by copying the cryptographic key of the Bluetooth connection from the headphones. Then they have many options – they can initiate or reject calls, launch voice assistants such as Siri and Gemini, and eavesdrop on the victim using multiple methods. An eavesdropping attack converts the headphones into bugs: the attackers impersonate the connected smartphone to the headphones and redirect the sound recorded by the headphones' microphone to themselves. However, as many wireless earbuds only maintain a connection to a single device, this attack is easy to detect. The victim suddenly stops hearing music or calls on their headphones and is likely to quickly become suspicious.

The second method simulates a headset on the phone and tricks it into making a call to the attackers. If the victim is not paying attention to their smartphone, the Bluetooth spies can now listen in to everything that happens within earshot of the device.

Even if these attacks seem frightening on paper, the ERNW researchers are reassuring: many conditions must be met to carry out an eavesdropping attack. First and foremost, the attacker(s) must be within range of the Bluetooth short-range radio; an attack via the Internet is not possible. They must also carry out several technical steps without attracting attention. And they must have a reason to eavesdrop on the Bluetooth connection, which, according to the discoverers, is only conceivable for a few target people. For example, celebrities, journalists or diplomats, but also political dissidents and employees in security-critical companies are possible targets.

There is disagreement between the discoverers and the manufacturer Airoha about the severity of the vulnerabilities. The researchers rate one vulnerability as critical (CVE-2025-20702, CVSS 9.6/10) and two as high-risk (CVE-2025-20700 and CVE-2025-20701, both CVSS 8.8/10); Airoha disagrees, citing the complexity of the attacks and, in its opinion, the lack of impact on the connected cell phone.

Airoha has reserved a total of three CVE IDs for the vulnerabilities:

  • CVE-2025-20702: CVSS 9.6/10 (risk “critical” disputed, see above): Critical features of the proprietary Airoha protocol
  • CVE-2025-20700: CVSS 8.8/10 (risk “high”): Missing authentication for the GATT service
  • CVE-2025-20701: CVSS 8.8/10 (risk “high”): Missing authentication for Bluetooth pairing
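As an added illustration (not ERNW's findings and not Airoha's real protocol, whose frame layout and opcodes are not public), the following Python models a vendor command handler on the headphone side: with enforce=False it behaves like the bug class described above and answers memory read/write commands on any connected link, and with enforce=True it refuses them unless the link is authenticated and encrypted, which is the kind of check whose absence CVE-2025-20700 and CVE-2025-20701 describe. Opcodes, frame format, security levels and the toy RAM image are all constructed for this example.

```python
import struct
from enum import IntEnum

class LinkSecurity(IntEnum):
    NONE = 0           # connected without pairing: no encryption at all
    ENCRYPTED = 1      # encrypted but unauthenticated ("Just Works" pairing)
    AUTHENTICATED = 2  # authenticated (MITM-protected) pairing plus encryption

class Opcode(IntEnum):  # constructed opcodes, not Airoha's
    GET_VERSION = 0x00
    READ_RAM = 0x01
    WRITE_RAM = 0x02

# Minimum link security per command: memory access must require an authenticated link,
# and the same gate must apply on both transports (BLE and BR/EDR).
REQUIRED = {Opcode.GET_VERSION: LinkSecurity.NONE,
            Opcode.READ_RAM: LinkSecurity.AUTHENTICATED,
            Opcode.WRITE_RAM: LinkSecurity.AUTHENTICATED}
FRAME = struct.Struct("<BIH")  # opcode, address, length (constructed frame layout)
SAMPLE_RAM = bytearray(range(256))  # constructed toy memory image

def build_frame(op: Opcode, addr: int, length: int, payload: bytes = b"") -> bytes:
    return FRAME.pack(op, addr, length) + payload

def dispatch(security: LinkSecurity, frame: bytes, ram: bytearray,
             enforce: bool = True) -> tuple[str, bytes]:
    # enforce=False reproduces the reported bug class: any connected peer may read or
    # write memory. enforce=True is the hardened handler.
    if len(frame) < FRAME.size:
        return "bad_frame", b""
    op_raw, addr, length = FRAME.unpack_from(frame)
    try:
        op = Opcode(op_raw)
    except ValueError:
        return "bad_frame", b""
    if enforce and security < REQUIRED[op]:
        return "denied", b""  # refuse before touching memory
    if op is Opcode.GET_VERSION:
        return "ok", b"fw-1.0"  # constructed version string
    if addr + length > len(ram):  # bounds check regardless of link security
        return "bad_range", b""
    if op is Opcode.READ_RAM:
        return "ok", bytes(ram[addr:addr + length])
    if len(frame) - FRAME.size != length:
        return "bad_frame", b""  # payload must match the declared length
    ram[addr:addr + length] = frame[FRAME.size:]
    return "ok", b""
```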

It is unclear how many devices worldwide are affected by the vulnerability. Attackers could potentially turn millions of devices into bugs or read their memory. As the researchers emphasize in their blog article, they have only been able to test a small proportion of all suspected affected Bluetooth headphone models. However, the following models are definitely vulnerable, although in some cases only to a subset of the attacks against Airoha chips.

Manufacturer   Model(s)
Beyerdynamic   Amiron 300
Bose           Quiet Comfort Earbuds
earisMax       Bluetooth Auracast Sender
Jabra          Elite 8 Active
Xiaomi         Redmi Buds 5 Pro
Jlab           Epic Air Sport ANC
JBL            Live Buds 3, Endurance Race 2
Marshall       Woburn III, Stanmore III, Acton III, Major IV and V, Minor IV, Motiv II
MoerLabs       EchoBeatz
Sony           WH-1000XM4, WH-1000XM5, WH-1000XM6, WF-1000XM3, WF-1000XM4, WF-1000XM5, WH-CH520, WH-CH720N, WH-XB910N, WI-C100, WF-C510-GFP, WF-C500, Link Buds S, ULT Wear
Teufel         Airy TWS 2

The ERNW researchers suspect that over 100 different device types could be affected. However, it is not possible for them to make a comprehensive assessment, as Airoha chips are built into many Bluetooth devices without being identifiable from the outside. The experts go on to explain that some manufacturers are not even aware that their devices contain the Taiwanese manufacturer's chips, because they have outsourced some development to subcontractors. The major manufacturers Sony, Bose, and JBL have a combined market share of 20 percent of the 1.4 billion headphones sold last year, but only a few of their models are vulnerable. Nevertheless, even if it is only one percent of total sales, this still amounts to around three million vulnerable devices.

Apple, the top dog among headphone manufacturers with a 22 percent market share, is not impacted this time (although it had its problems with its wireless headphones last year). Original AirPods do not contain Airoha chips, but various replicas from Chinese manufacturers, which are offered on online marketplaces of varying trustworthiness, do.

In their presentation at the TROOPERS security conference, the discoverers criticized the manufacturer Airoha. Although Airoha promised on its information page for security researchers to respond within three to five days and to support PGP-encrypted emails, neither was the case. Although the security researchers sent detailed information about the vulnerability to Airoha as early as March 25 of this year, it took until the end of May — another two months — for the Taiwanese company to respond. Of the three headphone manufacturers contacted, only one responded to the security notice. Nevertheless, one week later, on June 4, 2025, Airoha provided its customers with updated software development kits (SDK) that corrected the error.

However, it remains unclear whether, and when, Sony, JBL and the other manufacturers will fix the vulnerability in firmware updates. During the research for this article, we checked the headphone models in the overview of affected devices that ERNW provided to us. For just under half of the devices we were unable to find any information on firmware updates, as these are only released to headphone owners via the manufacturer's app. For all other devices, the latest firmware is dated May 27, 2025, or older, i.e., it was released before Airoha updated its SDK. This means that the bug has probably not yet been fixed on the vast majority of devices and is therefore a “zero day”.

The researchers are therefore still holding back details of the technical implementation, let alone a “proof of concept” exploit. These will follow once manufacturer updates are available and headphone owners can protect their devices against Bluetooth attacks. Because firmware updates are usually delivered through the manufacturer's app, which many owners rarely or never use in everyday life, it is likely to take a long time before the bug is fixed. To make matters worse, some device types may no longer be manufactured or supplied with updates.

(cku)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.