Bluetooth Vulnerabilities Let Hackers Spy on Your Headphones and Earbuds

Researchers have uncovered severe security flaws in Bluetooth headphones, earbuds, and other audio devices from major brands that let an attacker take control of them without pairing or any form of authentication. Worse, the flaws allow an attacker within Bluetooth range (roughly 10 meters) to eavesdrop through the microphone, extract stored secrets such as link keys, impersonate the device to its owner's phone and, in theory, push malicious code to other vulnerable devices nearby.

Main Takeaways

  • Critical vulnerabilities in devices built on Airoha Bluetooth SoCs allow reading and writing device memory (RAM and flash) over BLE GATT and Bluetooth Classic RFCOMM without any pairing.
  • Affected brands include Sony, Bose, Marshall, Beyerdynamic, Jabra, JBL, and others.
  • Airoha supplied fixes to device manufacturers in June 2025, but as of this writing no firmware updates have been released to end users.

Researchers at ERNW found flaws affecting Bluetooth audio devices (headphones, earbuds, speakers) built on Airoha SoCs (Systems on Chip).
The vulnerabilities allow an attacker within roughly 10 meters to reach the device over Bluetooth Low Energy (BLE) GATT, Bluetooth Classic (RFCOMM), and a vendor-specific protocol exposed over both, and to:

  • Read and write device memory (RAM and flash).
  • Extract the stored Bluetooth link keys (the secrets that authenticate bonded devices to each other).
  • Impersonate the audio device to the phone or other trusted devices it is bonded with.
  • Set up a Hands-Free Profile (HFP) connection the owner never authorized and capture microphone audio.

Scope

Some of the affected models include:

  • Sony: WH-1000XM4, WH-1000XM5, WF-1000XM5, WF-C500
  • Marshall: ACTON III, MAJOR V, MINOR IV, STANMORE III
  • Bose QuietComfort Earbuds; Beyerdynamic Amiron 300; Jabra Elite 8 Active; plus various JBL models.
  • Wireless speakers, dongles, and pro audio gear are also affected. In several cases the manufacturers themselves were unaware that their products contain an Airoha SoC.

Vulnerability Details

CVE               Name / Description                            Impact                                                            CVSS score
CVE-2025-20700    Missing Authentication for GATT Services      Read/write device memory; access sensitive data                   8.8 (High)
CVE-2025-20701    Missing Authentication for Bluetooth BR/EDR   Full device takeover over Classic Bluetooth                       8.8 (High)
CVE-2025-20702    Critical Capabilities of a Custom Protocol    Full RAM and flash access, link key extraction, impersonation     9.6 (Critical)

These vulnerabilities let an attacker operate without ever having paired with, or been accepted by, the Bluetooth device; being within radio range is enough.
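To make the GATT side of the finding concrete, the following added Python example (written for this page, not code from Airoha, ERNW, or any affected vendor) models the permission check a BLE GATT server performs before serving an ATT read or write, and runs it against a weak attribute table beside a hardened one. The ATT error codes are the real ones from the Bluetooth Core Specification; the "memory_access" characteristic, its UUID, and the three peer links are hypothetical placeholders, since the page does not give the actual attribute handles or UUIDs.

```python
from dataclasses import dataclass
from enum import IntFlag

# ATT error codes (Bluetooth Core Specification, Vol 3, Part F, Section 3.4.1.1).
ATT_SUCCESS = 0x00
ATT_READ_NOT_PERMITTED = 0x02
ATT_WRITE_NOT_PERMITTED = 0x03
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_INSUFFICIENT_AUTHORIZATION = 0x08
ATT_INSUFFICIENT_ENCRYPTION = 0x0F


class Perm(IntFlag):
    """Attribute permissions a GATT server attaches to each characteristic."""
    READ = 0x01
    WRITE = 0x02
    ENCRYPT = 0x04        # requires an encrypted link (any pairing, even Just Works)
    AUTHENTICATE = 0x08   # requires a key from an authenticated (MITM-protected) pairing
    AUTHORIZE = 0x10      # requires application-level approval of this particular peer


@dataclass(frozen=True)
class Characteristic:
    name: str
    uuid: str
    perms: Perm


@dataclass(frozen=True)
class Link:
    """Security state of one ATT connection, as the host stack tracks it."""
    peer: str
    encrypted: bool = False
    authenticated: bool = False
    authorized: bool = False


def check_access(ch: Characteristic, link: Link, op: str) -> int:
    """Return the ATT error code (0 = success) for `op` ('read'/'write') on `ch` over `link`.

    Base permission is checked first, then encryption, authentication and
    authorization, so the most specific missing requirement is reported.
    """
    if op == "read" and not ch.perms & Perm.READ:
        return ATT_READ_NOT_PERMITTED
    if op == "write" and not ch.perms & Perm.WRITE:
        return ATT_WRITE_NOT_PERMITTED
    if ch.perms & Perm.ENCRYPT and not link.encrypted:
        return ATT_INSUFFICIENT_ENCRYPTION
    if ch.perms & Perm.AUTHENTICATE and not link.authenticated:
        return ATT_INSUFFICIENT_AUTHENTICATION
    if ch.perms & Perm.AUTHORIZE and not link.authorized:
        return ATT_INSUFFICIENT_AUTHORIZATION
    return ATT_SUCCESS


# Hypothetical vendor "memory access" characteristic; placeholder UUID, not a real Airoha one.
MEM_UUID = "0000ff01-0000-1000-8000-00805f9b34fb"
BATTERY_UUID = "00002a19-0000-1000-8000-00805f9b34fb"  # standard Battery Level characteristic

# Weak table: the memory-access characteristic is open to any connected peer,
# which is the class of bug CVE-2025-20700 ("missing authentication") describes.
WEAK_TABLE = {
    "battery_level": Characteristic("battery_level", BATTERY_UUID, Perm.READ),
    "memory_access": Characteristic("memory_access", MEM_UUID, Perm.READ | Perm.WRITE),
}

# Hardened table: same characteristic, now gated on an encrypted, authenticated
# and application-authorized link.
HARDENED_TABLE = {
    "battery_level": WEAK_TABLE["battery_level"],
    "memory_access": Characteristic(
        "memory_access", MEM_UUID,
        Perm.READ | Perm.WRITE | Perm.ENCRYPT | Perm.AUTHENTICATE | Perm.AUTHORIZE),
}

# Constructed peers: an unpaired attacker in range, a peer that paired with
# Just Works (encrypted but not MITM-protected), and the owner's bonded phone.
ATTACKER = Link(peer="unpaired-attacker")
JUST_WORKS_PEER = Link(peer="just-works-peer", encrypted=True)
OWNER_PHONE = Link(peer="bonded-phone", encrypted=True, authenticated=True, authorized=True)


def attempt_memory_write(table: dict, link: Link) -> int:
    """Simulate an ATT Write Request to the memory-access characteristic."""
    return check_access(table["memory_access"], link, "write")


def attempt_memory_read(table: dict, link: Link) -> int:
    """Simulate an ATT Read Request on the memory-access characteristic."""
    return check_access(table["memory_access"], link, "read")


if __name__ == "__main__":
    for label, table in (("weak", WEAK_TABLE), ("hardened", HARDENED_TABLE)):
        for link in (ATTACKER, JUST_WORKS_PEER, OWNER_PHONE):
            rc = attempt_memory_write(table, link)
            print(f"{label:8s} {link.peer:18s} write -> 0x{rc:02X}")
```

With the weak table, a peer that never paired gets 0x00 and its write is served; that is the whole finding on the GATT side. The hardened table answers the same request with 0x0F, and the Just Works peer still gets 0x05, because encryption alone does not prove who is on the other end of the link; only a MITM-protected pairing plus application-level authorization does. The fix is therefore not a new protocol but attaching those requirements to every sensitive attribute and rejecting the request with the matching ATT error.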

Impact

  • Eavesdrop through the microphone over the Hands-Free Profile (HFP).
  • Capture what the device is currently playing, or issue media commands (play, stop, share) on the owner's behalf.
  • Extract the stored link keys to impersonate the device to the owner's phone and retain access even after the attacker's own connection drops.
  • In theory, push malicious code to other nearby vulnerable devices through the same unauthenticated GATT services ("wormable" behavior).

High-value individuals (journalists, diplomats, business leaders) are especially at risk.

Mitigation

  • Monitor the device maker's website or support portal for a firmware update and install it as soon as it is available.
  • If you believe you are a likely target, unpair the device from your phone (or stop using it) until a fix ships; a stolen link key is only useful against a phone that still trusts it.
  • Limit the device's Bluetooth exposure; turn Bluetooth off when it is not needed.
  • Use the device in environments where a nearby attacker is less likely.
  • Watch for unusual behavior: the microphone or a call activating on its own, unknown connections in the phone's Bluetooth settings, and similar signs.
