Serious Bluetooth Zero-Day Vulnerability: Millions of Headphones Could Be Turned Into Unauthenticated "Eavesdropping Devices"


Security researchers at the German firm ERNW have found serious vulnerabilities in the Bluetooth chips used by millions of headphones and earbuds. The flaws let an attacker within radio range eavesdrop on conversations, take control of the device, and reach data on the paired phone, all without authentication or pairing. At the time of writing the finding is a zero-day from the user's point of view: there is no patch an end user can install, because any fix has to ship as a firmware update from each headphone manufacturer.
Origin and Scope of Impact
Findings from TROOPERS 2025
The vulnerabilities were discovered by ERNW's research team while studying Bluetooth headphones and earbuds. The findings were presented at the TROOPERS 2025 security conference in the talk "Headphone Jacking: A Key to Your Phone".
Airoha Chips
The vulnerabilities lie in Bluetooth System-on-Chip (SoC) parts made by Airoha of Taiwan. Airoha is a major supplier in Bluetooth audio, particularly for True Wireless Stereo (TWS) earbuds, where the chip handles the link to the phone and keeps the two independent earpieces playing in sync.
Vulnerability Classification
Three vulnerabilities have been assigned CVE identifiers:

| CVE | Description | CVSS | Severity |
|---|---|---|---|
| CVE-2025-20700 | Missing authentication for the GATT (Generic Attribute Profile) service on BLE | 8.8/10 | High |
| CVE-2025-20701 | Missing authentication for the Bluetooth BR/EDR (Basic Rate/Enhanced Data Rate) protocol | 8.8/10 | High |
| CVE-2025-20702 | Critical capabilities exposed by the proprietary custom protocol (arbitrary memory read and write) | 9.6/10 | Critical |
Technical Mechanism
Protocol
The vulnerabilities stem from a powerful custom protocol in Airoha's Bluetooth SoC. The protocol exists so the vendor's companion apps can talk to the headphones, but it has no access control at all.
Key properties:
Exposed over both Bluetooth Low Energy (as a GATT service) and Bluetooth Classic (BR/EDR, over an RFCOMM channel)
No authentication or pairing required to use it
Lets the connected peer read and write the device's RAM and flash
Attack Methodology
1. Attack Conditions
Physical proximity: The attacker only needs to be within Bluetooth range (usually about 10 meters)
No pairing needed: No authentication or pairing required
High skill level: Requires advanced technical skills to execute
2. Attacker Capabilities
Once successfully connected, a hacker can:
a) Access memory:
Read and write to the device's RAM
Access and modify flash memory
Read media information being played (song names, podcasts)
b) Hijack connection:
Copy the Bluetooth link keys stored in the headphone's memory
Impersonate the headphones to the paired smartphone
Hijack the trust relationship between devices
c) Control calls:
Initiate calls to any number
Block or reject incoming calls
Activate voice assistants (Siri, Google Assistant)
d) Eavesdrop and gather information:
Activate the microphone to eavesdrop
Extract phone numbers and contacts
Read call history (depending on configuration)
Attack Methods
1. Reading Current Media Information
Researchers have demonstrated the ability to read media information currently playing from the headphone's RAM. For example, they can identify the song being played, such as "Free Woman" by Lady Gaga.
Limitation: This attack needs to be customized for each headphone model and specific firmware version because memory addresses vary between devices.
2. Direct Eavesdropping
Technique 1 - Direct HFP Connection:
Establish a Bluetooth Hands-Free Profile (HFP) connection
Listen directly through the headphone's microphone
Drawback: easily noticed, because the headphone's existing connection to the phone is interrupted
Technique 2 - Device Impersonation:
Extract Bluetooth keys from flash memory
Impersonate the headphones to the smartphone
Initiate a call to the attacker's number
Eavesdrop on all sounds around the phone
3. Wormable Exploit
Because vulnerable devices can be identified by their GATT services and the protocol allows firmware to be overwritten, an exploit could in principle propagate from one headphone to another. The researchers describe this as a theoretical possibility.
List of Affected Devices
Major Confirmed Brands
Sony (Most Affected Brand)
Flagship Line: WH-1000XM4, WH-1000XM5, WH-1000XM6
True Wireless: WF-1000XM3, WF-1000XM4, WF-1000XM5
Mid-range: WH-CH520, WH-CH720N, WH-XB910N
Budget: WI-C100, WF-C500, WF-C510-GFP
Latest: Link Buds S, ULT Wear
Marshall (Entire Product Line)
Bluetooth Speakers: Woburn III, Stanmore III, Acton III
Headphones: Major IV, Major V, Minor IV, Motif II
JBL
Live Buds 3, Endurance Race 2
Bose
QuietComfort Earbuds
Other Brands
Jabra: Elite 8 Active
Beyerdynamic: Amiron 300
Xiaomi: Redmi Buds 5 Pro
Teufel: Airy TWS 2
JLab: Epic Air Sport ANC
MoerLabs: EchoBeatz
EarisMax: Bluetooth Auracast Sender
Scale of Impact
According to the researchers' estimates:
More than 100 device models could be affected
Around 3 million devices are vulnerable worldwide
Major brands such as Sony, Bose and JBL together hold about 20% of the market
Many manufacturers do not know that their products use Airoha chips
Important note: Apple AirPods are not affected, because they do not use Airoha chips; counterfeit copies may.
Risk Level
Main Target Audience
Although the vulnerability is technically severe, researchers emphasize that the actual attack is only meaningful for high-value targets:
High-Risk Groups:
Journalists and reporters investigating sensitive issues
Diplomats and government officials
Political activists and opposition
Employees in sensitive industries (defense, finance)
VIPs and celebrities
Limitations of the Attack
Mandatory conditions:
Physical proximity: the attacker must be within Bluetooth range (~10 m)
High technical skill: not something an amateur attacker can carry out
Multiple steps: several technical steps must all succeed without the victim noticing
No remote attack: the attack cannot be carried out over the internet, only from a nearby radio
Real-World Scenarios:
In cafes, buses, the same building
Conferences, public events
Shared workspaces
Recommendations
For Individual Users
Immediate measures:
Limit use of Bluetooth headphones in sensitive environments (meetings, interviews)
Unpair the headphones from your phone; deleting the pairing discards the link key on the phone, so a key an attacker has already copied from the headphone's flash no longer lets them impersonate it
Turn off Bluetooth when not needed
Watch for unusual activity, such as calls you did not place or the headphone connection dropping unexpectedly
Monitor for updates:
Check the manufacturer's companion app regularly
Install firmware updates as soon as they are available
Follow reputable security sources
For Businesses
Audit all Bluetooth devices in the organization
Update policies on personal device usage
Train employees about security risks
Monitor Bluetooth activity in sensitive environments
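As an added example (not code from the article, ERNW, or any headphone vendor), the following Python script covers both the "unpair" advice for individuals above and the device audit for organizations: it parses the output of BlueZ's `bluetoothctl devices` on a Linux host, matches each device name against the affected-model list given earlier in this article, and emits the `bluetoothctl remove` commands that delete the pairing. The sample output, the addresses in it, and the name-normalization rule (case and punctuation ignored) are assumptions made for the example; on other operating systems the parsing step would need to be adapted.

```python
"""Audit a Linux host's known Bluetooth devices against the affected-model list.

Added example for this article, not ERNW's or any vendor's code. It parses the
"Device <address> <name>" lines printed by BlueZ's `bluetoothctl devices`,
matches each name against the models listed above, and prints the
`bluetoothctl remove` commands that drop the pairing. SAMPLE_OUTPUT is
constructed for the example; it was not captured from a real host.
"""
from __future__ import annotations

import re
import shutil
import subprocess
from dataclasses import dataclass

# Models from the article's list. Names are matched after normalization
# (see normalize()), so "Link Buds S" and "LinkBuds S" compare equal.
AFFECTED_MODELS: dict[str, list[str]] = {
    "Sony": ["WH-1000XM4", "WH-1000XM5", "WH-1000XM6", "WF-1000XM3", "WF-1000XM4",
             "WF-1000XM5", "WH-CH520", "WH-CH720N", "WH-XB910N", "WI-C100",
             "WF-C500", "WF-C510",  # the WF-C510-GFP SKU in the list above
             "Link Buds S", "ULT Wear"],
    "Marshall": ["Woburn III", "Stanmore III", "Acton III", "Major IV", "Major V",
                 "Minor IV", "Motif II"],
    "JBL": ["Live Buds 3", "Endurance Race 2"],
    "Bose": ["QuietComfort Earbuds"],
    "Jabra": ["Elite 8 Active"],
    "Beyerdynamic": ["Amiron 300"],
    "Xiaomi": ["Redmi Buds 5 Pro"],
    "Teufel": ["Airy TWS 2"],
    "JLab": ["Epic Air Sport ANC"],
    "MoerLabs": ["EchoBeatz"],
    "EarisMax": ["Bluetooth Auracast Sender"],
}

# bluetoothctl prints one "Device AA:BB:CC:DD:EE:FF Friendly Name" line per device.
DEVICE_LINE = re.compile(r"^Device\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.+)$")

# Constructed sample output; the addresses are made up.
SAMPLE_OUTPUT = """\
Device 38:18:4C:AA:BB:CC WH-1000XM5
Device 04:52:C7:11:22:33 Bose QuietComfort Earbuds
Device AC:12:2F:44:55:66 Link Buds S
Device 00:1A:7D:77:88:99 Logitech MX Keys
Device 40:ED:98:DE:AD:BE Redmi Buds 5 Pro
"""


@dataclass(frozen=True)
class Finding:
    address: str
    name: str
    vendor: str
    model: str


def normalize(text: str) -> str:
    """Lower-case and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def match_affected(name: str) -> tuple[str, str] | None:
    """Return (vendor, model) for the first listed model contained in the name."""
    norm = normalize(name)
    for vendor, models in AFFECTED_MODELS.items():
        for model in models:
            if normalize(model) in norm:
                return vendor, model
    return None


def parse_devices(output: str) -> list[tuple[str, str]]:
    """Extract (address, name) pairs from bluetoothctl output; other lines are ignored."""
    devices = []
    for line in output.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            devices.append((m.group(1).upper(), m.group(2).strip()))
    return devices


def audit(output: str) -> list[Finding]:
    """Known devices whose name matches an affected model, in output order."""
    return [Finding(addr, name, *hit)
            for addr, name in parse_devices(output)
            if (hit := match_affected(name))]


def unpair_commands(findings: list[Finding]) -> list[str]:
    """bluetoothctl commands that delete each pairing (and the stored link key)."""
    return [f"bluetoothctl remove {f.address}" for f in findings]


def live_output() -> str | None:
    """Output of `bluetoothctl devices`, or None if BlueZ is not available here."""
    if shutil.which("bluetoothctl") is None:
        return None
    try:
        proc = subprocess.run(["bluetoothctl", "devices"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout or None


if __name__ == "__main__":
    hits = audit(live_output() or SAMPLE_OUTPUT)
    for f in hits:
        print(f"{f.address}  {f.name:<28} -> {f.vendor} {f.model}")
    for cmd in unpair_commands(hits):
        print("  " + cmd)
```

Run it on each managed Linux workstation and collect the findings centrally; the printed `bluetoothctl remove` commands are deliberately not executed automatically, so an administrator can confirm the match before dropping a pairing. Matching is by substring of the normalized name, which means a device whose Bluetooth name does not contain its model number (some vendors advertise only a brand name) will be missed; pair the name check with the vendor's companion app if a fleet-wide answer is needed.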
Conclusion
The Bluetooth vulnerability in Airoha chips represents one of the most serious security findings in the wireless audio field in 2025. With the ability to turn millions of headphones into eavesdropping devices without authentication, it serves as a warning about the importance of security in the IoT era.
Although the attack requires physical conditions and high skills, the potential impact on high-value targets is undeniable. This incident also highlights the need for comprehensive reform in the technology supply chain, from component transparency to improved security update processes.
For regular users, even though the risk of direct attack is low, raising awareness and keeping up with updates from the manufacturer is essential. For individuals and organizations in sensitive fields, temporarily stopping the use of Bluetooth headphones until an official patch is available is the safest measure.
Written by Đinh Văn Mạnh
