Bluetooth bug turns popular headphones into eavesdropping devices

A newly disclosed set of Bluetooth vulnerabilities in Airoha audio devices could allow attackers to eavesdrop on users, hijack connections, and extract sensitive information — all without the victim's permission.

 

What is the Bluetooth headset vulnerability?

Security researchers at ERNW have disclosed vulnerabilities that highlight serious authentication issues in both the Bluetooth Classic and BLE (Bluetooth Low Energy) services used by the Airoha System-on-Chip (SoC). Affected devices include some of the most popular headphones and earbuds on the market, such as those from Sony, Bose, JBL, Jabra, Marshall, Beyerdynamic, and others.

You may not have heard of Airoha, but judging by the list of headphone manufacturers above, you have definitely used the company's hardware, which is also built into many other products.

There are 3 main problems:

  1. CVE-2025-20700: Missing authentication for GATT Services
  2. CVE-2025-20701: Missing authentication for Bluetooth BR/EDR
  3. CVE-2025-20702: Custom Protocol Critical Capability

One of the bugs (CVE-2025-20702) has been rated as near critical (CVSS 9.6), making this a high-priority issue for security-conscious manufacturers and users.

Combined, these vulnerabilities could allow an attacker to turn a Bluetooth headset into an eavesdropping device, effectively using the headset's onboard microphone as a recording device. With one attack method, the researchers redirected audio so that they could hear the listener's surroundings. A second attack exploited the relationship between paired Bluetooth devices, sending the paired device commands to make a secret call or extract data from the device.

Are your Bluetooth headphones at risk?

Now, here's why you shouldn't worry too much about this Bluetooth vulnerability: Exploits require an attacker to be physically close. Because of the way Bluetooth works—a short-range wireless connection—this is unlikely to be exploited at scale.

The ERNW report identifies the following types of headphones as vulnerable:

| Brand | Product name |
|---|---|
| Beyerdynamic | Amiron 300 |
| Bose | QuietComfort Earbuds |
| EarisMax | Bluetooth Auracast Sender |
| Jabra | Elite 8 Active |
| JBL | Endurance Race 2, Live Buds 3 |
| JLab | Epic Air Sport ANC |
| Marshall | ACTON III, MAJOR V, MINOR IV, MOTIF II, STANMORE III, WOBURN III |
| MoerLabs | EchoBeatz |
| Sony | CH-720N, Link Buds S, ULT Wear, WF-1000XM3, WF-1000XM4, WF-1000XM5, WF-C500, WF-C510-GFP, WH-1000XM4, WH-1000XM5, WH-1000XM6, WH-CH520, WH-XB910N, WI-C100 |
| Teufel | Tatws2 |

But with the Airoha chipset powering millions of Bluetooth audio devices, there are potentially millions of vulnerable devices.

How to keep Bluetooth headphones safe

The most important security advice is to watch for upcoming firmware updates for your Bluetooth headphones or earbuds. Airoha has released fixes for the vulnerabilities, but the ERNW report of June 25, 2025 states: 'we are not aware of any fixed firmware releases.'

Headset manufacturers may be preparing to release the fix along with other fixes as part of a regular patch program, but the fix is on the way.

Until manufacturers release confirmed patches, users of affected headsets should:

  1. Check for firmware updates using the official app.
  2. Disconnect and discontinue use of affected models in sensitive environments.
  3. Stay aware of security recommendations from your headphone brand.

While exploiting the vulnerability requires technical expertise and physical proximity, the discovery highlights the growing security implications of consumer electronics. With headphones now serving as gateways for digital assistants, calls, and music, a vulnerability like this could pose a serious privacy threat.

Update 28 June 2025