Imagine an attacker taking control of your smartphone without pairing or consent, simply because your Bluetooth headphones are within radio range. That is the scenario behind three vulnerabilities disclosed in audio devices built on Airoha Bluetooth chipsets, silicon used by popular brands including Sony, Marshall, JBL, Jabra, and Bose.
The flaws let an attacker in range read the headphones' memory, extract the cryptographic link key the headphones share with your phone, and impersonate the headphones to the phone. From there the attacker holds the headphones' own privileges on the phone (the Hands-Free Profile): triggering the voice assistant, placing or taking over calls, reading contacts and call logs, and eavesdropping on conversations.
In this article, you’ll learn:
- What these vulnerabilities are and how they work
- Which devices are affected
- The attack chain explained
- Practical steps to protect yourself
- Why vendor patch adoption matters
Vulnerability Overview
Researchers at ERNW identified three CVEs affecting Airoha chipsets and presented them at TROOPERS 2025:
| CVE ID | Vulnerability | Severity (researchers' rating) | Transport |
|---|---|---|---|
| CVE-2025-20700 | Missing Authentication for GATT Services | Medium | Bluetooth Low Energy (BLE) |
| CVE-2025-20701 | Missing Authentication for Bluetooth BR/EDR | Medium | Bluetooth Classic (BR/EDR) |
| CVE-2025-20702 | Critical Capabilities of a Custom Protocol (RACE) | High | USB, BLE, Bluetooth Classic |
Root Cause:
Airoha's RACE (Remote Audio Call Enhancement) protocol, a proprietary debugging and device-management interface, is reachable over Bluetooth without any pairing or authentication: over BLE through a GATT characteristic (CVE-2025-20700) and over Bluetooth Classic (CVE-2025-20701). The protocol itself also offers far more than a production device should ever expose, including commands that read and write the chip's RAM and flash (CVE-2025-20702). Any radio within range can therefore issue commands that were meant for the manufacturer's own tooling, and the link key that the phone relies on to recognise its headphones sits in that flash. Note that "Critical" in the name of CVE-2025-20702 describes the capabilities of the protocol, not a CVSS rating.
How the Attack Works
Researchers demonstrated a four-step attack chain:
- Silent connection: The attacker connects to the headphones over BLE or Bluetooth Classic. No pairing, PIN, or button press is needed; the RACE interface answers any peer.
- Key extraction: Using RACE's memory-read commands, the attacker dumps the headphones' flash and recovers the Bluetooth link key that was established when the headphones were paired with the victim's phone.
- Device impersonation: The attacker sets their own radio to the headphones' Bluetooth address and answers the phone's authentication challenge with the stolen link key. To the phone this is a normal reconnection from a trusted device, so no prompt appears. A phone keeps one link per address, so this step works while the real headphones are disconnected or out of range.
- Privilege abuse: The phone grants the "headphones" the Hands-Free Profile, which lets the attacker trigger the voice assistant, place or answer calls, read contacts and call logs, and eavesdrop on conversations.
Impact:
- No pairing required
- No user interaction on either device
- Works within Bluetooth radio range: roughly 10 m for typical Class 2 devices, further with a directional antenna
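To make the chain concrete, here is an added, runnable model of steps 1 to 3 (written for this article; it is not ERNW's tooling or Airoha firmware). The opcodes, the flash layout, the `KEY_OFFSET` constant and the HMAC-based challenge-response are placeholders chosen for illustration; the real RACE command set and the real Bluetooth authentication functions differ. The point it demonstrates is that the phone's check is only "do you hold the link key for this address", so once the key leaves the headphones the phone cannot tell the attacker from the real device, and the only place to fix the problem is the headphones' interface: either keep the debug protocol off the radio entirely, or gate every privileged command on a bonded, encrypted, MITM-authenticated link.

```python
import hashlib
import hmac
import secrets


class Link:
    """Security state of one Bluetooth connection, as the peripheral sees it."""

    def __init__(self, peer_addr, encrypted=False, authenticated=False, bonded=False):
        self.peer_addr = peer_addr
        self.encrypted = encrypted          # link-layer encryption is on
        self.authenticated = authenticated  # pairing used MITM protection (e.g. numeric comparison)
        self.bonded = bonded                # keys were stored by an earlier pairing


class Headphones:
    # Hypothetical opcodes for this model; NOT Airoha's real RACE command set.
    OP_GET_VERSION = 0x01
    OP_READ_FLASH = 0x02
    KEY_OFFSET = 0x40  # assumed position of the link key inside the toy flash image

    def __init__(self, addr, link_key, debug_over_bt=True):
        self.addr = addr
        self.flash = bytearray(256)  # toy flash image, constructed for the example
        self.flash[self.KEY_OFFSET:self.KEY_OFFSET + 16] = link_key
        self.debug_over_bt = debug_over_bt

    def _execute(self, op, arg):
        if op == self.OP_GET_VERSION:
            return b"fw 1.0"
        if op == self.OP_READ_FLASH:
            offset, length = arg
            return bytes(self.flash[offset:offset + length])
        raise ValueError("unknown opcode")

    def race_vulnerable(self, link, op, arg):
        """Pattern behind CVE-2025-20700/-20701: whoever is connected may issue any command."""
        return self._execute(op, arg)

    def race_hardened(self, link, op, arg):
        """Fix pattern: no debug interface on the radio in production builds, and anything
        privileged only over a bonded link that is encrypted and MITM-authenticated (the
        GATT 'authenticated encryption required' permission, or BR/EDR Security Mode 4
        level 3/4)."""
        if not self.debug_over_bt:
            raise PermissionError("RACE is not exposed over Bluetooth")
        if op != self.OP_GET_VERSION and not (link.bonded and link.encrypted and link.authenticated):
            raise PermissionError("privileged command on an unauthenticated link")
        return self._execute(op, arg)


class Phone:
    def __init__(self):
        self.link_keys = {}  # BD_ADDR -> 16-byte link key stored at pairing time

    def pair(self, addr, link_key):
        self.link_keys[addr] = link_key

    def authenticate(self, claimed_addr, respond):
        """Reconnection check. HMAC-SHA256 stands in for the real Bluetooth authentication
        function; what matters is that the proof is possession of the stored key."""
        key = self.link_keys.get(claimed_addr)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(challenge))


def run_chain(headphones, phone, race):
    """Steps 1-3 of the chain. True means the phone accepted the attacker as the headphones."""
    attacker_link = Link(peer_addr="AA:BB:CC:DD:EE:FF")  # step 1: connected, nothing more
    try:                                                  # step 2: read the key out of flash
        stolen_key = race(attacker_link, Headphones.OP_READ_FLASH, (Headphones.KEY_OFFSET, 16))
    except PermissionError:
        return False
    # step 3: spoof the headphones' address and answer the phone's challenge with the stolen key
    return phone.authenticate(headphones.addr,
                              lambda c: hmac.new(stolen_key, c, hashlib.sha256).digest())


def demo():
    """Returns (vulnerable firmware, hardened firmware, hardened firmware with RACE off radio)."""
    key = secrets.token_bytes(16)
    hp = Headphones("11:22:33:44:55:66", key)
    phone = Phone()
    phone.pair(hp.addr, key)
    hp_off = Headphones(hp.addr, key, debug_over_bt=False)
    return (run_chain(hp, phone, hp.race_vulnerable),
            run_chain(hp, phone, hp.race_hardened),
            run_chain(hp_off, phone, hp_off.race_hardened))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two things follow from the model. First, the phone never sees anything wrong: the cryptographic proof is valid, so no phone-side detection can distinguish the attacker. Second, because the key is what matters, unpairing and re-pairing the headphones after a firmware update invalidates any key an attacker may already have copied; a firmware update alone does not.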
Affected Devices
Confirmed vulnerable models include:
- Sony WF-1000XM and WH-1000XM series earbuds and headphones
- Marshall speakers
- JBL earbuds
- Beyerdynamic headphones
- Jabra and Bose earbuds
- And many more: the researchers confirmed around 30 models, and because Airoha silicon ships in many other products under other brand names, the true number is unknown and likely much larger. The only reliable way to tell whether a given device is affected and patched is the vendor's firmware advisory for that exact model.
Why This Matters
Bluetooth is everywhere—headphones, cars, IoT devices. These flaws show how peripheral security weaknesses can compromise primary devices like smartphones.
Risks include:
- Privacy breaches: Eavesdropping on calls and conversations
- Account compromise: Triggering voice assistants for unauthorized actions
- Data exposure: Accessing contacts and call logs
Vendor Response
- Airoha shipped a fixed SDK to its customers in June 2025; an SDK fix reaches users only when each brand rebuilds and ships device firmware, usually through its companion app
- Jabra and Marshall acknowledged the issue and firmware fixes
- Sony was initially silent; Beyerdynamic responded proactively
- Many vendors still lag in adopting the patch, so a device's status depends on brand, model, and the firmware version actually installed
How to Protect Yourself
- Update firmware now: most earbuds and headphones only receive updates through the vendor's companion app, so install it, run the update, and compare the installed firmware version against the vendor's advisory afterward
- After updating, unpair and re-pair the headphones: a link key that was already extracted stays valid until the pairing it belongs to is deleted
- Remove paired devices you no longer use from your phone
- Disable Bluetooth when not in use
- Use wired headphones for sensitive conversations
- Use the RACE Toolkit to verify a device's vulnerability status
Best Practices for Enterprises
- Enforce Bluetooth hardening policies on corporate devices (approved peripherals only, no pairing with unknown devices, Bluetooth off where it is not needed)
- Monitor for unusual Bluetooth connections, for example a paired headset reconnecting at odd hours or while its owner is elsewhere
- Include peripherals in risk assessments and asset inventories: a headset that can dial and read contacts is part of the phone's attack surface
- Push vendors for timely patch adoption, and track which models in your fleet have shipped fixed firmware
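For the inventory and clean-up points above (removing unused pairings, and folding peripherals into risk assessments), here is an added example audit script for Linux hosts running BlueZ; it is not from the article or any vendor. It assumes BlueZ's on-disk layout, `/var/lib/bluetooth/<adapter>/<device>/info` (readable by root only), and the field names in that file; the two records embedded in the script are constructed samples with fake keys so that it runs offline, and the name patterns are simply the brands and model lines the article names. A name match means "check this pairing for a firmware update", not "this unit is vulnerable".

```python
import configparser
import pathlib
import re
import sys

# Brands and model prefixes the article names as shipping Airoha-based devices.
AFFECTED_NAME_PATTERNS = [r"\bWF-1000XM", r"\bWH-1000XM", r"\bMarshall\b", r"\bJBL\b",
                          r"\bJabra\b", r"\bBose\b", r"\bBeyerdynamic\b"]

# Link_Key_Type values from the Bluetooth Core Specification (HCI), as BlueZ stores
# them in the "Type=" field. Only types 5 and 8 come from MITM-protected pairing.
LINK_KEY_TYPES = {
    0: "combination key (legacy PIN pairing)",
    1: "local unit key (legacy)",
    2: "remote unit key (legacy)",
    3: "debug combination key",
    4: "unauthenticated combination key, P-192 (SSP without MITM protection)",
    5: "authenticated combination key, P-192 (SSP with MITM protection)",
    6: "changed combination key",
    7: "unauthenticated combination key, P-256 (Secure Connections, no MITM)",
    8: "authenticated combination key, P-256 (Secure Connections with MITM)",
}
MITM_PROTECTED_TYPES = {5, 8}

# Constructed sample records in BlueZ's info-file format (addresses and keys are not real).
SAMPLE_RECORDS = {
    "11:22:33:44:55:66": """[General]
Name=WF-1000XM4
Class=0x240404
SupportedTechnologies=BR/EDR;
Trusted=true
Blocked=false

[LinkKey]
Key=00112233445566778899AABBCCDDEEFF
Type=4
PINLength=0
""",
    "AA:BB:CC:DD:EE:01": """[General]
Name=Pixel 7
Class=0x5a020c
SupportedTechnologies=BR/EDR;LE;
Trusted=false
Blocked=false

[LinkKey]
Key=FFEEDDCCBBAA99887766554433221100
Type=8
PINLength=0
""",
}


def parse_info(text):
    """Extract only the fields the audit needs; the key material is never returned."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    general = cp["General"] if cp.has_section("General") else {}
    key_type = int(cp["LinkKey"].get("Type", "-1")) if cp.has_section("LinkKey") else None
    return {
        "name": general.get("Name", "?"),
        "trusted": general.get("Trusted", "false").lower() == "true",
        "key_type": key_type,
    }


def audit_device(addr, text):
    info = parse_info(text)
    findings = []
    if any(re.search(p, info["name"]) for p in AFFECTED_NAME_PATTERNS):
        findings.append("name matches an Airoha-based brand/model: confirm firmware is patched")
    if info["key_type"] is not None and info["key_type"] not in MITM_PROTECTED_TYPES:
        desc = LINK_KEY_TYPES.get(info["key_type"], "unknown type")
        findings.append(f"link key type {info['key_type']}: {desc}")
    if info["trusted"]:
        findings.append("Trusted=true: this address reconnects without any prompt")
    return {"addr": addr, "name": info["name"], "findings": findings}


def audit_all(records):
    return [audit_device(addr, text) for addr, text in sorted(records.items())]


def removal_commands(report, stale):
    """bluetoothctl commands that drop pairings the operator has decided are no longer needed."""
    return [f"bluetoothctl remove {r['addr']}" for r in report if r["addr"] in stale]


def load_bluez(root="/var/lib/bluetooth"):
    """Read the live store: <root>/<adapter>/<device>/info (requires root)."""
    return {p.parent.name: p.read_text() for p in pathlib.Path(root).glob("*/*/info")}


if __name__ == "__main__":
    records = load_bluez() if "--live" in sys.argv else SAMPLE_RECORDS
    for entry in audit_all(records):
        status = "OK" if not entry["findings"] else f"{len(entry['findings'])} finding(s)"
        print(f"{entry['addr']}  {entry['name']:<20} {status}")
        for finding in entry["findings"]:
            print(f"    - {finding}")
```

Run it with `--live` as root to read the real store; LE-only pairings keep `[LongTermKey]` sections instead of `[LinkKey]` and would need a parallel check. One caveat on reading the output: the link-key-type finding is pairing hygiene, not a mitigation for these CVEs. An attacker who has copied the key out of the headphones' flash passes the host's authentication whatever the key type, which is why the `removal_commands` step (delete pairings you do not need, then re-pair the ones you keep after a firmware update) is the part that actually helps.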
Compliance & Standards
- NIST SP 800-121 Rev. 2 (Guide to Bluetooth Security)
- ISO/IEC 29147 (Vulnerability Disclosure)
- OWASP IoT Top 10, in particular I2 Insecure Network Services (an unauthenticated debug protocol reachable over the radio) and I4 Lack of Secure Update Mechanism (fixes that depend on each vendor shipping firmware)
FAQs
What is the Airoha Bluetooth vulnerability?
Flaws in Airoha Bluetooth chipsets let an attacker in radio range connect to the headphones without pairing, read the link key out of their flash, and impersonate the headphones to the smartphone.
Which brands are affected?
Sony, Marshall, JBL, Jabra, Bose, and others using Airoha chipsets.
How do attackers exploit this?
By connecting without pairing, reading the Bluetooth link key out of the headphones' flash through the unauthenticated RACE interface, and then impersonating the trusted headphones to the phone, which grants them Hands-Free Profile access.
How can I protect myself?
Update the firmware and then unpair and re-pair the headphones, remove unused pairings, disable Bluetooth when not needed, and use the RACE Toolkit to verify a device's status.
Conclusion
The Airoha Bluetooth vulnerabilities are a stark reminder that peripheral security matters. Attackers do not need to break your phone; they can start with your headphones, and the phone cannot tell the difference. Update now, re-pair, audit your paired devices, and stay ahead of emerging threats.