Hackers Could Eavesdrop Through Your Bluetooth Devices, Researchers Warn

New Bluetooth Flaws Expose Users to Eavesdropping and Data Theft

Cybersecurity researchers have unveiled critical vulnerabilities within a widely used Bluetooth chipset, potentially exposing users of over two dozen popular audio devices to eavesdropping and data theft. The flaws found in Airoha Systems-on-a-Chip (SoCs) could allow skilled attackers to hijack connections, listen in on conversations, and even extract sensitive phone data.

Widespread Impact Across Major Brands

The vulnerabilities affect 29 devices, including speakers, earbuds, headphones, and wireless microphones, from ten prominent vendors: Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel.

Details of the Vulnerabilities

Disclosed at the TROOPERS security conference in Germany by researchers from cybersecurity firm ERNW, the issues stem from three specific vulnerabilities:

  • CVE-2025-20700 (Medium Severity, 6.7): Missing authentication for GATT services.
  • CVE-2025-20701 (Medium Severity, 6.7): Missing authentication for Bluetooth BR/EDR.
  • CVE-2025-20702 (High Severity, 7.5): Critical capabilities of a custom protocol.

Potential Attack Scenarios


While these vulnerabilities are not classified as critical on their own and require both close physical proximity (within Bluetooth range) and a “high technical skill set” to exploit, the potential attack scenarios are concerning. ERNW researchers demonstrated a proof-of-concept exploit that allowed them to read currently playing media from targeted headphones.

More alarmingly, by leveraging these bugs, a threat actor could hijack the Bluetooth connection between a mobile phone and an audio device. Using the Bluetooth Hands-Free Profile (HFP), attackers could issue commands to the phone, potentially initiating calls to arbitrary numbers after extracting Bluetooth link keys from the vulnerable device’s memory. Depending on the phone’s configuration, call history and contacts could also be retrieved. The researchers successfully initiated calls and were able to “eavesdrop on conversations or sounds within earshot of the phone.”


Furthermore, there’s a theoretical risk that the vulnerable device’s firmware could be rewritten, enabling remote code execution and potentially facilitating a “wormable” exploit capable of spreading across multiple devices.

Limitations and Mitigation Efforts

Despite the serious nature of these attack scenarios, ERNW researchers emphasise that practical implementation at scale is challenging due to the need for both technical sophistication and physical proximity. This limits such attacks to high-value targets, such as individuals in diplomacy, journalism, activism, or sensitive industries.

Airoha has since released an updated Software Development Kit (SDK) with necessary mitigations, and device manufacturers have begun the process of developing and distributing patches. However, a report from German publication Heise indicates that firmware updates for more than half of the affected devices were released before Airoha delivered the updated SDK to its customers, suggesting many devices may still be unpatched.
