Bluetooth Flaws Could Let Hackers Spy Through Your Microphone | Vulnerabilities in Airoha Chips Explained
Discover how critical Bluetooth vulnerabilities in Airoha chipsets found in top brands like Bose, Sony, and JBL could let attackers eavesdrop, steal data, and hijack calls. Learn how to stay protected.

Table of Contents
- Why this matters
- The vulnerabilities
- Attack flow in the wild
- Mitigation status
- What you can do right now
- Bigger picture: Bluetooth’s long tail of risk
- Conclusion
- Frequently Asked Questions (FAQs)
Bluetooth security just took a hit. Three newly disclosed flaws in Airoha Bluetooth chips let an attacker in radio range hijack popular headphones, earbuds, speakers — and even spy on the smartphone that’s paired to them. Below is a practical rundown of what happened, which devices are at risk, and what you can do while vendors roll out fixes.
Why this matters
- 29 products from ten well-known brands (Bose, Sony, Jabra, JBL, Beyerdynamic, Marshall, Teufel, JLab, EarisMax, MoerLabs) embed the vulnerable Airoha SoC.
- A successful attack lets a hacker read what you’re listening to, trigger calls, grab contacts or call history, and eavesdrop through the phone’s microphone without ever pairing to the headset.
- Although exploitation requires Bluetooth-range proximity (~10 m) and solid reverse-engineering skills, the stakes are high for journalists, diplomats, executives, or anyone handling sensitive calls.
The vulnerabilities
CVE | CVSS v3 Score | Root cause | Practical impact
---|---|---|---
CVE-2025-20700 | 6.7 (Medium) | No authentication on GATT services | Read / write data over BLE
CVE-2025-20701 | 6.7 (Medium) | No authentication on the BR/EDR profile | Classic-Bluetooth commands without pairing
CVE-2025-20702 | 7.5 (High) | Flaws in a custom vendor protocol | Dump link keys → hijack connection, launch calls
ERNW researchers unveiled proof‑of‑concept code at TROOPERS 25 showing how they pulled the currently playing song from a Bose headset, then escalated to dial an arbitrary number from the victim’s phone and listen in.
Attack flow in the wild
- Get close – The attacker sits in a café or boarding gate within Bluetooth range.
- Sniff & identify – They spot the Airoha chipset’s MAC fingerprint.
- Memory dump – Using CVE-2025-20702 they extract the Bluetooth link keys stored in the headset.
- Impersonate the device – The phone reconnects to the attacker’s rogue hardware.
- Issue HFP commands – Calls are placed or answered silently; contacts and history are pulled via AT commands.
- Listen live – Conversation audio is streamed to the attacker. If firmware rewriting is possible, a wormable payload could spread the exploit to every nearby vulnerable headset.
Mitigation status
- Airoha released an updated SDK with authentication checks and patched protocol handlers in mid-June 2025.
- Vendors are baking the fixes into firmware, but German outlet Heise notes that half the affected products still ship May-2025 (pre-patch) firmware.
- OS vendors (Android / iOS) can’t fully block the issue because the exploit runs inside the peripheral, not the phone.
What you can do right now
Action | Why it helps
---|---
Update firmware | Check the headphone/earbud companion app weekly until a security bulletin appears.
Disable Bluetooth discoverability | Makes it harder to fingerprint your device in public.
Unpair in crowded areas | Turn off Bluetooth or use wired mode when handling sensitive calls.
Watch for phantom calls | Unexpected outgoing or answered calls may signal compromise.
Favor headsets with secure-element chips | Newer models store link keys in hardware, resisting memory dumps.
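The "Watch for phantom calls" row above, and the attack-flow step where calls and contacts are driven through HFP AT commands, point to something a defender can automate: look at which AT commands a headset sends to the phone, and flag call-control or phonebook commands that arrive seconds after a (re)connect, before a user could plausibly have pressed a button. The script below is an added example written for this article, not code from ERNW, Airoha or any headset vendor. The log format is constructed for the example (one event per line: time in seconds, device address, direction, payload; the `LINK CONNECT` event marks the HFP link coming up), and the command names (`ATD`, `AT+BLDN`, `ATA`, `AT+CPBS`, `AT+CPBR`) are taken from the public Hands-Free Profile specification.

```python
"""Flag suspicious Hands-Free Profile (HFP) traffic from a paired headset.

Constructed log format (not any real OS or HCI log):
    <seconds> <device-address> <HF->AG | AG->HF | LINK> <payload>
HF->AG lines are commands the headset (Hands-Free) sends to the phone
(Audio Gateway); LINK CONNECT marks the HFP link being established.
"""
import re
from dataclasses import dataclass

# HFP AT commands (public specification). ATD / AT+BLDN / ATA place, redial or
# answer a call; AT+CPBS / AT+CPBR select and read phonebook entries.
CALL_CONTROL = ("ATD", "AT+BLDN", "ATA")
PHONEBOOK = ("AT+CPBS", "AT+CPBR")

LINE_RE = re.compile(
    r"^(\d+(?:\.\d+)?)\s+([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s+(HF->AG|AG->HF|LINK)\s+(.+)$"
)

# Constructed sample: device ...:01 behaves normally; device ...:02 reads the
# phonebook and dials a (placeholder) number seconds after reconnecting.
CONSTRUCTED_LOG = """
0.0    AA:BB:CC:DD:EE:01 LINK   CONNECT
1.2    AA:BB:CC:DD:EE:01 HF->AG AT+BRSF=191
1.5    AA:BB:CC:DD:EE:01 AG->HF +BRSF:1023
600.0  AA:BB:CC:DD:EE:01 HF->AG AT+VGS=10
900.0  AA:BB:CC:DD:EE:01 HF->AG ATA
3600.0 AA:BB:CC:DD:EE:02 LINK   CONNECT
3602.1 AA:BB:CC:DD:EE:02 HF->AG AT+CPBS="ME"
3602.4 AA:BB:CC:DD:EE:02 HF->AG AT+CPBR=1,200
3605.0 AA:BB:CC:DD:EE:02 HF->AG ATD0123456789;
"""


@dataclass(frozen=True)
class Finding:
    address: str
    time: float
    reason: str


def parse_line(line):
    """Parse one constructed log line into (time, address, direction, payload), or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, addr, direction, payload = m.groups()
    return float(ts), addr, direction, payload.strip()


def command_name(payload):
    """'AT+CPBR=1,200' -> 'AT+CPBR'; 'ATD0123456789;' -> 'ATD' (dial string follows directly)."""
    if payload.startswith("ATD"):
        return "ATD"
    return payload.split("=", 1)[0].split("?", 1)[0]


def analyze(lines, window=30.0):
    """Return findings: any phonebook read from the headset, and any call-control
    command issued within `window` seconds of that headset's last (re)connect."""
    last_connect = {}
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, addr, direction, payload = parsed
        if direction == "LINK" and payload == "CONNECT":
            last_connect[addr] = ts
            continue
        if direction != "HF->AG":
            continue
        cmd = command_name(payload)
        if cmd in PHONEBOOK:
            findings.append(Finding(addr, ts, f"phonebook access ({cmd})"))
        elif cmd in CALL_CONTROL:
            since = ts - last_connect.get(addr, float("-inf"))
            if since <= window:
                findings.append(Finding(addr, ts, f"{cmd} {since:.1f}s after (re)connect"))
    return findings


def suspicious_devices(lines, window=30.0):
    """Sorted addresses that produced at least one finding."""
    return sorted({f.address for f in analyze(lines, window)})


if __name__ == "__main__":
    for f in analyze(CONSTRUCTED_LOG.splitlines()):
        print(f"{f.time:8.1f} {f.address} {f.reason}")
    print("suspicious:", suspicious_devices(CONSTRUCTED_LOG.splitlines()))
```

Only the second device is reported. The heuristic is deliberately coarse: some car kits legitimately read the phonebook after connecting, so in practice the `window` and the phonebook rule need tuning per environment, and a finding should be correlated with the phone's own call log before anyone treats it as a compromise.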
Bigger picture: Bluetooth’s long tail of risk
Bluetooth’s 10‑meter convenience also grants attackers physical access without needing to touch a device. Previous headline issues (BLURtooth, KNOB, BlueBorne) show that legacy protocol assumptions keep breaking as researchers push fuzzers and AI‑guided reverse‑engineering against closed‑source firmwares.
Regulators have noticed:
- FCC SIM-swap & port-out rules (2023) already push carriers toward stronger identity checks; similar pressure on Bluetooth vendors is likely next.
- EU Cyber-Resilience Act (CRA) will require consumer IoT makers to maintain timely security updates, headphones included, or face fines.
Conclusion
While the newly disclosed Airoha flaws require skill and proximity, they underline a recurrent theme: peripheral security is mobile security. Until every vendor delivers patched firmware, treat wireless audio gear like any other untrusted radio device—keep it updated, limit its exposure, and stay alert for unusual behavior.
Stay safe, stay patched, and keep an ear out for firmware notices from your headphone maker. The privacy of your next call could depend on it.
Frequently Asked Questions (FAQs)
What are the latest Bluetooth vulnerabilities in 2025?
Recent flaws were found in Airoha Bluetooth chips used in popular headphones and earbuds, allowing attackers to eavesdrop and control connected smartphones.
Which CVEs are related to these Bluetooth flaws?
The vulnerabilities are CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702.
What is the severity of these Bluetooth CVEs?
Two vulnerabilities are rated medium (6.7), and one is rated high (7.5) by CVSS.
How do Bluetooth attackers hijack headphones?
By extracting Bluetooth link keys from memory, attackers can impersonate the headset and hijack the smartphone connection.
Can hackers really spy using Bluetooth headphones?
Yes, they can trigger calls and listen through the phone's microphone by exploiting Bluetooth Hands-Free Profile (HFP).
What chip is affected in these attacks?
The vulnerabilities exist in Airoha SoCs, commonly used in audio devices.
Which brands are impacted by Airoha Bluetooth flaws?
Brands like Bose, Sony, JBL, Jabra, Marshall, and more are affected.
How close does an attacker need to be?
The attacker must be within standard Bluetooth range, roughly 10 meters.
Is this a remote Bluetooth attack?
No, it requires physical proximity but no prior pairing.
How did researchers prove the exploit?
ERNW researchers demonstrated playback sniffing and remote call initiation at a security conference.
What are Bluetooth link keys?
Link keys are cryptographic credentials that secure Bluetooth pairings between devices.
How can hackers extract Bluetooth link keys?
They use vulnerabilities in the firmware to dump memory and retrieve the keys.
Can a hacker make your phone call someone?
Yes, by mimicking a connected headset, attackers can issue call commands.
Can this Bluetooth flaw steal my contacts?
Yes, in some phone configurations, attackers can retrieve call history and contact data.
How do I know if my headset is vulnerable?
Check the model and firmware version, and consult the manufacturer's security updates.
Can firmware updates fix this?
Yes, Airoha has released an SDK fix, but device vendors need to push firmware updates.
Has anyone been hacked using this Bluetooth flaw?
No known public attacks yet, but proof-of-concept exists and is credible.
Are iPhones or Androids affected more?
Both platforms are vulnerable depending on how they handle HFP connections.
What should I do if I use Bluetooth headphones daily?
Ensure your device firmware is updated, and disable Bluetooth when not in use.
Is there a patch for Bose or Sony headphones?
Patches may be in development; check official support sites for updates.
Can this be used for a Bluetooth worm attack?
Yes, researchers say a wormable version of the attack is theoretically possible.
Why is this Bluetooth issue serious?
It turns a trusted audio device into a potential surveillance tool.
What is the Hands-Free Profile (HFP)?
HFP is a Bluetooth profile that allows headsets to control phone functions like calling.
Does this affect Bluetooth speakers too?
Yes, many speakers using Airoha chips are also vulnerable.
Can a hacker inject audio or commands?
They can potentially issue commands to the phone via a spoofed headset.
How can companies protect users from Bluetooth flaws?
By releasing timely firmware patches and enforcing secure memory handling.
How long has this vulnerability existed?
Likely for years, but it was disclosed in mid-2025 at the TROOPERS conference.
Can antivirus detect Bluetooth attacks?
No, most mobile security tools don't monitor Bluetooth hardware behavior.
Is turning off Bluetooth the best defense?
Yes, disabling Bluetooth when not in use reduces exposure.
Where can I find firmware updates?
Check the official support page of your headphone or speaker manufacturer.