A major security flaw in widely used Bluetooth headphones could allow hackers to remotely access devices, eavesdrop on conversations, and even steal personal data, according to researchers from German cybersecurity firm ERNW. The vulnerability, disclosed at the TROOPERS security conference this week, affects millions of headphones from brands like Sony, JBL, Marshall, and Bose.

The issue stems from Bluetooth chips made by Taiwanese manufacturer Airoha, which are used in many “True Wireless Stereo” (TWS) earbuds. Airoha’s proprietary protocol, designed for communication with manufacturer apps, inadvertently opens a backdoor for attackers. By exploiting weaknesses in Bluetooth Low Energy (BLE) and classic Bluetooth connections, hackers can take control of headphones without requiring user interaction.

Once compromised, attackers can access a device’s memory, intercept calls, and even redirect audio to spy on users. In some cases, they could extract phone numbers, call logs, and contact lists from connected Android phones. However, ERNW researchers note that such attacks are complex and require close proximity to the target, making them unlikely for everyday users. High-profile individuals, such as journalists or corporate executives, may face higher risks.

Airoha disputes the severity of the flaws, which include one critical vulnerability (CVE-2025-20702) and two high-risk issues (CVE-2025-20700, CVE-2025-20701). Despite being notified in March 2025, the company took two months to respond before releasing a patched software development kit (SDK) on June 4.

Major headphone manufacturers have yet to confirm firmware updates for affected devices. With over 100 models potentially impacted, including some from top brands, millions of users may remain vulnerable. Apple’s AirPods are unaffected, but counterfeit earbuds using Airoha chips could still be at risk.

For now, researchers advise keeping headphone firmware updated via manufacturer apps. Until patches are widely available, the vulnerabilities remain a zero-day threat.

Via: Heise

Leave a comment

Your email address will not be published. Required fields are marked *