TL;DR
Security researchers found three vulnerabilities in Airoha Bluetooth audio chips that can let attackers take over headphones and potentially attack paired phones. The team demonstrated full device compromise on current-generation headphones, published CVEs, and released tooling to check affected devices.
What happened
Researchers investigating Bluetooth headphone security identified three vulnerabilities in Airoha-branded Bluetooth audio system-on-chips, tracked as CVE-2025-20700, CVE-2025-20701 and CVE-2025-20702. During their work they uncovered a powerful custom protocol called RACE that can read from and write to a device's flash and RAM, enabling extensive control over affected headsets. Using current-generation headphones built on Airoha hardware, the team demonstrated how an attacker could achieve complete device compromise and how a compromised peripheral could be leveraged to attack paired devices such as smartphones by abusing the trust relationship and stealing Bluetooth link credentials. The researchers plan to publish tooling that lets users check whether their devices are affected and to help other analysts investigate Airoha-based products. They also discuss challenges encountered during disclosure and the firmware patching process.
Why it matters
- Compromise of widely used Bluetooth audio chips could affect many popular headphones and earbuds.
- A compromised peripheral can be used to target paired devices because of the Bluetooth trust relationship.
- Ability to read and write flash and RAM raises the prospect of persistent, hard-to-detect compromises.
- Disclosure and patching for embedded audio devices can be slow or uneven, leaving users exposed.
Key facts
- Three vulnerabilities identified in Airoha Bluetooth audio chips: CVE-2025-20700, CVE-2025-20701, CVE-2025-20702.
- Researchers found a custom protocol named RACE that can access device flash and RAM.
- Team demonstrated full device compromise on current-generation headphones during testing.
- A compromised headphone can be abused to attack paired devices by leveraging stolen Bluetooth link credentials.
- Airoha supplies SoCs, reference designs and an SDK used by multiple headphone vendors in the True Wireless Stereo (TWS) market.
- Examples of affected vendors and models cited include Sony (WH-1000XM5, WH-1000XM6, WF-1000XM5), Marshall (Major V, Minor IV), Beyerdynamic (AMIRON 300) and Jabra (Elite 8 Active).
- The researchers will release tooling to let users check devices and to assist further research.
- The presentation and materials are licensed under Creative Commons Attribution 4.0 (CC BY 4.0).
What to watch next
- Release of the researchers' tooling for checking whether a specific device is affected and for supporting follow-up research (confirmed in the source).
- Not confirmed in the source: vendor firmware updates and security advisories addressing the reported CVEs.
- Monitor disclosure and patching timelines; the researchers report difficulties in the disclosure and patching process (confirmed in the source).
Quick glossary
- Airoha: A company that produces Bluetooth audio system-on-chips (SoCs) and associated reference designs and SDKs used in many headphones and earbuds.
- RACE protocol: A custom protocol discovered in the investigated devices that can be used to read and write a device's flash and RAM, enabling deep control of the peripheral.
- Bluetooth Link Key: A cryptographic credential that authenticates a Bluetooth connection between a peripheral and a host device.
- SoC: System on a Chip; a single integrated circuit that combines a device's main components, such as the CPU, memory and radio, on one chip.
- Firmware: Low-level software stored on a device that controls its hardware functions and behavior.
Reader FAQ
Which devices are affected?
The researchers cited Airoha-based products from multiple vendors, including Sony WH-1000XM5/XM6 and WF-1000XM5, Marshall Major V and Minor IV, Beyerdynamic AMIRON 300, and Jabra Elite 8 Active.
How severe are the issues?
The vulnerabilities may allow complete device compromise and enable attacks on paired devices, according to the researchers.
Can a compromised headphone be used to attack my phone?
Yes. The researchers demonstrated that a compromised peripheral can be abused to attack paired devices by leveraging the trust relationship and stealing Bluetooth link credentials.
Have vendors released patches?
Not confirmed in the source.
How can I check if my device is affected?
The researchers say they will release tooling that lets users check their devices; that tooling is the only checking method the source mentions.

Bluetooth Headphone Jacking: A Key to Your Phone (talk by Dennis Heinze and Frieder Steinmetz; video recording, 59:12)
Sources
- Bluetooth Headphone Jacking: A Key to Your Phone
- Airoha Chip Vulns Put Earbuds & Headphones at Risk
- Bluetooth Headphones Can Be Weaponized to Hack Phones
- Airoha Chip Vulnerabilities Expose Headphones to Takeover