Cybersecurity firm ERNW disclosed vulnerabilities in Airoha Bluetooth chipsets affecting 29 audio devices from ten vendors, enabling potential eavesdropping and data theft.
Researchers confirmed that 29 devices from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel are impacted. These devices include speakers, earbuds, headphones, and wireless microphones. The identified security issues could allow an attacker to gain control of a vulnerable product. On some mobile phones, an attacker within connection range might also be able to extract call history and contacts.
During the TROOPERS security conference in Germany, ERNW researchers revealed three vulnerabilities within the Airoha systems-on-a-chip (SoCs) that are extensively used in True Wireless Stereo (TWS) earbuds. These issues are not classified as critical: exploiting them requires both close physical proximity, limited by Bluetooth range, and a high level of technical skill. The vulnerabilities were assigned the following identifiers: CVE-2025-20700, with a medium severity score of 6.7, for missing authentication on GATT services; CVE-2025-20701, also with a medium severity score of 6.7, for missing authentication on Bluetooth BR/EDR; and CVE-2025-20702, with a high severity score of 7.5, for critical capabilities exposed by a custom protocol.
ERNW researchers developed proof-of-concept exploit code demonstrating their ability to read the currently playing media from targeted headphones. While this specific attack may not pose a significant risk, other scenarios leveraging these three vulnerabilities could allow a threat actor to hijack the connection between a mobile phone and a Bluetooth audio device. This would enable the use of the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone. ERNW stated, “The range of available commands depends on the mobile operating system, but all major platforms support at least initiating and receiving calls.”
The researchers successfully triggered a call to an arbitrary number by extracting Bluetooth link keys from a vulnerable device’s memory. Depending on the phone’s configuration, an attacker could also retrieve call history and contacts. Additionally, they were able to initiate a call and “successfully eavesdrop on conversations or sounds within earshot of the phone.” There is also a potential for rewriting the vulnerable device’s firmware to enable remote code execution, which could facilitate the deployment of a wormable exploit capable of propagating across multiple devices.
Despite the serious attack scenarios presented by ERNW researchers, practical implementation at scale faces constraints. The researchers remarked, “Yes — the idea that someone could hijack your headphones, impersonate them towards your phone, and potentially make calls or spy on you, sounds pretty alarming.” They added, “Yes — technically, it is serious,” while also noting that “real attacks are complex to perform.” The requirement for both technical sophistication and physical proximity limits these attacks to high-value targets, such as individuals in diplomacy, journalism, activism, or sensitive industries.
Airoha has released an updated Software Development Kit (SDK) incorporating necessary mitigations. Device manufacturers have begun developing and distributing patches. However, the German publication Heise reported that the most recent firmware updates for more than half of the affected devices date from May 27 or earlier, preceding Airoha’s delivery of the updated SDK to its customers.