New Bluetooth Headphone Vulnerabilities Allow Hackers to Hijack Connected Smartphones

Brownie2019

Security researchers have disclosed critical vulnerabilities in Airoha-based Bluetooth headphones that enable attackers to compromise connected smartphones through chained exploits.

The three vulnerabilities, CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, affect dozens of popular headphone models from Sony, Marshall, Jabra, Bose, and other manufacturers.

The vulnerabilities center on missing authentication mechanisms and exposed debugging functionality in Airoha’s custom RACE protocol, which is used for device configuration and firmware updates.

Attackers within Bluetooth range can exploit these flaws without requiring prior pairing or user interaction.
Technical Analysis

The threat involves three chained vulnerabilities targeting Airoha’s custom RACE protocol, typically used for device configuration and firmware updates.

Vulnerability Chain:

CVE-2025-20700: Allows unauthenticated Bluetooth Low Energy (BLE) connections.

CVE-2025-20701: Permits unauthorized Bluetooth Classic connections.

CVE-2025-20702: Provides arbitrary read/write access to device memory via the RACE protocol once a connection is established.

The "Link Key" Extraction: By exploiting these flaws, an attacker can extract the Bluetooth Link Key—the shared secret between the headphones and the phone. This allows the attacker to impersonate the trusted headphones to the smartphone.

Impact on Connected Devices: Once impersonation is successful, attackers can use the Bluetooth Hands-Free Profile to access call history and contact lists, accept incoming calls (call hijacking), or command voice assistants to send messages and extract location data.

Affected Hardware: Verified vulnerable devices include popular models such as the Sony WF-1000XM5, Marshall ACTON III, JBL Live Buds 3, and Beyerdynamic Amiron 300. Potentially many more unverified models remain affected.

Recommendation / Remediation

Immediate Firmware Updates: Check for and apply the latest firmware updates via your headphone manufacturer's official app. While Airoha released SDK patches in June 2025, vendor adoption is inconsistent.

Device Hygiene: Unpair and "Forget" any headphones or Bluetooth devices that are no longer in active use to reduce the potential attack surface.

Voice Assistant Security: Configure your smartphone to require authentication (Passcode/Biometrics) before allowing voice assistant commands while the device is locked.

High-Risk Alternatives: For high-value targets (e.g., journalists, diplomats), researchers recommend utilizing wired headphones to eliminate the Bluetooth attack vector entirely.