30-06-2025
Spy Attack Alert For Headphone Users — Is Yours On The At Risk List?
Bluetooth vulnerability puts headphone users at risk.
Hackers are, by their very nature, ingenious and inventive. It comes as part of the job description, and so this latest revelation should come as no surprise. After all, we've already seen hackers using printers, lightbulbs, vacuum cleaners and smartwatches in attack scenarios. Not to mention automatic password hacking machines and, of course, critical vulnerability exposure. And it's the latter, a vulnerability, that brings us nicely to the threat at hand. Researchers have found that more than two dozen earbuds, headphones, speakers and wireless mics from big-name brands are vulnerable to an attack that could see a skilled hacker successfully spying on the user, and even exfiltrating data from some smartphones. Here's what you need to know.
Listen Carefully — This Spy Threat Comes Via Your Audio Tech
There's something particularly insidious about a security threat that can exploit the technology we use to escape from the hubbub, to unwind and listen to music and podcasts, and turn it into a way to spy on us. What's more, according to Dennis Heinze, a security analyst and researcher at ERNW, 'any vulnerable device can be compromised if the attacker is in Bluetooth range. That is the only precondition.' Now that, dear reader, is somewhat concerning.
A recently published security alert by security researchers at ERNW has identified several Bluetooth security vulnerabilities affecting audio devices, including those from well-known earphone and headphone brands that utilize Airoha Systems on a Chip.
Airoha is 'a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds,' Heinze said. While stating that ERNW does not want to disclose proof of concept code or too many technical details at this point, Heinze added that he wanted to 'inform about these vulnerabilities, especially their impact and the difficulties around patching them.'
What ERNW and Heinze have said, however, is that, in most cases, 'these vulnerabilities allow attackers to fully take over the headphones via Bluetooth.' There is absolutely no authentication or pairing involved; as long as the hacker is within Bluetooth range, your headphones could be vulnerable. The researcher said that attackers could read and write to device RAM and flash memory, and could 'hijack established trust relationships with other devices, such as the phone paired to the headphones.'
CVE-2025-20700 (missing authentication for the Generic Attribute Profile service) and CVE-2025-20701 (missing authentication for Bluetooth Basic Rate/Enhanced Data Rate) are both high-risk vulnerabilities with a severity rating of 8.8/10. However, CVE-2025-20702, which Heinze described as presenting 'critical capabilities of a custom protocol,' has been given a critical rating, under the Common Vulnerability Scoring System, of 9.6/10.
The Threat From These Audio Spy Attacks Explained
Like many such reports, although the headline threat is indeed rather worrying, the real-world impact is likely to be significantly less, in my never humble opinion. 'One attack we implemented was reading out the currently playing media from the headphones via the RAM reading commands,' Heinze said. More worryingly, Heinze reported that exploiting the broken BR/EDR pairing allowed an attacker to listen to what the device microphone was recording. Again, in the real world this wouldn't be very secret squirrel, as the exploit would cause whatever the victim was listening to to be dropped. 'For it to go unnoticed,' Heinze confirmed, 'headphones have to be turned on, but not in active use.'
And then we come to the smartphone issue. This exploits the trust between a Bluetooth device and the phone it has paired with. 'If an attacker can impersonate the headphones they could hijack this trust relationship in numerous ways,' Heinze said, including issuing commands to the smartphone in question. ERNW was able to demonstrate an exploit, using a full attack chain, that allowed for the calling of an arbitrary number from the smartphone. 'Under the right conditions,' Heinze warned, 'the established call allowed us to successfully eavesdrop on conversations or sounds within earshot of the phone.' It also allows for the extraction of call history and stored contacts data, Heinze said.
Most people do not need to panic, with journalists, diplomats, political dissidents, people in sensitive industries and VIPs under surveillance being named as the most likely targets of any attacks. The kind of people who should know not to use Bluetooth headphones. Everyone, Heinze said, should update their firmware as soon as a patch becomes available. In the meantime, at-risk users might want to wait for a patch before they use their headphones again. 'Please ensure that you also remove the pairing between the headphones and your mobile phone,' Heinze added.
'Ensuring complete trust in software and the technologies it supports is incredibly challenging,' Boris Cipot, a senior security engineer at Black Duck, said. With every new advancement comes the risk of unknown vulnerabilities, of course, flaws that may only be uncovered later by dedicated security researchers, Cipot warned.
'What matters most now is delivering timely updates and patches so users can operate their devices without worrying about being compromised,' Cipot said. 'Vendors using Airoha TWS technology must ensure customers receive these critical updates seamlessly via an automated upgrade process. Relying on users to manually update their devices simply isn't effective.'
The Spy Attack Headphones At Risk List
Heinze has said that Airoha has fixed the vulnerabilities in the software development kit and supplied a new version to device manufacturers in the first week of June. The manufacturers now have to build and distribute firmware updates, so expect to see these soon if they have not dropped already.
I have approached Airoha for a statement.
'We can confirm that the issues are prevalent in many entry-level and flagship models,' Heinze said, adding that ERNW confirmed Beyerdynamic, Marshall and Sony as impacted vendors. 'We know of many more devices using the chips that we assume to be vulnerable, too,' Heinze concluded.
The following devices were listed as being vulnerable by the ERNW researchers:
A Jabra spokesperson provided the following statement:
'At Jabra we are aware of the recently discovered Bluetooth vulnerability for Airoha chipset devices, which include the Jabra Elite 8 and Elite 10 earbuds. We have taken steps immediately to work on a firmware update to include the Airoha security patch and this will be rolled out very shortly. Jabra continues to support the Elite 8 and 10 earbuds despite having stopped the production of the Elite product line last year. We want to emphasize that no other Jabra audio devices or headsets within our portfolio are affected by this vulnerability.'
I have contacted all the vendors listed above for a statement regarding the spy exploit research and will update this article when I have further information.