Bluetooth Chip Flaw Turns Millions Of Top Headphones Into Spy Devices
According to a team of researchers at Enno Rey Netzwerke GmbH, the Airoha system-on-chips all share three major vulnerabilities that allow an attacker in range to take full control of the headset, since they get full read and write access to the SoC's RAM and flash storage. The means to achieve this are sadly quite simple. Apparently Airoha left a system control protocol reachable without any authentication, both via BLE GATT (Bluetooth Low Energy Generic Attribute Profile) and via classic Bluetooth's RFCOMM interface. The vulnerabilities are tracked as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702.
Once an attacker has gotten a foothold on the device, they're free to do plenty of nasty things, including but not limited to spying on what the user is listening to, eavesdropping on conversations near the device (as the microphone can be turned on), hijacking the Bluetooth Hands-Free profile to control a paired phone or laptop to the extent the OS allows, and fully impersonating the headphones once the real pair is no longer physically present. Listening in on an ongoing call is possible too, but since the headset allows only one Bluetooth connection at a time, the attacker would quickly expose themselves by displacing the legitimate one.

A potential hacker would need to be in physical Bluetooth range of the victim (10 meters give or take), but even still the attack is pretty darn low-profile and comes from an unexpected avenue. Juicy targets include but are not limited to politicians, diplomats, CEOs, journalists, and other similar VIPs.
The researchers make a specific point of not "[disclosing] too many details" or publishing a proof-of-concept for the time being, preferring instead to inform vendors about these vulnerabilities and hoping they'll be patched. The reasoning for that is fairly sound, since the Airoha SoCs are reportedly so ubiquitous in the TWS (True Wireless Stereo) Bluetooth headset space, there's no telling yet how many models are affected, and the list is bound to be quite long. Furthermore, the security experts say that many vendors are even unaware their wares are using Airoha SoCs to begin with, given that development of the Bluetooth comms portion is sometimes outsourced entirely.
There are currently few options for mitigating this vulnerability. Although Airoha has already fixed the vulnerability in the latest version of its software development kit, it'll be up to the individual vendors to pick up that fix and publish a new firmware update for each affected product. Once that hill is cleared, there's still the difficult task of informing users that they need to apply a security update to their Bluetooth headset, assuming they even know that's a possibility.