Security Flaws Found in Bluetooth Chip Used by Top Headphone Manufacturers

A major Bluetooth security issue has come to light, and it could affect millions of users of popular wireless headphones and earbuds — including models from Sony, Bose, JBL, Marshall, and others.

Cybersecurity firm ERNW recently uncovered multiple vulnerabilities in Bluetooth chips made by Airoha, a major supplier used in True Wireless Stereo (TWS) devices. These flaws allow hackers to take full control of your headphones if they’re within Bluetooth range — no pairing required.

At the heart of the issue is Airoha’s Bluetooth System-on-Chip (SoC), used in many consumer audio products. These chips expose an internal control protocol over Bluetooth — a protocol that lacks basic authentication, meaning attackers nearby can send commands to your headphones as if they own them. In real-world tests, ERNW demonstrated they could extract audio, impersonate a headset to a paired smartphone, and even trigger phone calls.

Using this vulnerability, an attacker could:

  • Read or modify device memory
  • Hijack audio streams
  • Eavesdrop through built-in microphones
  • Impersonate your headphones to your phone, potentially making or receiving calls

The flaws are tracked with the following CVE identifiers:

  • CVE-2025-20700 – BLE GATT services lack authentication
  • CVE-2025-20701 – Bluetooth Classic (BR/EDR) services lack authentication
  • CVE-2025-20702 – Dangerous capabilities exposed via a proprietary control protocol

Affected Devices

Airoha chips are found in many mid-range and high-end headphones, making the impact widespread. Some of the confirmed affected products include:

  • Sony’s WH-1000XM4/XM5/XM6, WF-1000XM series, LinkBuds S, and ULT Wear
  • Bose QuietComfort Earbuds
  • Jabra, JBL, Marshall, Teufel, JLab, and others

Importantly, not every device with Airoha chips is necessarily vulnerable to all three issues. Some vendors may have mitigated part of the flaw (knowingly or not).

Risk

These are serious vulnerabilities — especially for those in high-risk professions or sensitive industries.

But for the average user, the risk is relatively low, for a few reasons:

  • Attacks require physical proximity (within 10 meters)
  • They are not possible over the internet
  • The attack process is technically complex and visible (e.g., your headphones disconnect)

In short, this is not a widespread exploit being used in the wild — yet.

If you are in a high-risk group, such as a journalist, diplomat, or someone in a sensitive position, or if you use your headphones for business calls in public places, you may want to take precautions (such as unpairing the device until a fix is released or you can confirm your model isn’t directly affected).

There is a fix, but deployment can take some time. Airoha has released patched versions of its Bluetooth SDK as of early June 2025. But it’s now up to individual headphone manufacturers to integrate those fixes into their own firmware updates and push them to users. That process can take weeks or months — and for some cheaper or discontinued models, it may not happen at all.

Keep an eye out for firmware updates from your headphone brand and apply them as soon as they’re available. If you’re in a high-risk group, consider temporarily avoiding Bluetooth audio devices, or removing their pairing from your phone.

These findings underscore a growing problem in modern supply chains — vulnerabilities in shared components can cascade across dozens of brands. The lack of transparency in hardware sourcing makes it even harder to assess risk. Check out ERNW’s full analysis report on their website here.
