editorially independent. We may make money when you click on links
to our partners.
Learn More
Researchers warn that critical flaws in popular Bluetooth headphones could enable eavesdropping, data theft, and smartphone compromise.
The vulnerabilities impact devices from major brands, many of which have yet to be patched.
The flaws “… might allow eavesdropping via the device’s microphone,” said researchers.
Unpatched Bluetooth Devices at Risk
The vulnerabilities impact Bluetooth headphones and earbuds powered by Airoha system-on-chips (SoCs), which are widely used across the consumer electronics market.
The flaws are tracked as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, with CVSS scores ranging from 8.8 to 9.6, indicating high to critical severity.
Despite initial disclosure to vendors in June 2025, some manufacturers have yet to fully patch affected products at the time of publication.
How Bluetooth Headphones Can Be Hijacked
At the core of the issue is Airoha’s proprietary RACE (Remote Access Control Engine) protocol.
RACE was designed for factory debugging and firmware updates and exposes powerful functions, including the ability to read and write arbitrary memory locations.
The researchers found that many Airoha-based devices expose this protocol over Bluetooth Low Energy (BLE), Bluetooth Classic, and USB HID interfaces without proper authentication.
CVE-2025-20700 involves missing authentication for BLE GATT services, allowing attackers within Bluetooth range to connect to vulnerable headphones without pairing or user interaction.
The connection typically generates no alerts, making the attack difficult to detect.
CVE-2025-20701 affects Bluetooth Classic connections, enabling unauthenticated access that can support two-way audio. In some scenarios, attackers can exploit the Hands-Free Profile (HFP) to eavesdrop using the headphone’s microphone.
The most severe flaw, CVE-2025-20702, exposes the full capabilities of the RACE protocol, allowing attackers to read flash memory, manipulate RAM, and extract sensitive device data.
The real danger emerges when these flaws are chained together.
Researchers demonstrated that attackers could dump a headphone’s flash memory to retrieve the cryptographic Link Key used to authenticate the device with a paired smartphone.
With that key, attackers can impersonate the headphones and connect directly to the victim’s phone as a trusted device.
From there, attackers can trigger voice assistants like Siri or Google Assistant, access contacts, place calls, hijack incoming audio, and even establish covert eavesdropping sessions through the phone’s microphone.
The researchers demonstrated proof-of-concept (PoC) attacks affecting WhatsApp and Amazon accounts, confirming that the risk is not just theoretical.
How to Reduce Bluetooth Security Risk
With patch adoption varying widely across vendors, users and organizations should take proactive steps to reduce exposure to Bluetooth-based attacks.
These measures focus on limiting trust relationships, shrinking the attack surface, and reducing the impact of compromised peripherals.
- Update Bluetooth headphones and earbuds using official manufacturer apps or support tools as soon as firmware updates become available.
- Keep smartphones fully updated with the latest operating system and security patches to reduce Bluetooth exploit impact.
- Remove unused, unknown, or unnecessary paired devices from smartphones to limit exposure from stored Link Keys.
- Disable Bluetooth when not actively in use and avoid pairing devices in public or untrusted environments.
- Periodically reset and re-pair Bluetooth headphones after firmware updates to invalidate previously stored credentials.
- For high-risk individuals or sensitive use cases, use wired headphones or restrict Bluetooth peripherals through enterprise controls where possible.
These steps help reduce the Bluetooth attack surface area and limit blast radius.
Firmware Design Choices Scale Risk
These vulnerabilities highlight a broader issue in the consumer electronics ecosystem: low-level firmware features intended for manufacturing, testing, or maintenance can persist into production devices without adequate security controls or ongoing review.
The widespread impact of the Airoha flaws also underscores the importance of supply chain security, as vulnerabilities introduced at the chipset or SDK level can propagate across numerous brands and product lines.
Without stronger oversight, transparency, and security validation throughout the hardware and software supply chain, a single design weakness can scale into a global consumer risk.
