Critical Bluetooth Vulnerabilities Expose Millions of Headphones to Remote Hijacking
Recent cybersecurity research has unveiled significant vulnerabilities in Bluetooth headphones and earbuds, potentially allowing attackers to remotely control these devices and access connected smartphones without user consent. These flaws, identified as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, affect devices utilizing Airoha Bluetooth System-on-Chips (SoCs), which are integral to products from leading manufacturers such as Sony, Bose, JBL, Marshall, and Jabra.
Understanding the Vulnerabilities
The vulnerabilities were initially disclosed in June 2025, providing manufacturers with a window to develop and deploy patches. However, as of December 2025, many devices remain unpatched, leaving users exposed to potential attacks. To raise awareness and facilitate mitigation, researchers have released comprehensive technical details, including a white paper and the RACE Toolkit, enabling users and security professionals to assess device susceptibility.
The Role of Airoha SoCs
Airoha is a prominent supplier of Bluetooth SoCs, especially for True Wireless Stereo (TWS) earbuds. Their reference designs and Software Development Kits (SDKs) are widely adopted by manufacturers, making the impact of these vulnerabilities extensive.
The RACE Protocol: A Double-Edged Sword
Researchers from ERNW discovered that devices powered by Airoha SoCs expose a custom protocol known as RACE (Remote Access Control Engine) across multiple interfaces, including Bluetooth Low Energy (BLE), Bluetooth Classic, and USB Human Interface Device (HID) connections. Originally intended for factory debugging and firmware updates, the RACE protocol offers powerful capabilities such as reading and writing arbitrary locations in both flash memory and RAM.
Detailed Examination of the Vulnerabilities
1. CVE-2025-20700: Missing Authentication for GATT Services over BLE
This vulnerability allows attackers within Bluetooth range to connect to vulnerable headphones without pairing, gaining silent access to the RACE protocol. Such connections typically occur without user notification, rendering the attack covert and undetectable.
2. CVE-2025-20701: Missing Authentication for Bluetooth Classic Connections
This flaw permits unauthenticated access over Bluetooth Classic connections. While these connections may sometimes interrupt audio streams, they enable attackers to establish two-way audio connections. This capability can be exploited to eavesdrop through the device’s microphone using the Hands-Free Profile (HfP).
3. CVE-2025-20702: Critical Capabilities Exposed via the RACE Protocol
This vulnerability involves specific commands within the RACE protocol that allow attackers to retrieve device information, read flash memory pages, perform arbitrary read/write operations on RAM, and obtain the device’s Bluetooth Classic address. These capabilities enable attackers to alter devices permanently and extract sensitive configuration data.
From Headphones to Smartphones: A Cascade of Compromise
The most severe impact arises when attackers chain these vulnerabilities to compromise connected smartphones. The attack sequence is as follows:
1. Initial Connection: An attacker connects to nearby vulnerable headphones via BLE or Bluetooth Classic.
2. Memory Dump: Utilizing the RACE protocol, the attacker dumps the device’s flash memory, which contains a connection table with paired device information, including the cryptographic Link Key used for mutual authentication between the headphones and the smartphone.
3. Device Impersonation: Armed with the Link Key, the attacker impersonates the trusted headphones, establishing a privileged connection with the victim’s smartphone.
4. Exploitation: From this position, the attacker can extract the victim’s phone number and contacts, trigger voice assistants like Siri or Google Assistant to send messages or make calls, hijack incoming calls, and establish eavesdropping connections using the phone’s internal microphone.
Demonstrated Proof-of-Concept Attacks
Researchers have demonstrated proof-of-concept attacks that successfully exploit these vulnerabilities, underscoring the critical need for immediate action. The potential for unauthorized access to personal data and private communications poses a significant threat to user privacy and security.
Mitigation and User Recommendations
To mitigate these risks, users are advised to:
– Update Firmware: Regularly check for and apply firmware updates from device manufacturers.
– Monitor Connections: Be vigilant about unexpected Bluetooth connections and unpair any unfamiliar devices.
– Disable Bluetooth When Not in Use: Turning off Bluetooth when it is not needed can reduce exposure to potential attacks.
– Stay Informed: Keep abreast of security advisories related to Bluetooth devices and implement recommended practices.
Conclusion
The discovery of these vulnerabilities highlights the importance of robust security measures in wireless devices. As Bluetooth technology becomes increasingly integrated into daily life, ensuring the security of these connections is paramount. Users must remain proactive in updating their devices and adopting best practices to safeguard against potential threats.
