Researchers discover vulnerabilities in Bluetooth chipsets that can be exploited for eavesdropping and data theft.

A serious set of vulnerabilities has been identified in Bluetooth chipsets used in more than two dozen audio devices from ten major vendors, including Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel. These chipsets, manufactured primarily by Airoha, are widely used in True Wireless Stereo (TWS) earbuds, headphones, speakers, and wireless microphones.

The vulnerabilities stem from a proprietary protocol embedded in Airoha’s Bluetooth System-on-Chip (SoC) reference designs. This protocol, intended for vendor diagnostics and app features, is exposed via both Bluetooth Low Energy (BLE) and Bluetooth Classic (BR/EDR) connections. Crucially, it lacks authentication, allowing any nearby device to access memory and issue commands without pairing. Attackers within Bluetooth range (~10 meters) can exploit these flaws to read and write to the device’s RAM and flash memory, manipulate device behavior, and in some cases, extract sensitive information such as call history and contacts from connected smartphones.

The vulnerabilities enable attackers to take over vulnerable devices, intercept calls, redirect audio, and potentially turn headphones into listening devices—functioning as bugs. In some scenarios, attackers can initiate calls or send voice commands without user interaction, and extract phone numbers and call logs from connected Android phones. By stealing cryptographic pairing keys, attackers can impersonate the victim’s headphones to their phone, further compromising security and privacy.
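The root cause described above is a GATT service whose characteristics can be read and written over an unencrypted, unpaired link. The following Python model is an added illustration, not Airoha's or any vendor's code, of how an attribute server should gate such a characteristic behind link security: it assigns each characteristic permission flags and answers requests with the ATT error codes the Bluetooth Core Specification defines (Insufficient Authentication 0x05, Insufficient Encryption 0x0F). The diagnostic characteristic UUID, the permission flags, and the three server tiers are constructed for the example; the real protocol's attribute layout is not published on this page.

```python
"""Toy GATT attribute-permission model (added example, not vendor code)."""
from dataclasses import dataclass
from enum import IntFlag
from typing import Dict, List, Optional, Tuple

# ATT error codes from the Bluetooth Core Specification, Vol 3, Part F, 3.4.1.1.
ATT_SUCCESS = 0x00
ATT_ERR_READ_NOT_PERMITTED = 0x02
ATT_ERR_WRITE_NOT_PERMITTED = 0x03
ATT_ERR_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_ERR_INSUFFICIENT_ENCRYPTION = 0x0F


class Perm(IntFlag):
    """Attribute permissions (simplified from the GATT permission model)."""
    READ = 0x01
    WRITE = 0x02
    ENCRYPTED = 0x04       # link must be encrypted (any completed pairing, incl. Just Works)
    AUTHENTICATED = 0x08   # link key must be authenticated (MITM-protected pairing)


@dataclass
class LinkState:
    """Security state of one ATT bearer, as the peripheral sees it."""
    encrypted: bool = False
    authenticated: bool = False


@dataclass
class Characteristic:
    uuid: str
    perms: Perm
    value: bytes = b""


def check_access(ch: Characteristic, link: LinkState, op: str) -> int:
    """Return ATT_SUCCESS if the request may proceed, else the ATT error code to send."""
    need = Perm.READ if op == "read" else Perm.WRITE
    if not (ch.perms & need):
        return ATT_ERR_READ_NOT_PERMITTED if op == "read" else ATT_ERR_WRITE_NOT_PERMITTED
    # Authentication is the stronger requirement, so it is checked first.
    if (ch.perms & Perm.AUTHENTICATED) and not link.authenticated:
        return ATT_ERR_INSUFFICIENT_AUTHENTICATION
    if (ch.perms & Perm.ENCRYPTED) and not link.encrypted:
        return ATT_ERR_INSUFFICIENT_ENCRYPTION
    return ATT_SUCCESS


class GattServer:
    """Minimal attribute server: every read/write passes through check_access."""

    def __init__(self, chars: List[Characteristic]) -> None:
        self.chars = {c.uuid: c for c in chars}

    def write(self, uuid: str, data: bytes, link: LinkState) -> int:
        ch = self.chars[uuid]
        err = check_access(ch, link, "write")
        if err == ATT_SUCCESS:
            ch.value = bytes(data)
        return err

    def read(self, uuid: str, link: LinkState) -> Tuple[int, Optional[bytes]]:
        ch = self.chars[uuid]
        err = check_access(ch, link, "read")
        return (err, ch.value if err == ATT_SUCCESS else None)


# Hypothetical UUID for a vendor diagnostic characteristic (constructed placeholder).
DIAG_UUID = "00000000-0000-0000-0000-00000000d1a6"


def build_server(level: str) -> GattServer:
    """Build a server whose diagnostic characteristic is 'open', 'encrypted' or 'authenticated'."""
    perms = Perm.READ | Perm.WRITE
    if level in ("encrypted", "authenticated"):
        perms |= Perm.ENCRYPTED
    if level == "authenticated":
        perms |= Perm.AUTHENTICATED
    return GattServer([Characteristic(DIAG_UUID, perms, b"\x00")])


def demo() -> Dict[str, int]:
    """Exercise each server tier with an unpaired, a Just-Works-paired and an MITM-paired link."""
    unpaired = LinkState()
    just_works = LinkState(encrypted=True, authenticated=False)
    mitm_paired = LinkState(encrypted=True, authenticated=True)
    results: Dict[str, int] = {}
    for level in ("open", "encrypted", "authenticated"):
        for name, link in (("unpaired", unpaired), ("justworks", just_works), ("paired", mitm_paired)):
            results[f"{level}_{name}_write"] = build_server(level).write(DIAG_UUID, b"\x01", link)
    return results


if __name__ == "__main__":
    for key, code in demo().items():
        print(f"{key}: ATT 0x{code:02X}")
```

The "open" tier reproduces the failure mode the article describes: any nearby central that connects can write the characteristic without pairing. The "encrypted" tier rejects unpaired links but still accepts a Just Works pairing, which gives no protection against an active attacker in range; the "authenticated" tier is the setting a vendor diagnostic interface should use, and a fix of this shape is what an SDK update would deliver.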

Affected Devices and Vendors

Researchers have confirmed at least 29 devices from the following brands are affected:

  • Beyerdynamic
  • Bose
  • Sony
  • Marshall
  • Jabra
  • JBL
  • Jlab
  • EarisMax
  • MoerLabs
  • Teufel

Technical Details and CVEs

The vulnerabilities are tracked as:

  • CVE-2025-20700: Missing authentication in BLE GATT services
  • CVE-2025-20701: Unauthenticated access over Bluetooth Classic
  • CVE-2025-20702: Critical protocol features allow arbitrary memory read/write

Mitigation and Current Status

While the attack is technically complex and requires close proximity, the risk is significant for high-profile individuals such as journalists, executives, and diplomats. Everyday users are less likely to be targeted, but the threat remains real for sensitive environments. Airoha has released an SDK update with mitigations, and manufacturers are beginning to develop and ship patches. However, not all affected devices have received updates yet.

Aspect              Details
Affected Chipsets   Airoha Bluetooth SoCs
Vulnerabilities     CVE-2025-20700, CVE-2025-20701, CVE-2025-20702
Attack Vector       BLE and Bluetooth Classic, no pairing required
Impact              Eavesdropping, data theft, device hijacking, microphone activation
Affected Vendors    10+ (Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, Teufel)
Affected Devices    29+ confirmed, likely many more
Mitigation          SDK/firmware updates in progress