
Researchers have released full technical details and a toolkit for testing a trio of previously disclosed vulnerabilities in Airoha-based Bluetooth headphones.
The flaws, which affect numerous models from brands like Sony, JBL, Bose, and Marshall, allow attackers in Bluetooth range to eavesdrop, manipulate firmware, and even impersonate headphones to hijack smartphones.
The vulnerabilities, CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, were discovered by Dennis Heinze and Frieder Steinmetz of German cybersecurity firm ERNW. While the existence of the flaws was initially disclosed in June 2025, the researchers delayed full technical publication to give vendors time to patch affected products.
The issues stem from a custom protocol known as RACE, short for “Realtek/Airoha Command Extensions,” found in firmware for Airoha Bluetooth System-on-Chips (SoCs). These chips power a large number of consumer headphones and earbuds across both premium and budget segments, particularly in the True Wireless Stereo (TWS) market.
RACE was designed for factory diagnostics and vendor customization. However, ERNW found that in many devices, the protocol is exposed over both Bluetooth Low Energy (BLE) and Bluetooth Classic (BR/EDR) without requiring any authentication or pairing.
This configuration leads to the following critical issues:
- CVE-2025-20700: Missing authentication in GATT (BLE), allowing unauthenticated access to sensitive services.
- CVE-2025-20701: No pairing enforcement over Bluetooth Classic, exposing services like Hands-Free Profile (HFP) for microphone access.
- CVE-2025-20702: The RACE protocol provides unauthenticated read/write access to RAM and flash memory, enabling firmware tampering, data exfiltration, and code execution.
Because these flaws can be exploited without any user interaction, any device within Bluetooth range (~10 meters) is a potential target.
During their research, ERNW demonstrated how an attacker can silently connect to a vulnerable headphone via BLE, dump its firmware to extract stored Bluetooth link keys, and then use those keys to impersonate the headphone to a paired smartphone. Once impersonation is successful, attackers can:
- Initiate phone calls or accept incoming calls silently.
- Access the victim's phone number and contacts using HFP commands.
- Trigger voice assistants like Siri or Google Assistant to send texts or perform other actions.
- Eavesdrop using the phone's microphone by silently placing a call to an attacker-controlled number.
In a demonstration shown at 39C3, the researchers used this chain to hijack a WhatsApp session and gain access to Amazon accounts.
Impact and patch status
Airoha, a subsidiary of MediaTek, is a major supplier of Bluetooth chips and provides reference SDKs and firmware to headphone vendors. Many manufacturers adopt Airoha's default configurations without significant changes, including the insecure exposure of the RACE protocol.
Products from Sony, JBL, Bose, Marshall, JLab, Beyerdynamic, Jabra, Teufel, Xiaomi, and others are confirmed to use Airoha chips. Some vendors like Jabra and Marshall explicitly acknowledged the CVEs in firmware updates, but others have not released security advisories or confirmed their status.
Due to the fragmented firmware update ecosystem, where patches are typically delivered via mobile apps that users rarely open, millions of devices are likely still vulnerable.
Given the broad reach of these vulnerabilities, ERNW advises users, especially those at heightened risk, to update headphone firmware via the official apps, disable Bluetooth when not in use, delete old or unused Bluetooth pairings from phones, and consider switching to wired headphones for high-security scenarios.
ERNW disclosed the vulnerabilities to Airoha on March 25, 2025, but only received a response on May 27, following repeated contact attempts. Airoha distributed a fixed SDK to vendors on June 4, just before ERNW's partial public disclosure at TROOPERS 2025. Sony and Marshall failed to respond to direct communications, with Sony only acknowledging the issue after learning it would be presented publicly.
The full disclosure, including the white paper, technical details, and RACE Toolkit, was published on December 27, 2025, along with a presentation at 39C3. The hope is that open publication will push more vendors to act and empower users and researchers to test their own devices.