
Headphones can be hacked and controlled via a security vulnerability. This has been confirmed by German security researchers. Theoretically, this could be used to trigger calls or use the microphone as a bug.
Researchers from the German security company ERNW (European Research & Network Security) have discovered a serious vulnerability in Bluetooth headphones and reported on it. Bluetooth headphones that use chips from the Taiwanese manufacturer Airoha are affected - and there are a lot of them. The manufacturers affected include well-known brands such as Sony, JBL, Bose and Marshall. At least in theory, the problem affects millions of headphones, which could be exposed to attacks.
The problem lies in the Bluetooth chips from Airoha, a supplier that is particularly well known for true wireless headphones. These chips enable the transmission of sound signals from smartphones to in-ear headphones, for example. Airoha has integrated a proprietary protocol into its chips that theoretically allows attackers to access the flash memory and RAM of the devices wirelessly - without the need for authorisation or the usual pairing.
Security researchers from ERNW were able to manipulate the protocol in such a way that they could take control of Bluetooth headphones, i.e. hijack the connection between a pair of headphones and the user's smartphone without them realising anything.
For example, the attackers could read the headphones' RAM to find out which media is currently being played - a rather harmless scenario. More serious is the realisation that the researchers were also able to read the user's phone number and call logs. In some cases, it was even possible to search through the smartphone's address book.
Especially worrying: the researchers were able to manipulate the headphones so that they functioned like a bug. By pretending to be the connected smartphone, the attackers were able to activate the headphones' microphones and forward recorded conversations to themselves. It was also possible to trigger calls in the tests.
The researchers at ERNW categorised the vulnerabilities as critical (CVE-2025-20702, CVSS 9.6/10), while Airoha, the manufacturer of the affected chip, played down the severity. According to Airoha, the attacks are too complex and the impact on the connected devices is low.
The researchers tested a wide range of headphone models, but the list of affected devices is likely to be much longer. Some popular models from major manufacturers such as Sony, JBL and Bose were affected in the test. Apple's AirPods were not affected, as they have different chips installed.
The following models have already been confirmed:
Airoha made an updated software development kit available at the beginning of June to fix the vulnerability. The ball is now in the headphone manufacturers' court, who must provide their products with the necessary security updates. Until then, users will have to be patient. After all, an attack on a private individual's headphones seems very unlikely.