Bluetooth Headphone Jacking: A Key to Your Phone

Day 1 23:00 One en Security
Dec. 27, 2025 23:00-00:00
Bluetooth headphones and earbuds are everywhere, and we were wondering what attackers could abuse them for. Sure, they can probably do things like finding out what the person is currently listening to. But what else? During our research we discovered three vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) in popular Bluetooth audio chips developed by Airoha. These chips are used by many popular device manufacturers in numerous Bluetooth headphones and earbuds. The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral. This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices. Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).

Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK).

During our Bluetooth Auracast research we stumbled upon a pair of these headphones. During the process of obtaining the firmware for further research we initially discovered the powerful custom Bluetooth protocol called RACE. The protocol provides functionality to take full control of headphones. Data can be written to and read from the device's flash and RAM. h The goal of this presentation is twofold. Firstly, we want to inform about the vulnerabilities. It is important that headphone users are aware of the issues. In our opinion, the vendors have done a very bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.

Secondly, we want to discuss the general implications of compromising Bluetooth peripherals. As smart phones are becoming increasingly secure, the focus for attackers might shift to other devices in the environment of the smart phone. For example, when the Bluetooth Link Key, that authenticates a Bluetooth connection between the smart phone and the peripheral is stolen, an attacker might be able to impersonate the peripheral and gain its capabilities.

Speakers of this event

No avatar
Dennis Heinze

Dennis Heinze is a Senior Security Researcher and Penetration Tester at ERNW Enno Rey Netzwerke GmbH. He earned his Master’s degree in IT-Security at TU Darmstadt with a focus on network and system security. In the past, he published research on the Bluetooth technology in the Apple ecosystem with on the analysis and security of Bluetooth protocol implementations. Other work included the research into the security properties of Bluetooth Auracast. In his work at ERNW, the focus of his work is on pentesting mobile and embedded devices as well as their communication and back end systems.

  • Bluetooth Headphone Jacking: A Key to Your Phone
No avatar
Frieder Steinmetz

Frieder Steinmetz works as Senior Security Analyst at ERNW Enno Rey Netzwerke GmbH. He earned his Master’s degree on the security of embedded and cyber-physical devices from the Technical University of Hamburg. He has a background in cryptography, published work on the security of encrypted messaging protocols and malicious USB devices and Bluetooth security. His work focuses on pentesting embedded devices, as well as their back-end communication and infrastructure. He regularly gives Trainings on subjects such as IoT, RFID/NFC Hacking, web application pentesting and communications security.

  • Bluetooth Headphone Jacking: A Key to Your Phone