Bluetooth Headphone Jacking: A Key to Your Phone [video]

2026-01-01 11:17 | media.ccc.de


Dennis Heinze and Frieder Steinmetz


Bluetooth headphones and earbuds are everywhere, and we were wondering what attackers could abuse them for. Sure, they can probably do things like finding out what the person is currently listening to. But what else? During our research we discovered three vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) in popular Bluetooth audio chips developed by Airoha. These chips are used by many popular device manufacturers in numerous Bluetooth headphones and earbuds.

The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.

This presentation will give an overview of the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.

Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).

Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK).

During our Bluetooth Auracast research we stumbled upon a pair of these headphones. While obtaining the firmware for further research, we discovered the powerful custom Bluetooth protocol called *RACE*. The protocol provides functionality to take full control of the headphones: data can be written to and read from the device's flash and RAM.

The goal of this presentation is twofold. Firstly, we want to inform users about the vulnerabilities. It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details needed to understand the issues and to enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware, which opens up the possibility to patch and potentially customize the firmware.

Secondly, we want to discuss the general implications of compromising Bluetooth peripherals. As smartphones become increasingly secure, the focus of attackers might shift to other devices in the environment of the smartphone. For example, when the Bluetooth link key that authenticates the connection between the smartphone and the peripheral is stolen, an attacker might be able to impersonate the peripheral and gain its capabilities.

Licensed to the public under http://creativecommons.org/licenses/by/4.0


Comments

  • By miduil 2026-01-01 13:17 · 11 replies

    Glad this submission is finally receiving upvotes.

    This was just shown at the 39C3 in Hamburg, a few days back.

    Common (unpatched) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)

    This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...

    > Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).

    Most vendors gave the security researchers either the silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outliers; Sony, unfortunately, a negative one.

    What is exciting, even though the flaws are awful, is that it is unlikely for the current generation of those Airoha Bluetooth headsets to change away from Airoha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.

    RACE Reverse Engineered - CLI Tool: https://github.com/auracast-research/race-toolkit

    I feel like this should receive state-level attention; the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries' official buildings are when it comes to Bluetooth audio devices. Considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.

    • By willnix 2026-01-01 19:41 · 3 replies

      One of the researchers here. Many people seem to prefer text to videos, which I sympathize with. So please excuse me hijacking the top comment with links to our blog post and white paper:

      Blog: https://insinuator.net/2025/12/bluetooth-headphone-jacking-f...

      Paper: https://ernw.de/en/publications.html

    • By CGMthrowaway 2026-01-02 0:45 · 2 replies

      Kamala Harris, citing seemingly classified intelligence, famously raised the alarm on Bluetooth earphones to Stephen Colbert:

      “I know I've been teased about this, but I like these kinds of earpods that have the thing [pointing to the wire] because I served on the Senate Intelligence Committee. I have been in classified briefings, and I'm telling you, don't be on the train using your earpods thinking somebody can't listen to your conversation.”

      https://www.aol.com/kamala-harris-warns-against-wireless-150...

    • By mschuster91 2026-01-01 18:29

      > This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.

      Fun fact: There are at least two applications that reverse engineered AirPods' communication protocol for custom controls - AndroPods from 2020 [1] and LibrePods from 2024 [2].

      But... mainstream Android has a bug open in their Bluetooth stack for well over a year now that prevents issuing the commands, meaning to actually use the app you need root rights [3].

      [1] https://play.google.com/store/apps/details?id=pro.vitalii.an...

      [2] https://github.com/kavishdevar/librepods/tree/main

      [3] https://issuetracker.google.com/issues/371713238

    • By IshKebab 2026-01-01 14:17 · 2 replies

      Is this an unintentional vulnerability, or is it one of those "we left it open because it's easier and we hoped nobody would notice" kinds of things? I mean, can you just send an "update to this firmware" command completely unauthenticated and it's like "yep sure"? No signing or anything?

    • By Namidairo 2026-01-01 14:21 · 1 reply

      > Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.

      While I don't recall Sony issuing an advisory, I believe the users of their app would have started getting update notifications since they (quietly) released firmware updates.

      > This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.

      I think most vendors are using custom services with their own UUIDs for settings such as this.

      Regardless, I believe there are open client implementations for some of the more popular devices. Gadgetbridge comes to mind in regards to Android, not sure about any Linux equivalent.

    • By macintux 2026-01-01 13:32 · 2 replies

      > Glad this submission is finally receiving upvotes.

      Speaking for myself, I have very little patience for technical videos, so I don't believe I've ever upvoted a YouTube submission.

    • By throw0101a 2026-01-02 3:06

      > WH1000-XM6

      These (and others?) actually have a wired option (even provide the cable) for listening. Sadly the built-in microphone doesn't work in 'wired mode' (though ANC does).

      You could get a "cable boom microphone", e.g.:

      * https://www.amazon.com/dp/B07W3GGRF2

      * https://www.amazon.com/dp/B00BJ17WKK

      Maybe the XM7 will have it (along with wired audio controls) via a CTIA/AHJ TRRS plug:

      * https://en.wikipedia.org/wiki/Phone_connector_(audio)#TRRS_s...

      or via USB audio.

    • By wolvoleo 2026-01-01 18:35

      Cool! Can you play audio to them too? That would be a practical joker's dream lol.

      I'm not surprised Jabra acted quickly. They mainly sell to enterprises, which generally care very much about security. Sony is more a consumer mfg now.

    • By mi_lk 2026-01-01 14:40 · 2 replies

      > This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ..

      That doesn't sound very serious if they're exposed, does it? Can it be used to eavesdrop on my conversation if I'm speaking through the headphones?

    • By keepamovin 2026-01-01 14:54

      Finally, a coherent explanation of AirPods glitches ;)

    • By bgbntty2 2026-01-01 14:20 · 2 replies

      Remote audio surveillance could probably be accomplished on wired headphones with TEMPEST [0]/Van Eck phreaking [1]. Not sure which has a better range and which would be stealthier - TEMPEST or the Bluetooth attack. The Bluetooth attack just requires a laptop. Not sure if the TEMPEST attack would require a big antenna.

      [0] https://en.wikipedia.org/wiki/Tempest_(codename)

      [1] https://en.wikipedia.org/wiki/Van_Eck_phreaking

  • By dijit 2026-01-01 12:49 · 6 replies

    And everyone got mad at OpenBSD for refusing to develop bluetooth.

    It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..

    I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. Everyone seems to use bluetooth headphones exclusively (in Sweden at least), I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.

    I was also trying to debug bluetooth “glitching audio” issues and tried to figure out signal strength as the first troubleshooting step: I discovered that people don’t even expose signal strength anymore… the introspection into what’s happening extends literally nowhere, including not showing signal strength… truly, the whole thing is cursed and I’m shocked it works for the masses the way it does.. can you imagine not displaying wifi signal strength?

    • By stefan_ 2026-01-01 13:11 · 2 replies

      This is not a Bluetooth issue. The chip manufacturer Airoha just felt it acceptable to ship a wireless debug interface that allows reading the SoC memory with no authentication whatsoever, enabled in retail customer builds. They are just not a serious company (which is why their security email didn't work, either).

    • By pavel_lishin 2026-01-02 13:28 · 2 replies

      > part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.

      Is it scary? Bluetooth is wildly convenient, and mostly works most of the time. There are definite software issues, and there are security issues, but for most of us, we're not going to run into them that often. (Well, ok - maybe not for most of the people on this site.)

      I'm going to continue using my bluetooth headphones, because the odds of a nefarious hacker with a linux laptop attacking me directly are wildly low. In terms of security, my time & money would be better spent buying a steering-wheel lock bar for my car, or a mechanical timer that will turn the lights on & off in my house randomly at night.

    • By raverbashing 2026-01-01 13:09 · 1 reply

      Sometimes plugging a cord is a minor inconvenience.

      But sometimes it's a large inconvenience.

      Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)

    • By pyvpx 2026-01-01 13:00 · 2 replies

      Some of us kept using OpenBSD (longer than they should’ve?) because of that and a few other related decisions.

      So who is everyone, in your meaning?

    • By amelius 2026-01-01 15:55 · 6 replies

      Honestly, can't we just ditch BT and send audio over WiFi?

      One thing less to worry about.

    • By jorvi 2026-01-01 15:27

      > And everyone got mad at OpenBSD for refusing to develop bluetooth.

      Alright, so when is OpenBSD patching out USB support? Such a giant exploit vector.

  • By cloudfudge 2026-01-01 20:53

    I didn't see a summary in here so based on my reading:

      * Certain headset devices from varying vendors have crappy BT security over both bluetooth classic and BLE
      * They implement a custom protocol called RACE which can do certain things with no authentication at all
      * One of the things RACE lets you do is read arbitrary memory and exfiltrate keys needed to impersonate the vulnerable device with your already-paired phone
      * Once you're impersonating the vulnerable device you can do all sorts of things on the paired phone like place/accept calls, listen on the microphone, etc.
    
    This is pretty bad and you can easily see this being used to bypass other layers of auth like SMS verification or "have a robot call me and read me a code." It also makes me wonder if a spoofed device could appear as a HID device (e.g. a keyboard), but it's unclear whether the link key compromise works for new device classes.

    So the way to mitigate this is to be certain you don't have one of the vulnerable peripherals or to disable BT. Note that the list of device models sounds *far* from complete because it's a chipset issue. Which makes me wonder if there are cars out there using this chipset and exposing the same vulns. I'd be very interested if anyone has a source on whether any cars use these chipsets.

HackerNews