I don't have time right now to watch the video and will be coming back to do so later, but here's a couple of snippets from the text on that page that made me want to bother watching (either they're overhyping it, or it sounds interesting and significant)
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
And everyone got mad at OpenBSD for refusing to develop bluetooth.
It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..
I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. Everyone seems to use bluetooth headphones exclusively (in Sweden at least), I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
I was also trying to debug bluetooth “glitching audio” issues and tried to figure out signal strength as the first troubleshooting step: I discovered that people don’t even expose signal strength anymore… the introspection into what’s happening extends literally nowhere, including not showing signal strength… truly, the whole thing is cursed and I’m shocked it works for the masses the way it does.. can you imagine not displaying wifi signal strength?
> part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
Is it scary? Bluetooth is wildly convenient, and mostly works most of the time. There are definite software issues, and there are security issues, but for most of us, we're not going to run into them that often. (Well, ok - maybe not for most of the people on this site.)
I'm going to continue using my bluetooth headphones, because the odds of a nefarious hacker with a linux laptop attacking me directly are wildly low. In terms of security, my time & money would be better spent buying a steering0-wheel-lock-bar for my car, or a mechanical timer that will turn the lights on & off in my house randomly at night.
This has been a lie since day one. The Sony Xperia line has been waterproof for over 10 years and continues to have a headphone jack and an SD card slot. That with their minimal Android tweaks is the main reason to even consider their phones.
Ah yes, the removal of headphone jacks, the gift that keeps on giving
Funny that there were always some people here pushing bt audio as "the future", whom I can only assume were the technically shallow but very opinionated people that would die on the smallest technical hills
Haven't watched the video yet, but I think this capability was leaked by VP Kamala Harris during her recent interview with the Late Night Show [0]. She stated she doesn't use wireless headphones because she's been in security meetings and knows they're not safe.
I guess what she was trying to say is "Anything wireless is bad in term of security". We don't really know whether the bad guy already has technology to decode wireless protocol we are going to use, so it's best to assume they already have and reduce the attack surface for them.
There is little encryption being done by bluetooth, while wifi, many layers add their own encryption to the data.
Glad this submission is finally receiving upvotes.
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
These (and others?) actually have a wired option (even provide the cable) for listening. Sadly the built-in microphone doesn't work in 'wired mode' (though ANC does).
You could get at at "cable boom microphone", e.g.:
Most audiophiles ignore bluetooth headphones due to sound quality + latency, so we (audiophiles) stick to wired at home and we also have dedicated headphone amps since the pissy sound card D/A convertors are incredibly bad. Bluetooth only when I’m doing yard work. Sadly, modern music is tuned to crappy headphones, crappy car systems, crappy speakers … I miss the 80’s audiophile obsession, the equipment had heart, and mixing and mastering was generations ahead of current (mainstream) music production.
From a security point of view music listening is quite marginal, I think. The vulnerable headsets make conversations trivial to eavesdrop.
Average communication input is in a noisy environment (colleagues, family, wind, equipment, car), and is compressed both in the dynamic range and bitrate sense before sending out. The transport medium then provides latency and packet loss. The fidelity of the audio equipment on the receiving side plays very little role. I imagine even audiophiles quite readily use even below mid-range wireless headsets for conversations, just because they are more convenient.
In other words, I don't take calls on my wired AKG headphones, even though my phone has a 3.5mm jack. I'm particularly fond of my €30 in-ear BT headset that provides good enough input and output even when I'm biking. I can't be bothered to check if the model is on the vulnerable devices list, the phone company / Meta / Alphabet / some governments and so on can surveil my communications anyway. Adding a random passer-by to the mix does not meaningfully increase the attack surface. Plus they might get to listen to awesome music, if I'm not on a call.
This is just a chip with debug mode left on and does not allow anyone to hijack audio stream or anything interesting. (Just in case anyone’s checking the comments because they don’t want to watch a long ass video and they notice all the comments are essentially off topic)
Sounds like you should have actually watched the “long ass video”.
It allows the pairing key to be exfiltrated from the compromised device and an external, attacker controlled device to perform any function the original device could. This includes retrieving the paired devices phone number, answering phone calls, and receiving the audio. They live demo hijacking a whatsapp account using this.
> We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
Can't watch the video now. But I wonder to what extent they can take over a smartphone? Can they make a headphone look like a keyboard/mouse, for example?
Second question: can the whole problem be remedied by installing a firmware update?
checking my understanding: this vuln is in the firmware for specific airoha chipsets; e.g. if a bluetooth device is listed as using a qualcomm chipset then it's unaffected by this specific vuln?
... though I wouldn't be surprised if we see a burst of similar disclosures for other manufacturers in the next year or so
I couldn't find anything from Sony confirming that these specific vulnerabilities had been patched, so i tried to reproduce the steps from the whitepaper using nRF Connect [1] with my Sony WH-1000XM4 on the latest firmware version.
There was no response to the Get Build Version command, and the Read Flash command returned an error. So tentatively (with false negatives possible), it seems to have been patched on Sony devices. I don't have a linux box with bluetooth handy ATM so I didn't try using the race-toolkit directly.
I didn't see a summary in here so based on my reading:
* Certain headset devices from varying vendors have crappy BT security over both bluetooth classic and BLE
* They implement a custom protocol called RACE which can do certain things with no authentication at all
* One of the things RACE lets you do is read arbitrary memory and exfiltrate keys needed to impersonate the vulnerable device with your already-paired phone
* Once you're impersonating the vulnerable device you can do all sorts of things on the paired phone like place/accept calls, listen on the microphone, etc.
This is pretty bad and you can easily see this being used to bypass other layers of auth like SMS verification or "have a robot call me and read me a code." It also makes me wonder if a spoofed device could appear as a HID device (e.g. a keyboard), but it's unclear whether the link key compromise works for new device classes.
So the way to mitigate this is to be certain you don't have one of the vulnerable peripherals or to disable BT. Note that the list of device models sounds *far* from complete because it's a chipset issue. Which makes me wonder if there are cars out there using this chipset and exposing the same vulns. I'd be very interested if anyone has a source on whether any cars use these chipsets.
Is there a fuller list of headsets that are affected being maintained anywhere? I could not find it. Since most manufacturers tend to reuse components, we can expect that more Sony stuff is affected, and probably more JBL/Jabra/Bose/Marshall that they didn't have access to.
Based on their timeline, full credit to Beyerdynamic!
Partial credit to Airoha, they took a long time to initiate the communications, but once they did, they seemed to take it seriously.
No credit to Sony and Marshall, as they either didn't, or effectively didn't, respond.
Unknown credit to Bose, JBL, Jabril, EarisMax, MoerLabs, and Teufel, as they don't appear in the timeline.
33 comments
[ 2.7 ms ] story [ 50.7 ms ] thread> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..
I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. Everyone seems to use bluetooth headphones exclusively (in Sweden at least), I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
I was also trying to debug bluetooth “glitching audio” issues and tried to figure out signal strength as the first troubleshooting step: I discovered that people don’t even expose signal strength anymore… the introspection into what’s happening extends literally nowhere, including not showing signal strength… truly, the whole thing is cursed and I’m shocked it works for the masses the way it does.. can you imagine not displaying wifi signal strength?
Is it scary? Bluetooth is wildly convenient, and mostly works most of the time. There are definite software issues, and there are security issues, but for most of us, we're not going to run into them that often. (Well, ok - maybe not for most of the people on this site.)
I'm going to continue using my bluetooth headphones, because the odds of a nefarious hacker with a linux laptop attacking me directly are wildly low. In terms of security, my time & money would be better spent buying a steering0-wheel-lock-bar for my car, or a mechanical timer that will turn the lights on & off in my house randomly at night.
Funny that there were always some people here pushing bt audio as "the future", whom I can only assume were the technically shallow but very opinionated people that would die on the smallest technical hills
[0] https://youtu.be/BD8Nf09z_38 (Timestamp 18:40)
There is little encryption being done by bluetooth, while wifi, many layers add their own encryption to the data.
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
RACE Reverse Engineered - CLI Tool: https://github.com/auracast-research/race-toolkit
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
These (and others?) actually have a wired option (even provide the cable) for listening. Sadly the built-in microphone doesn't work in 'wired mode' (though ANC does).
You could get at at "cable boom microphone", e.g.:
* https://www.amazon.com/dp/B07W3GGRF2
* https://www.amazon.com/dp/B00BJ17WKK
Maybe the XM7 will have it (along with wired audio controls) via a CTIA/AHJ TRRS plug:
* https://en.wikipedia.org/wiki/Phone_connector_(audio)#TRRS_s...
or via USB audio.
Average communication input is in a noisy environment (colleagues, family, wind, equipment, car), and is compressed both in the dynamic range and bitrate sense before sending out. The transport medium then provides latency and packet loss. The fidelity of the audio equipment on the receiving side plays very little role. I imagine even audiophiles quite readily use even below mid-range wireless headsets for conversations, just because they are more convenient.
In other words, I don't take calls on my wired AKG headphones, even though my phone has a 3.5mm jack. I'm particularly fond of my €30 in-ear BT headset that provides good enough input and output even when I'm biking. I can't be bothered to check if the model is on the vulnerable devices list, the phone company / Meta / Alphabet / some governments and so on can surveil my communications anyway. Adding a random passer-by to the mix does not meaningfully increase the attack surface. Plus they might get to listen to awesome music, if I'm not on a call.
Now I need to setup to check if my headphones are still vulnerable...
It allows the pairing key to be exfiltrated from the compromised device and an external, attacker controlled device to perform any function the original device could. This includes retrieving the paired devices phone number, answering phone calls, and receiving the audio. They live demo hijacking a whatsapp account using this.
Can't watch the video now. But I wonder to what extent they can take over a smartphone? Can they make a headphone look like a keyboard/mouse, for example?
Second question: can the whole problem be remedied by installing a firmware update?
https://news.ycombinator.com/item?id=46406310
... though I wouldn't be surprised if we see a burst of similar disclosures for other manufacturers in the next year or so
https://www.cvefind.com/en/cve/CVE-2025-20700.html
https://www.cvefind.com/en/cve/CVE-2025-20701.html
https://www.cvefind.com/en/cve/CVE-2025-20702.html
There was no response to the Get Build Version command, and the Read Flash command returned an error. So tentatively (with false negatives possible), it seems to have been patched on Sony devices. I don't have a linux box with bluetooth handy ATM so I didn't try using the race-toolkit directly.
[1] https://static.ernw.de/whitepaper/ERNW_White_Paper_74_1.0.pd...
So the way to mitigate this is to be certain you don't have one of the vulnerable peripherals or to disable BT. Note that the list of device models sounds *far* from complete because it's a chipset issue. Which makes me wonder if there are cars out there using this chipset and exposing the same vulns. I'd be very interested if anyone has a source on whether any cars use these chipsets.
Don't see any mentions on their last firmware update, and I can't find older ones.
It’s possible they weren’t vulnerable to begin with, it’s also possible they silently patched it.
https://www.bleepingcomputer.com/news/security/undocumented-...
Based on their timeline, full credit to Beyerdynamic!
Partial credit to Airoha, they took a long time to initiate the communications, but once they did, they seemed to take it seriously.
No credit to Sony and Marshall, as they either didn't, or effectively didn't, respond.
Unknown credit to Bose, JBL, Jabril, EarisMax, MoerLabs, and Teufel, as they don't appear in the timeline.