Bluetooth Flaws May Turn Audio Devices into Spy Tools

Advisory ID: NCC-CSIRT-2025-009

Summary: 

Researchers at the German cybersecurity firm ERNW disclosed three vulnerabilities affecting Airoha Bluetooth SoCs, chipsets commonly used in True Wireless Stereo (TWS) earbuds, headphones, speakers, and microphones from major vendors. The flaws could enable attackers to hijack devices within ~10 m Bluetooth range, access call history, contacts, audio streams, and even remotely activate microphones via the Hands-Free Profile (HFP). 

Damage/Probability: MEDIUM/Critical

Product(s): 

• Sony Microphone
• Bose QuietComfort/Noise Cancelling Earbuds
• JBL Live Earbuds
• Beyerdynamic Amiron Microphone
• Marshall ACTON/MAJOR/STANMORE Microphone
• Jabra Elite Microphone

Version(s): 

• Sony (e.g., WH‑1000XM3/4/5)
• All versions of Bose QuietComfort/Noise Cancelling Earbuds,
• JBL Live Buds 3
• Beyerdynamic Amiron 300
• All versions of Marshall ACTON/MAJOR/STANMORE
• Jabra Elite 8 Active

Platform(s): 

Bluetooth

Description: 

The researchers identified three security vulnerabilities in Airoha Bluetooth System-on-Chip (SoC) firmware used in a wide range of Bluetooth audio devices. These flaws exist in both Bluetooth Classic and Bluetooth Low Energy (BLE) protocols and primarily affect devices implementing the Hands-Free Profile (HFP) and proprietary debug interfaces.

      1. CVE-2025-20700 – Unauthenticated GATT Access over BLE

• Airoha SoCs expose BLE GATT services without proper access control. An attacker in range (~10 meters) can perform unauthenticated reads and writes to GATT characteristics. This allows:

  • Extraction of metadata (e.g., media status, battery level)
  • Memory manipulation and limited device control

   2. CVE-2025-20701 – Unauthorized Access via Bluetooth Classic

  Bluetooth Classic implementations fail to enforce authentication before accepting control commands. An attacker can:

  • Connect to the device without pairing
  • Hijack control channels used for media playback and HFP
  • Initiate silent calls and activate voice assistants

   3. CVE-2025-20702 – Exploitable Debug Protocol

  Airoha firmware includes an undocumented debug protocol accessible over Bluetooth. This allows attackers to:

  • Dump RAM and Flash memory
  • Extract Bluetooth link keys and other sensitive data
  • Inject or alter memory contents
  • Activate microphone and audio streams remotely

   The exploitation Conditions include:

  • Proximity: All exploits require physical proximity (typically <10 m).
  • No user interaction: Attacks can be carried out without pairing or user consent.
  • Complexity: While requiring specialized knowledge, tools and public documentation lower the barrier for advanced attackers.
  This combination of flaws enables remote memory access, device control, and audio surveillance, compromising the security guarantees of modern Bluetooth peripherals.

Impacts: 

The flaws let nearby attackers secretly turn Bluetooth audio devices into listening tools, steal call data, and access device memory, posing a serious privacy and surveillance risk.

Solutions: 

• Check for firmware updates from device vendors regularly—many are only beginning to release patches following Airoha’s SDK update.
• Temporarily disable Bluetooth or set devices to undiscoverable, especially in sensitive environments.
• Avoid using vulnerable audio devices where confidentiality is critical (e.g., meetings, investigations).

References:

• https://www.bleepingcomputer.com/news/security/bluetooth-flaws-could-let-hackers-spy-through-your-microphone/

• https://www.techradar.com/pro/security/this-worrying-bluetooth-security-flaw-could-let-hackers-spy-on-your-device-via-microphone

• https://www.archynewsy.com/bluetooth-security-hacker-microphone-spy-risk/#google_vignette

• https://www.blackhatethicalhacking.com/news/bluetooth-bugs-in-sony-bose-jbl-devices-could-let-hackers-spy-or-place-calls/#google_vignette