Bluetooth headphones, which many consider a safe accessory, have unexpectedly become vulnerable to attacks on smartphones. A new study has revealed several critical vulnerabilities in Airoha Bluetooth chips, which are used in millions of TWS headphones from brands such as Sony, JBL, Marshall, and Jabra, according to media reports.
The root of the problem lies in the RACE diagnostic protocol, which is intended for factory debugging. It turns out that it remains active in production headphones and does not require authentication. This means that anyone within Bluetooth range can connect to the headset without the owner's knowledge. Access to RACE gives an attacker elevated privileges on the device.
The report states that researchers were able not only to read and modify data in the memory and flash storage of the headphones but also to obtain information about the content being played. However, the most alarming aspect is that the lack of a proper device pairing process allows an attacker to access the headset's microphone. This opens the door to covert eavesdropping. Moreover, the researchers highlighted a scenario they called "Headphone Jacking." This exploit can extract the Bluetooth Link Key from the headset's memory—a cryptographic key necessary for a secure connection to a smartphone. With it, a hacker can impersonate "native" headphones and connect directly to the victim's phone.
In this case, it is not just about compromising an accessory. Gaining access to the smartphone, an attacker can activate the voice assistant, send messages, answer calls, or intercept audio streams without notifying the owner. Thus, the device effectively becomes a surveillance tool. The vulnerabilities have been identified as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702. The study confirmed the presence of these vulnerabilities in several popular models, including the flagship Sony WH-1000XM5 and JBL and Marshall headphones.
However, a complete list of affected devices has not yet been established, as Airoha chips are used too widely, and the Bluetooth device ecosystem remains highly fragmented.
