Bluetooth Security Flaws Linked to Popular Wireless Headphones

Posted on 3rd January, 2026 by Jason Sexton

Newly disclosed Bluetooth vulnerabilities are raising questions about the security of popular wireless headphones.

The disclosure has sparked concern that a large number of devices could be exposed to silent attacks within normal Bluetooth range. The issue came to light following a technical disclosure scheduled for the Chaos Communication Congress (39C3) in late December last year. Researchers outlined three vulnerabilities, reported as CVE-2025-20700, CVE-2025-20701 and CVE-2025-20702, affecting certain Bluetooth audio devices.

At the centre of the disclosure is an internal debug protocol known as RACE, originally intended for factory testing and firmware updates. According to the researchers, this protocol remained active on some production devices and could be accessed over Bluetooth Low Energy and Bluetooth Classic without authentication, something that was never meant to happen outside the factory.

In practical terms, an attacker within Bluetooth range could connect to a vulnerable headset without any user interaction, extract Bluetooth link keys from device memory, and impersonate the headphones to a previously paired smartphone. That could open the door to unauthorised access to call handling, voice assistants and other headset-level functions, all without triggering a new pairing prompt on the phone.

Several cybersecurity outlets have independently confirmed the existence of the vulnerabilities and their technical basis, verifying that the CVEs are legitimate and that affected firmware builds are in circulation. What remains less clear is how often these flaws are being exploited outside controlled research environments.

Researchers have identified a range of affected products from major consumer audio brands, including models sold by Sony, Bose, JBL, Marshall and Jabra. Importantly, the issue does not appear to stem from brand-specific software, but from shared Bluetooth hardware supplied by Airoha, a chipset manufacturer whose components are widely used across the audio industry.

Reports suggest Airoha supplied fixes to OEM partners in early 2025, though patch adoption appears mixed. While some manufacturers have since released firmware updates, others have yet to publicly address the issue. Because updates are typically delivered via companion apps, patched firmware may not be reaching devices at scale. This is hardly surprising. How often do most people actually open their headphone app once everything is set up?

Not all claims circulating online have been independently verified. While researchers have demonstrated headset impersonation and unauthorised Bluetooth access in lab conditions, reports of widespread consumer exploitation or account takeovers remain unconfirmed at the time of writing. Any real-world attacks would still require proximity and a fair degree of technical expertise.

Apple’s AirPods are not believed to be affected, as they use a different Bluetooth architecture. For owners potentially affected, the immediate advice is to ensure headphone firmware is up to date, remove unused Bluetooth pairings, and disable Bluetooth when it is not needed. Users operating in higher-risk environments may also wish to consider wired headphones for added peace of mind.

The episode highlights how deeply headphones are now integrated into smartphones and digital assistants, and how security, once secondary to sound quality and convenience, has become a core design responsibility. We will update this story as further information becomes available.

Jason Sexton

Jason joined StereoNET in 2025 and now serves as ANZ Editor, bringing decades of experience in marketing, brand development, and specialist hi-fi retail. His listener-first approach delivers grounded insights that cut through the noise. Outside audio, he’s into cars, trail riding, 80s nostalgia, and guitar.
