https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/
https://archive.is/kK9ja
Security Advisory: Airoha-based Bluetooth Headphones and Earbuds
Any vulnerable device can be compromised if the attacker is in Bluetooth range (note: officially 10 m). That is the only precondition.
During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference.
Introduction
Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK).
Vulnerability Description
At this point, we do not want to disclose too many details, such as proof-of-concept code (PoCs) or overly technical information. We want to raise awareness of these vulnerabilities, especially of their impact and of the difficulties around patching them.
In short, these devices expose a powerful custom protocol that allows manipulating the device by, for example, reading and writing RAM or reading and writing flash. We found this protocol to be exposed via BLE GATT to an unpaired attacker. It is also exposed as an RFCOMM channel via Bluetooth BR/EDR (also known as Bluetooth Classic), and missing authentication on that channel allows an attacker to use the protocol without pairing with the device. At this point, we decided not to disclose the name of the protocol.
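Missing authentication on GATT, as described above, is something a practitioner can check without knowing the protocol: connect to the device from a host that has never paired with it, enumerate its characteristics, and send a Write Request to each writable value handle. A server that enforces a security requirement answers with an ATT Error Response (Insufficient Authentication, 0x05, or Insufficient Encryption, 0x0F) instead of a Write Response. The following Python is an added example, not code from this advisory or from Airoha's SDK: it decodes the two PDUs involved and classifies the outcome. All PDUs are constructed for illustration, and the handles and the UUIDs 0xFF01/0xFF02 are made up; they do not identify the undisclosed protocol.

```python
"""What an unpaired GATT client sees and gets, decoded from raw ATT PDUs.

Added example, not code from the advisory or from Airoha's SDK. Parses a
Read By Type Response carrying characteristic declarations (what a client
receives when enumerating characteristics) and classifies the server's
answer to a Write Request sent over an unpaired, unencrypted link.
All PDUs are constructed; handles and UUIDs 0xFF01/0xFF02 are made up.
"""
import struct
from dataclasses import dataclass

# ATT opcodes (Bluetooth Core Specification, Vol. 3, Part F)
ATT_ERROR_RSP = 0x01
ATT_READ_BY_TYPE_RSP = 0x09
ATT_WRITE_REQ = 0x12
ATT_WRITE_RSP = 0x13

# ATT error codes a server returns when an attribute really is protected
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_INSUFFICIENT_AUTHORIZATION = 0x08
ATT_INSUFFICIENT_ENCRYPTION = 0x0F
PROTECTED_ERRORS = (ATT_INSUFFICIENT_AUTHENTICATION,
                    ATT_INSUFFICIENT_AUTHORIZATION,
                    ATT_INSUFFICIENT_ENCRYPTION)

# Characteristic properties bitfield (first byte of a 0x2803 declaration value)
PROP_BITS = {0x01: "broadcast", 0x02: "read", 0x04: "write-without-response",
             0x08: "write", 0x10: "notify", 0x20: "indicate",
             0x40: "signed-write", 0x80: "extended-properties"}


@dataclass
class Characteristic:
    decl_handle: int
    properties: int
    value_handle: int
    uuid: str

    @property
    def writable(self) -> bool:
        """True if the declaration advertises Write or Write Without Response."""
        return bool(self.properties & (0x04 | 0x08))

    def prop_names(self):
        return [name for bit, name in PROP_BITS.items() if self.properties & bit]


def parse_read_by_type_rsp(pdu: bytes):
    """Decode characteristic declarations from a Read By Type Response.

    Layout: opcode 0x09, length of each attribute data item, then items of
    (declaration handle LE16, properties, value handle LE16, UUID LE16/LE128).
    """
    if not pdu or pdu[0] != ATT_READ_BY_TYPE_RSP:
        raise ValueError("not a Read By Type Response")
    item_len = pdu[1]
    chars = []
    for off in range(2, len(pdu), item_len):
        item = pdu[off:off + item_len]
        if len(item) != item_len:
            raise ValueError("truncated attribute data list")
        decl_handle, props, value_handle = struct.unpack_from("<HBH", item)
        raw_uuid = item[5:]
        if len(raw_uuid) == 2:
            uuid = "%04x" % struct.unpack("<H", raw_uuid)[0]
        elif len(raw_uuid) == 16:
            uuid = raw_uuid[::-1].hex()      # little-endian on the wire; show big-endian
        else:
            raise ValueError("unexpected UUID length %d" % len(raw_uuid))
        chars.append(Characteristic(decl_handle, props, value_handle, uuid))
    return chars


def classify_write_outcome(request: bytes, response: bytes) -> str:
    """Say whether a Write Request over an unpaired link was accepted.

    A Write Response means the attribute had no security requirement; an
    Error Response with 0x05/0x08/0x0F means the server enforced one.
    """
    if not request or request[0] != ATT_WRITE_REQ:
        raise ValueError("not a Write Request")
    handle = struct.unpack_from("<H", request, 1)[0]
    if response[0] == ATT_WRITE_RSP:
        return "handle 0x%04x: write ACCEPTED without pairing" % handle
    if response[0] == ATT_ERROR_RSP:
        _req_opcode, err_handle, code = struct.unpack_from("<BHB", response, 1)
        if code in PROTECTED_ERRORS:
            return "handle 0x%04x: write rejected, security required (0x%02x)" % (err_handle, code)
        return "handle 0x%04x: write rejected with ATT error 0x%02x" % (err_handle, code)
    raise ValueError("unexpected response opcode 0x%02x" % response[0])


# Constructed sample traffic (not captured from any device).
SAMPLE_READ_BY_TYPE_RSP = bytes.fromhex(
    "09 07"                     # Read By Type Response, 7-byte items
    "10 00 0a 11 00 01 ff"      # decl 0x0010: read|write, value handle 0x0011, UUID 0xFF01
    "12 00 14 13 00 02 ff"      # decl 0x0012: write-without-response|notify, value 0x0013, UUID 0xFF02
)
SAMPLE_WRITE_REQ = bytes.fromhex("12 11 00 01 02")   # Write Request to 0x0011 with two bytes
SAMPLE_WRITE_RSP = bytes.fromhex("13")               # server accepted it
SAMPLE_ERROR_RSP = bytes.fromhex("01 12 11 00 05")   # Insufficient Authentication for 0x0011


def unpaired_write_targets(pdu: bytes = SAMPLE_READ_BY_TYPE_RSP):
    """Characteristics an unpaired client should write to while watching the reply."""
    return [c for c in parse_read_by_type_rsp(pdu) if c.writable]


if __name__ == "__main__":
    for c in unpaired_write_targets():
        print("value handle 0x%04x uuid %s props %s" % (c.value_handle, c.uuid, c.prop_names()))
    print(classify_write_outcome(SAMPLE_WRITE_REQ, SAMPLE_WRITE_RSP))
    print(classify_write_outcome(SAMPLE_WRITE_REQ, SAMPLE_ERROR_RSP))
```

A Write Response to an unpaired client only shows that the attribute carries no security requirement; whether that is a finding depends on what sits behind the characteristic, which in the case above is the vendor protocol's command channel. The same classification works for Read Requests (Read Response versus Error Response), and a device that instead triggers pairing when the write arrives is behaving correctly.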
The vulnerabilities are listed under the following CVE numbers that will be published in the future:
CVE-2025-20700: Missing Authentication for GATT Services
CVE-2025-20701: Missing Authentication for Bluetooth BR/EDR
CVE-2025-20702: Critical Capabilities of a Custom Protocol
More information will follow in a detailed blog post and white paper later.
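For the Bluetooth Classic side (CVE-2025-20701 above), the first step is the same enumeration from an unpaired host: SDP service discovery does not require pairing, so a peer can read the device's service records and see which RFCOMM server channels they advertise before trying to connect to them. The following parser is an added example, not code from this advisory or from Airoha's SDK; it decodes the SDP data element format and extracts the channel numbers from a record's ProtocolDescriptorList. The record bytes are constructed (a generic Serial Port Profile entry on channel 5) and say nothing about the undisclosed protocol or its channel.

```python
"""Find the RFCOMM server channels an SDP service record advertises.

Added example, not code from the advisory or from Airoha's SDK. Decodes the
SDP data element encoding (Bluetooth Core Specification, Vol. 3, Part B) and
pulls the RFCOMM channel numbers out of a record's ProtocolDescriptorList.
The sample record is constructed: a generic Serial Port Profile entry on
channel 5, nothing that identifies the undisclosed Airoha protocol.
"""

# SDP data element types (upper five bits of the header byte)
DE_NIL, DE_UINT, DE_SINT, DE_UUID, DE_TEXT, DE_BOOL, DE_SEQ, DE_ALT, DE_URL = range(9)

# Well-known 16-bit UUIDs and attribute IDs used below
UUID_L2CAP, UUID_RFCOMM, UUID_SERIAL_PORT = 0x0100, 0x0003, 0x1101
ATTR_SERVICE_RECORD_HANDLE = 0x0000
ATTR_SERVICE_CLASS_ID_LIST = 0x0001
ATTR_PROTOCOL_DESCRIPTOR_LIST = 0x0004
ATTR_SERVICE_NAME = 0x0100      # ServiceName for the primary language (base 0x0100)


class UUID(int):
    """A UUID value, kept distinct from plain unsigned integers in the same record."""


def _read_element(buf: bytes, off: int):
    """Decode one data element at buf[off]; return (type, value, next_offset)."""
    header = buf[off]
    typ, size_idx = header >> 3, header & 0x07
    off += 1
    if typ == DE_NIL:                      # nil carries no size and no payload
        return typ, None, off
    if size_idx <= 4:                      # fixed sizes 1, 2, 4, 8, 16 bytes
        length = 1 << size_idx
    elif size_idx == 5:                    # 8-bit length field follows
        length, off = buf[off], off + 1
    elif size_idx == 6:                    # 16-bit length field follows
        length, off = int.from_bytes(buf[off:off + 2], "big"), off + 2
    else:                                  # 32-bit length field follows
        length, off = int.from_bytes(buf[off:off + 4], "big"), off + 4
    body, end = buf[off:off + length], off + length
    if len(body) != length:
        raise ValueError("truncated data element at offset %d" % off)
    if typ in (DE_UINT, DE_SINT):
        return typ, int.from_bytes(body, "big", signed=(typ == DE_SINT)), end
    if typ == DE_UUID:                     # 16-, 32- or 128-bit, big-endian
        return typ, UUID(int.from_bytes(body, "big")), end
    if typ in (DE_TEXT, DE_URL):
        return typ, body.decode("utf-8", "replace"), end
    if typ == DE_BOOL:
        return typ, bool(body[0]), end
    if typ in (DE_SEQ, DE_ALT):            # nested elements until the end of the body
        items, pos = [], off
        while pos < end:
            _, value, pos = _read_element(buf, pos)
            items.append(value)
        return typ, items, end
    raise ValueError("unknown data element type %d" % typ)


def parse_service_record(raw: bytes) -> dict:
    """A service record is a sequence of (attribute id uint16, value) pairs."""
    typ, seq, _ = _read_element(raw, 0)
    if typ != DE_SEQ or len(seq) % 2:
        raise ValueError("service record must be a sequence of id/value pairs")
    return dict(zip(seq[0::2], seq[1::2]))


def rfcomm_channels(record: dict) -> list:
    """RFCOMM server channels from the ProtocolDescriptorList.

    The list is a sequence of protocol stacks; each stack is [UUID, params...],
    and for RFCOMM the first parameter is the uint8 server channel.
    """
    channels = []
    for stack in record.get(ATTR_PROTOCOL_DESCRIPTOR_LIST, []):
        if (isinstance(stack, list) and len(stack) >= 2
                and isinstance(stack[0], UUID) and stack[0] == UUID_RFCOMM):
            channels.append(stack[1])
    return channels


# Constructed record: ServiceRecordHandle, ServiceClassIDList, ProtocolDescriptorList, ServiceName.
SAMPLE_RECORD = bytes.fromhex(
    "35 31"                         # sequence, 49 bytes of attributes follow
    "09 00 00  0a 00 01 00 00"      # 0x0000 ServiceRecordHandle: uint32 0x00010000
    "09 00 01  35 03 19 11 01"      # 0x0001 ServiceClassIDList: [UUID16 0x1101 SerialPort]
    "09 00 04  35 0c"               # 0x0004 ProtocolDescriptorList: sequence of
    "35 03 19 01 00"                #   [UUID16 0x0100 L2CAP]
    "35 05 19 00 03 08 05"          #   [UUID16 0x0003 RFCOMM, uint8 channel 5]
    "09 01 00  25 0b 53657269616c20506f7274"   # 0x0100 ServiceName: "Serial Port"
)


def exposed_channels(raw: bytes = SAMPLE_RECORD) -> list:
    """Channels a Classic peer can reach before pairing if the device never asks for authentication."""
    return rfcomm_channels(parse_service_record(raw))


if __name__ == "__main__":
    rec = parse_service_record(SAMPLE_RECORD)
    print("service:", rec.get(ATTR_SERVICE_NAME),
          "classes:", [hex(u) for u in rec[ATTR_SERVICE_CLASS_ID_LIST]])
    print("RFCOMM channels:", exposed_channels())
```

Advertising a channel is not itself a flaw; the finding in the advisory is that the connection to the channel and the protocol behind it are accepted without the link ever being authenticated. The check is therefore to connect to each listed channel from a host with no stored link key for the device and watch whether the device requests authentication before it accepts data.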
Affected Devices
The SoCs are used in devices such as headsets, earbuds, dongles, speakers, and wireless microphones. However, it is infeasible for us to comprehensively survey and identify all affected products.
During our research, we purchased a number of devices and analyzed devices from friends and colleagues. We can confirm that the issues are prevalent in many entry-level and flagship models. Vendors we confirmed ourselves are Beyerdynamic, Marshall, and Sony. Furthermore, we know of many more devices using the chips that we assume to be vulnerable, too.
The following devices were confirmed to be vulnerable:
Beyerdynamic Amiron 300
Bose QuietComfort Earbuds
EarisMax Bluetooth Auracast Sender
Jabra Elite 8 Active
JBL Endurance Race 2
JBL Live Buds 3
Jlab Epic Air Sport ANC
Marshall ACTON III
Marshall MAJOR V
Marshall MINOR IV
Marshall MOTIF II
Marshall STANMORE III
Marshall WOBURN III
MoerLabs EchoBeatz
Sony CH-720N
Sony Link Buds S
Sony ULT Wear
Sony WF-1000XM3
Sony WF-1000XM4
Sony WF-1000XM5
Sony WF-C500
Sony WF-C510-GFP
Sony WH-1000XM4
Sony WH-1000XM5
Sony WH-1000XM6
Sony WH-CH520
Sony WH-XB910N
Sony WI-C100
Teufel Tatws2
Obviously, this approach does not provide a complete picture of all affected devices. What makes this even more difficult is the observation that some devices are only affected by a subset of these issues. There is at least one vendor that seems to have mitigated CVE-2025-20700 and CVE-2025-20701. Whether this was done on purpose or by accident is unknown to us.
One other issue we identified is that some vendors are not even aware that they are using an Airoha SoC. They have outsourced parts of the development of their device, such as the Bluetooth module. If you are a manufacturer of such a device and are unsure whether your devices might be affected, feel free to contact us.