
Bluetooth headsets, which we are accustomed to regarding as harmless gadgets, have suddenly emerged as a potential vector for intrusions into smartphones. Experts have published a report detailing several critical flaws in Airoha Bluetooth chips—the very chips used in millions of TWS earphones from well-known brands such as Sony, JBL, Marshall, and Jabra.

The defect lies in RACE, a proprietary diagnostic protocol created for factory debugging of the devices. As it turned out, this protocol remains active in mass-produced earphones and requires no authorization whatsoever, so anyone within Bluetooth range can connect to the headset without the user noticing.

Access to RACE effectively gives an attacker elevated permissions on the device. The report states that the researchers were able to read and alter the contents of the earphones’ memory and flash storage, and to extract details about the audio being played. More alarming still, because no proper pairing process is involved, an attacker can gain direct access to the headset’s microphone, opening the door to covert eavesdropping.

The dangers do not end there. The scenario the experts consider most concerning they dubbed “Headphone Jacking.” It involves extracting the Bluetooth Link Key—the cryptographic secret used for the trusted connection with the smartphone—from the headset’s memory. With this key, an attacker can impersonate the “native” earphones and connect directly to the victim’s phone.

At that point the issue is no longer merely a compromised accessory. With access to the smartphone, the malicious actor can potentially activate the voice assistant, send messages, answer incoming calls, or capture audio without the owner’s knowledge. Essentially, the phone becomes a remote surveillance tool.

The vulnerabilities have been assigned the identifiers CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702.
Specialists confirmed the vulnerabilities in several widespread models—from the top-tier Sony WH-1000XM5 to headsets by JBL and Marshall. However, the complete roster of affected devices remains unclear: Airoha chips are used too broadly, and the landscape of Bluetooth devices is highly fragmented.