Bluetooth Security Flaw Exposes Headphones To Hacking Risks: Are Your Devices Safe?

Smita, last updated 1 hour ago

Imagine chilling with your favorite Sony or Bose headphones, streaming a podcast or jamming to your go-to playlist, unaware that a hacker nearby could turn your earbuds into a spying device. Sounds like a sci-fi thriller, right? Unfortunately, it’s a real possibility thanks to newly discovered vulnerabilities in Bluetooth chips used by some of the biggest audio brands. Here’s what you need to know about this alarming security flaw and how to keep your devices safe.

A Bluetooth Bug That Packs a Punch

Cybersecurity researchers at ERNW recently uncovered three serious vulnerabilities in Airoha Bluetooth chips, commonly found in True Wireless Stereo (TWS) earbuds and headphones from brands like Sony, Bose, JBL, Jabra, Marshall, and JLab. These flaws, presented at the TROOPERS 2025 security conference, could allow hackers within Bluetooth range—roughly 10 meters—to exploit devices without needing to pair or authenticate.

The vulnerabilities, identified as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, have severity scores ranging from 6.7 to 9.6 on the CVSS scale, the highest of which is classified as near-critical. They stem from a custom protocol in Airoha’s Bluetooth System-on-Chip (SoC) that lacks proper authentication, leaving devices open to attacks. Hackers could potentially:

  • Eavesdrop on audio streams or conversations via the device’s microphone.
  • Steal sensitive data like call logs or contacts.
  • Initiate unauthorized calls or even execute malicious code on a connected smartphone.

Popular models like the Sony WH-1000XM6, Bose QuietComfort Earbuds, JBL Live Buds 3, and Marshall Woburn III are among the 29 confirmed affected devices, with potentially millions more at risk due to Airoha’s widespread use in audio products.

How Real Is the Threat?

Before you toss your pricey headphones in a panic, let’s put this in perspective. Exploiting these flaws requires technical expertise and physical proximity, making random attacks unlikely. As ERNW researchers noted, “real attacks are complex to perform,” and the average user isn’t the primary target. High-profile individuals like journalists or diplomats are more likely to be in the crosshairs of such sophisticated, targeted attacks.

Still, the potential for abuse is unsettling. In a proof-of-concept, researchers demonstrated they could read the currently playing media from a vulnerable device. More worryingly, they showed how attackers could hijack a Bluetooth connection to impersonate headphones, access a paired smartphone, and even trigger calls to arbitrary numbers. In extreme cases, this could turn your earbuds into a remote listening device.

What’s Being Done About It?

The good news? Airoha was notified of these issues on March 25, 2025, and released an updated Software Development Kit (SDK) with fixes to manufacturers on June 4. However, the bad news is that, as of late June 2025, most brands like Sony, Bose, and JBL haven’t yet rolled out public firmware updates for affected devices. The fragmented supply chain adds complexity, as some manufacturers may not even know they’re using Airoha chips due to outsourced production.

For now, users are left waiting for patches, which will likely be distributed via proprietary apps like Sony Headphones Connect or JBL Headphones. If you own affected devices, regularly check these apps for firmware updates to ensure your gear is secure.

How To Protect Yourself

While the risk to everyday users is low, it’s wise to take precautions, especially if you use your Bluetooth headphones in public or sensitive environments. Here are some practical steps:

  • Update Firmware Promptly: Check your device’s companion app (e.g., Sony Headphones Connect or JBL Headphones) for firmware updates and install them as soon as they’re available.
  • Disable Bluetooth in Public: Turn off Bluetooth when you’re not using it, especially in crowded places like cafes or public transit, to minimize exposure.
  • Avoid Sensitive Conversations: Until patches are confirmed, refrain from using Bluetooth headphones for private calls or discussions.
  • Use Trusted Apps for Privacy: Consider exploring privacy-focused tools like those discussed in our best VPNs for Android phones and tablets to bolster your device’s security.

The Bigger Picture: IoT Security Challenges

This Bluetooth flaw underscores a broader issue in the Internet of Things (IoT) ecosystem: even trusted devices can become weak links. With headphones increasingly integrated with digital assistants and smartphones, vulnerabilities like these highlight the need for robust cybersecurity.

While Apple’s AirPods are unaffected due to different chipsets, the sheer scale of Airoha’s reach—potentially millions of devices—means this issue could linger until manufacturers act swiftly.

Stay Vigilant, Stay Safe

The Bluetooth vulnerabilities in Airoha chips are a wake-up call for users and manufacturers alike. While the immediate risk to most consumers is low, staying proactive is key. Keep an eye out for firmware updates, practice smart Bluetooth habits, and stay informed about emerging threats.
