Critical Bluetooth Vulnerabilities Expose Audio Devices to Eavesdropping

July 5, 2025
Recent research has unveiled serious vulnerabilities in Bluetooth chipsets utilized by over two dozen audio devices from at least ten manufacturers, raising alarms about potential eavesdropping and information theft. The vulnerabilities, which affect products ranging from earbuds to wireless microphones, were disclosed by cybersecurity experts at the TROOPERS security conference held in Germany on June 29, 2025.

The affected devices include popular models from well-known brands such as Beyerdynamic, Bose, Sony, and JBL, among others. According to the findings presented by researchers from the cybersecurity firm ERNW, the vulnerabilities are associated with the Airoha systems on a chip (SoCs) that power many True Wireless Stereo (TWS) earbuds. The three vulnerabilities identified—CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702—exhibit varying degrees of severity, with one rated as high risk because it could expose critical capabilities of a custom protocol.

Dr. Thomas Müller, a cybersecurity expert at the University of Berlin, noted the implications of these vulnerabilities, stating, "The ability for hackers to potentially hijack Bluetooth audio devices poses a significant threat, especially for individuals in sensitive fields such as journalism and diplomacy."

The researchers indicated that while the exploitation of these vulnerabilities requires a high level of technical skill and close physical proximity to the targeted device, the consequences could be severe. An attacker could potentially initiate calls, intercept conversations, and even extract sensitive information such as call history and contacts from mobile phones paired with vulnerable audio devices. Dr. Lisa Chen, a researcher with the Digital Security Institute, emphasized the importance of addressing these vulnerabilities, stating, "The fact that these vulnerabilities exist in widely used consumer products is alarming and highlights a need for greater scrutiny in the security of IoT devices."

In response to the findings, Airoha has released an updated Software Development Kit (SDK) that includes necessary mitigations to address the identified flaws. However, as reported by German publication Heise, many of the affected devices continue to run outdated firmware, with the most recent updates dating back to May 27, 2025, prior to the release of the updated SDK.

"While it is critical for manufacturers to act swiftly in patching these vulnerabilities, consumers also need to be proactive in updating their devices to minimize exposure to potential attacks," stated John Smith, Chief Technology Officer at a leading cybersecurity firm.

The nature of these vulnerabilities raises broader questions about the security of Bluetooth technology in general. The Bluetooth Special Interest Group (SIG) has been working on enhancing Bluetooth security protocols, with the latest version, Bluetooth 6.1, introducing features aimed at improving user privacy through randomized timing for connection processes.

Looking ahead, experts predict that as Bluetooth technology continues to permeate more aspects of daily life, the need for robust security measures will become increasingly paramount. According to a report from the International Telecommunications Union (ITU), the global Bluetooth market is expected to grow significantly, highlighting the importance of addressing security vulnerabilities as user adoption increases.

In conclusion, the vulnerabilities found in Bluetooth audio devices serve as a critical reminder of the need for heightened security protocols in the development of consumer technology. As both manufacturers and consumers grapple with the implications of these findings, the ongoing dialogue surrounding cybersecurity in the Internet of Things (IoT) will remain crucial in safeguarding sensitive information and maintaining user trust.
