Hackers can listen in on your headphones: Sony, Bose, Marshall, and other major brands affected


Hackers in Bluetooth range can spy on millions of headphone users. Major flaws have been discovered in popular models from Sony, Bose, Marshall, Jabra, JBL, Beyerdynamic, and other devices using Airoha Systems chips.

The German cybersecurity firm ERNW unveiled major security flaws affecting dozens of the most recognized headphone models, including some of the best noise-canceling headphones on the market.

“In most cases, these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required,” the researchers warn.

“Being in Bluetooth range is the only precondition.”

Hackers can abuse the vulnerabilities to spy on users, exploit the trust relationship between two paired Bluetooth devices, and impersonate the device to send malicious commands to a mobile phone, such as initiating and receiving calls. Attackers can also extract phone numbers and contacts, and even rewrite firmware to gain code execution.

“We have shown that it is possible to simply … listen to what their microphone is currently recording,” researchers said.

Users might notice such an attack through a dropped Bluetooth connection, as headphones can typically handle only one connection.

[Image: exploit example. Image by insinuator.net.]

All unpatched devices that incorporate Airoha systems on a chip (SoCs) are vulnerable. Airoha is a major supplier of SoCs in the Bluetooth audio space, especially in the area of True Wireless Stereo earbuds.

The Bluetooth chips expose a powerful custom protocol that allows manipulating the device by reading and writing its RAM or flash. Because authentication is missing, attackers can use the protocol without pairing with the device.

As most of the devices are still unpatched, researchers did not disclose too many details, their proof-of-concept code, or even the name of the exposed protocol.

“The SoCs are used in devices such as headsets, earbuds, dongles, speakers, and wireless microphones. However, it is infeasible for us to comprehensively survey and identify all affected products,” the report reads.

Some of the affected devices include:

  • Sony: WH-1000XM4, WH-1000XM5, WH-1000XM6, WH-CH520, WH-XB910N, WI-C100, WF-1000XM3, WF-1000XM4, WF-1000XM5, CH-720N, Link Buds S, ULT Wear, WF-C500, WF-C510-GFP.
  • Marshall: ACTON III, MAJOR V, MINOR IV, MOTIF II, STANMORE III, WOBURN III
  • Bose: QuietComfort Earbuds
  • Beyerdynamic: Amiron 300
  • EarisMax: Bluetooth Auracast Sender
  • Jabra: Elite 8 Active
  • JBL: Endurance Race 2, Live Buds 3
  • Jlab: Epic Air Sport ANC
  • MoerLabs: EchoBeatz
  • Teufel: Tatws2

“The same Bluetooth SoC is used in dozens or hundreds of different products, often under different brand names.”

Some vendors do not disclose which SoC they use, making it difficult to identify all vulnerable devices.

The major flaw, dubbed “Critical Capabilities of a Custom Protocol,” was assigned the identifier CVE-2025-20702. The other two flaws, CVE-2025-20700 and CVE-2025-20701, cover Missing Authentication in Bluetooth protocols.

The researchers will release detailed information on them later.

Users have to wait for vendors to patch the devices

There is little headphone users can do to protect themselves from attackers eavesdropping on or controlling their Bluetooth devices.

“End-users need to patch their headphone firmware. However, before that, a patch needs to be available,” the researchers at ERNW said.

While Airoha fixed the vulnerabilities and supplied the new SDK version to vendors in the first week of June, it's unclear how quickly different device manufacturers will distribute firmware updates, and some products may never receive a patch.

“As of now, we are not aware of any fixed firmware release,” researchers warn.

“Even when patches exist, not all device manufacturers push updates, especially for lower-cost or end-of-life products.”

Fortunately, real-world attacks have a steep bar to meet: attackers must be very close to the user, usually within around 10 meters, as Bluetooth only works at short distances. A high technical skill set is required for the attack to go unnoticed.

These kinds of attacks are most likely to target high-value individuals, such as journalists, diplomats, political activists, people in sensitive industries, and other VIPs. These users are advised to remove the pairing between their headphones and their mobile devices until patches are available.