Critical Bluetooth Vulnerabilities in Airoha Chipsets Expose Millions of Audio Devices

CyberSecureFox 🦊

Cybersecurity researchers from ERNW have uncovered significant security vulnerabilities in Airoha Bluetooth chipsets, widely deployed across popular wireless audio devices. These critical Bluetooth vulnerabilities affect millions of users worldwide, compromising the security of True Wireless Stereo (TWS) earbuds, speakers, and headsets from major manufacturers.

Widespread Impact Across Leading Audio Brands

The security flaws reside in Airoha’s System-on-Chip (SoC) solutions, which power a vast ecosystem of consumer audio products. Security analysts have identified 29 vulnerable device models from prominent brands including Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel.

The affected product range spans wireless earbuds, portable speakers, professional headsets, and microphone systems. This extensive deployment means millions of users globally face potential data compromise through their everyday audio devices.

Technical Analysis of Security Vulnerabilities

Security researchers have documented three distinct vulnerabilities, each assigned individual CVE identifiers. While not classified as critical severity, these firmware exploits enable attackers to achieve complete device compromise under specific conditions.

The primary attack limitation requires physical proximity within Bluetooth range of target devices. However, once this condition is met, malicious actors can establish full control over compromised audio equipment, opening multiple attack vectors.

Proof-of-Concept Demonstration

At the TROOPERS security conference, researchers demonstrated a functional proof-of-concept exploit capable of intercepting real-time media content from vulnerable headphones. This represents the least harmful exploitation scenario among possible attack methods.

Advanced Attack Scenarios and Security Implications

More sophisticated exploitation techniques involve hijacking Bluetooth connections between smartphones and audio devices. Attackers can leverage the Bluetooth Hands-Free Profile (HFP) to transmit commands directly to victims’ mobile devices.

Available command functionality varies by operating system, but all major mobile platforms support basic telephony operations. Researchers successfully demonstrated unauthorized call initiation to arbitrary phone numbers after extracting Bluetooth pairing keys from compromised device memory.

Data Exfiltration and Privacy Breaches

Depending on mobile device security configurations, attackers may access call history and contact information. Additionally, initiated calls enable eavesdropping on conversations and ambient audio within the device’s microphone sensitivity range.

The most severe threat involves firmware overwriting capabilities that enable remote arbitrary code execution. This functionality creates pathways for self-propagating exploits that can infect other compatible devices through worm-like behavior patterns.

Vendor Response and Patch Deployment

Airoha responded promptly to vulnerability disclosures by releasing an updated SDK containing fixes for all three security flaws. Affected device manufacturers have initiated security patch development and distribution processes.

However, patch deployment analysis reveals concerning delays. According to German publication Heise, firmware updates for half of the vulnerable devices carry timestamps of May 27, 2025, or earlier, while Airoha’s corrected SDK was released on June 4, 2025.

Users should prioritize regular firmware update checks for their Bluetooth audio devices and install patches immediately upon availability. Exercise caution when using wireless audio equipment in public spaces and avoid connections to unknown or suspicious sources. These preventive measures significantly reduce successful exploitation risks for the documented vulnerabilities.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.