Eavesdropping in the Air: Critical Flaws Found in Xiaomi Redmi Buds
Critical vulnerabilities have been found in Xiaomi’s Redmi Buds wireless earphone line, potentially allowing the exfiltration of call metadata and the crashing of the hardware. The flaws affect a range of models from the Redmi Buds 3 Pro to the Redmi Buds 6 Pro and let an adversary compromise the devices without prior pairing or any form of authentication.
According to researchers from Carnegie Mellon University, these vulnerabilities originate in a flawed implementation of the RFCOMM protocol within the firmware. While the devices ostensibly operate only via standard Bluetooth profiles such as Hands-Free, A2DP, and AVRCP, they also expose undocumented L2CAP and RFCOMM channels, apparently remnants of legacy support or auxiliary functions.
The first flaw, designated CVE-2025-13834, permits unauthorized access to the device’s volatile memory. A failure in the processing of the RFCOMM “TEST” command causes the hardware to return up to 127 bytes of uninitialized memory when it receives a specific request configuration. These fragments may contain the phone numbers of the other party during an active call, a weakness reminiscent of the infamous Heartbleed bug that once plagued server-side infrastructure.
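As an added illustration that is not part of the article or of the researchers’ work, the following Python checker compares an RFCOMM multiplexer-control TEST command with the response it elicited, the exchange the first flaw concerns. It assumes the leaked bytes surface in the TEST response’s value field and handles only single-octet type and length fields; the frame layout follows the Bluetooth RFCOMM (TS 07.10) multiplexer control message format, and the sample frames are constructed.

```python
TEST_TYPE = 0x08  # 6-bit multiplexer-control message type for TEST


def parse_mcc(payload: bytes) -> dict:
    """Parse one multiplexer-control message (the info field of a DLCI-0 UIH frame).

    Type octet: bit 0 = EA (1 = single octet), bit 1 = C/R, bits 2-7 = type.
    Length octet: bit 0 = EA, bits 1-7 = value length (at most 127 in one octet).
    """
    if len(payload) < 2:
        raise ValueError("truncated MCC message")
    type_octet, len_octet = payload[0], payload[1]
    if not (type_octet & 0x01 and len_octet & 0x01):
        raise ValueError("multi-octet type or length fields are not handled here")
    declared, value = len_octet >> 1, payload[2:]
    if len(value) != declared:
        raise ValueError(f"length octet says {declared} but {len(value)} value octets follow")
    return {"type": type_octet >> 2, "command": bool(type_octet & 0x02), "value": value}


def build_test_frame(value: bytes, command: bool) -> bytes:
    """Encode a TEST command (C/R = 1) or TEST response (C/R = 0) carrying `value`."""
    if len(value) > 127:
        raise ValueError("a single-octet length field holds at most 127 octets")
    type_octet = 0x01 | (0x02 if command else 0x00) | (TEST_TYPE << 2)
    return bytes([type_octet, (len(value) << 1) | 0x01]) + value


def check_test_exchange(request: bytes, response: bytes) -> dict:
    """Compare a TEST command with the TEST response it elicited.

    The spec requires the response to echo the request's value unchanged, so
    any extra or altered octets are data the peer was never sent (assumed here
    to be where a memory-disclosure bug of this class shows up).
    """
    req, resp = parse_mcc(request), parse_mcc(response)
    if req["type"] != TEST_TYPE or not req["command"]:
        raise ValueError("request is not a TEST command")
    if resp["type"] != TEST_TYPE or resp["command"]:
        raise ValueError("response is not a TEST response")
    n = len(req["value"])
    extra = resp["value"][n:]
    return {
        "extra_octets": len(extra),
        "unexpected_bytes": extra,
        "leak_suspected": bool(extra) or resp["value"][:n] != req["value"],
    }


if __name__ == "__main__":
    probe = build_test_frame(b"ping", command=True)  # constructed sample
    print(check_test_exchange(probe, build_test_frame(b"ping", False)))
    print(check_test_exchange(probe, build_test_frame(b"ping\x31\x35\x35", False)))
```

Run over frames captured by a Bluetooth sniffer or a firmware test harness, a `leak_suspected` result on a TEST exchange is the symptom to investigate.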
The second vulnerability, CVE-2025-13328, concerns a potential Denial of Service (DoS) attack. By flooding the device with “TEST” commands or manipulating “Modem Status” signals on the Hands-Free and service channels, an attacker can overwhelm the processing queue and crash the device entirely. All paired connections drop immediately, and the user must physically reseat the earphones in their charging case to restore functionality.
Exploiting these flaws requires only being within standard Bluetooth range (approximately 20 meters) and knowing the target’s MAC address, which is trivial to acquire with ordinary scanning tools. The process requires neither elevated privileges nor any action by the rightful owner.
At this point, Xiaomi has issued neither an official statement nor a firmware fix. Consequently, it is advised to disable Bluetooth in public places when the earphones are not in use. This discovery, documented by Chung-in Lee, Jiwoong Ryu, and Heejo Lee, has been formally submitted to the CERT Coordination Center and serves as a stark reminder of how fragile consumer IoT devices are when communication protocols are inadequately secured at the firmware level.