The Audio Backdoor: How Your Premium Headphones Could Hack Your Phone
Vulnerabilities discovered in wireless headphones powered by Airoha chips have opened the door to remote compromise of the smartphones they are connected to. The flaws identified by security researchers affect a wide range of popular models from brands such as Sony, Bose, Marshall, Jabra, and others. Notably, the potential attacks require no prior pairing and can be carried out without any user interaction.
The root cause lies in the lack of proper authentication and the presence of debugging functionality within Airoha’s proprietary RACE protocol, which is used for device configuration and firmware updates. The issues have been assigned CVE identifiers CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702. The first allows unauthenticated connections over Bluetooth Low Energy, while the second enables the same over Bluetooth Classic. Once connected, attackers gain access to the RACE protocol, through which they can freely read from and write to the device’s memory.
In practical terms, this makes it possible to extract the cryptographic key used for the Bluetooth connection between the headphones and the smartphone. Armed with this key, an attacker can impersonate a trusted device and obtain elevated privileges on the victim’s phone. Researchers from Insinuator demonstrated that such access enables viewing contact lists and call history, invoking the voice assistant, sending messages, placing calls, and retrieving location data—provided the smartphone is unlocked.
Particularly concerning are scenarios in which an attacker can intercept incoming calls or silently initiate calls to attacker-controlled numbers, making it possible to covertly listen to conversations. The activation of Hands-Free Profile features may also grant access to additional information stored on the phone.
The study confirmed that at least 30 models are definitively vulnerable, including the Sony WF-1000XM5, Marshall ACTON III, JBL Live Buds 3, and Beyerdynamic Amiron 300. However, the true number of affected devices may be significantly higher. While some manufacturers, such as Jabra, have already implemented additional safeguards and addressed the issues, others—including Sony and Bose—have yet to issue official responses.
Airoha released updates to remediate the vulnerabilities as early as June 2025, but many manufacturers have still not integrated these fixes into their firmware. Headphone owners are strongly advised to install all available updates immediately and to remove previously paired devices from their smartphones.
The researchers also released a dedicated RACE Toolkit along with supporting documentation, enabling users to independently assess whether their devices are vulnerable. As an additional precaution, individuals at heightened risk—including journalists and diplomats—are advised to temporarily switch to wired audio devices.
Experts emphasize that manufacturers must not only integrate Airoha’s SDK updates in a timely manner, but also conduct regular internal security audits before releasing new products. The disclosure of these vulnerabilities followed responsible disclosure practices, with full technical details published six months after vendors were first notified.