Bluetooth Headphones Can Be Weaponized to Hack Phones

Discussion in 'Lounge' started by tzzsmk, Jan 4, 2026 at 10:09 AM.

  1. tzzsmk (Audiosexual)

    About six months ago we released a security advisory on this blog about vulnerabilities in Airoha-based Bluetooth headphones and earbuds. Back then, we didn’t release all technical details to give vendors more time to release updates and users time to patch their devices. Around the time of the initial partial disclosure in the beginning of June, Airoha put out an SDK release for their customers that mitigates the vulnerabilities. Now, half a year later, we finally want to publish the technical details and release a tool for researchers and users to continue researching and check whether their devices are vulnerable.

    This blog post is about CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702.



    Your headphones just became a backdoor to your phone. No pairing. No popup. Just Bluetooth range. 70 million chips. Sony. Bose. Marshall. JBL. A debug protocol active on production devices. Attackers can dump your Bluetooth keys, impersonate your headphones, and hijack your phone.
    Three CVEs. Zero authentication required. Full technical disclosure: December 27, 2025 at 39C3.
    The vulnerabilities
    → CVE-2025-20700: No authentication on Bluetooth Low Energy
    → CVE-2025-20701: No authentication on Bluetooth Classic
    → CVE-2025-20702: Debug protocol exposed that should never be accessible
    RACE is Airoha's factory protocol. Meant for testing and firmware updates during production. It exposes read/write access to RAM and flash memory over three channels: USB HID, Bluetooth Classic RFCOMM (channel 21), and BLE GATT services.
    The protocol was never disabled before shipping.

    An attacker within 10 meters connects via BLE or Bluetooth Classic. No user interaction. The connection is silent.
    Once connected, RACE commands dump the flash. Inside: the Bluetooth Link Key. This 128-bit key is what your phone uses to verify your headphones are trusted.
    With the Link Key, the attacker clones your headphones' Bluetooth identity. Your phone sees "Sony WH-1000XM5" connecting. It trusts it automatically. No pairing popup.
    → Get your phone number using HFP commands
    → Access contacts and call history
    → Trigger Siri or Google Assistant
    → Accept incoming calls silently
    → Make outgoing calls to premium numbers
    → Activate your phone's microphone and listen
    At 39C3 the researchers demonstrated WhatsApp and Amazon account takeover. Live.

    Confirmed vulnerable:
    Sony WH-1000XM4, WH-1000XM5, WH-1000XM6, WF-1000XM5, LinkBuds S
    Bose QuietComfort Earbuds
    Marshall Major V, Minor IV, Acton III, Stanmore III
    JBL Live Buds 3, Endurance Race 2
    Jabra Elite 8 Active (patched)
    Beyerdynamic Amiron 300
    Teufel Tatws2
    JLab Epic Air Sport ANC
    Not the complete list. Airoha chips are in hundreds of products. Some manufacturers do not even know they use Airoha because they outsourced the Bluetooth module.

    NOT vulnerable: Apple AirPods.

    → Airoha released a fix to manufacturers June 4, 2025. Six months later, most devices still run vulnerable firmware.
    → Jabra acknowledged the CVEs. Marshall quietly patched. Sony did not respond until they heard about the public disclosure.
    Firmware updates come through manufacturer apps. Most users never open these apps after setup. Patches exist but are not reaching devices.
    → Update firmware through your manufacturer's app
    → Remove old Bluetooth pairings from your phone
    → Disable Bluetooth when not in use
    → High-value targets: use wired headphones

    More in-depth information:
    https://insinuator.net/2025/12/blue...ll-disclosure-of-airoha-race-vulnerabilities/
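The post's mitigation list ends with updating firmware and removing old pairings. The script below is an added example for this thread, not a tool from the researchers, from Airoha, or from any poster: it parses the "Device <MAC> <Name>" lines that BlueZ's bluetoothctl prints (`devices Paired` on newer releases, `paired-devices` on older ones) and flags pairings whose name matches one of the models the post lists as confirmed vulnerable, so the owner knows which headset to update through the vendor app or which stale pairing to delete. The model list is copied from the post and, as the post itself says, is incomplete, so a non-match only means "not on this list". The name-matching rules, the `read_bluetoothctl` fallback logic, and the addresses and names in `SAMPLE_OUTPUT` are constructed assumptions.

```python
"""Audit BlueZ pairings against the headphone models the thread lists as
confirmed vulnerable (CVE-2025-20700 / -20701 / -20702).

Added example, not a tool from the researchers or Airoha. The affected-model
list is copied from the post (incomplete by the post's own statement); the
matching rules and SAMPLE_OUTPUT are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Models the thread lists as confirmed vulnerable (explicitly not complete).
AFFECTED_MODELS = {
    "Sony": ["WH-1000XM4", "WH-1000XM5", "WH-1000XM6", "WF-1000XM5", "LinkBuds S"],
    "Bose": ["QuietComfort Earbuds"],
    "Marshall": ["Major V", "Minor IV", "Acton III", "Stanmore III"],
    "JBL": ["Live Buds 3", "Endurance Race 2"],
    "Jabra": ["Elite 8 Active"],
    "Beyerdynamic": ["Amiron 300"],
    "Teufel": ["Tatws2"],
    "JLab": ["Epic Air Sport ANC"],
}


def _model_pattern(model: str):
    """Match the model's alphanumeric tokens in order with any punctuation
    between them, but never inside a longer token: "Major V" matches
    "Marshall Major V" and not "Marshall Major VI"; "WH-1000XM4" matches the
    BLE advertising name "LE_WH-1000XM4" but not "WH-1000XM5"."""
    tokens = re.findall(r"[A-Za-z0-9]+", model)
    body = r"[\W_]*".join(re.escape(t) for t in tokens)
    return re.compile(r"(?<![A-Za-z0-9])" + body + r"(?![A-Za-z0-9])", re.I)


_PATTERNS = [(vendor, model, _model_pattern(model))
             for vendor, models in AFFECTED_MODELS.items() for model in models]

# One pairing per line; prompts, blank lines and other noise are ignored.
_DEVICE_LINE = re.compile(r"^Device\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.+?)\s*$")


@dataclass
class Pairing:
    mac: str
    name: str
    vendor: Optional[str]  # matched vendor, or None if not on the list
    model: Optional[str]


def match_model(name: str) -> Tuple[Optional[str], Optional[str]]:
    for vendor, model, pattern in _PATTERNS:
        if pattern.search(name):
            return vendor, model
    return None, None


def parse_paired_devices(text: str) -> List[Pairing]:
    pairings = []
    for line in text.splitlines():
        m = _DEVICE_LINE.match(line.strip())
        if not m:
            continue
        vendor, model = match_model(m.group(2))
        pairings.append(Pairing(m.group(1).upper(), m.group(2), vendor, model))
    return pairings


def affected_pairings(text: str) -> List[Pairing]:
    return [p for p in parse_paired_devices(text) if p.model is not None]


def report(text: str) -> str:
    lines = []
    for p in parse_paired_devices(text):
        if p.model:
            lines.append(f"{p.mac}  {p.name!r}: matches {p.vendor} {p.model} (listed as "
                         "affected: update firmware via the vendor app, or remove a stale pairing)")
        else:
            lines.append(f"{p.mac}  {p.name!r}: not on the thread's list (list is incomplete)")
    return "\n".join(lines) if lines else "no paired devices found"


def read_bluetoothctl() -> Optional[str]:
    """Try the newer and then the older listing command; None if neither works."""
    for args in (["devices", "Paired"], ["paired-devices"]):
        try:
            out = subprocess.run(["bluetoothctl", *args], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            return None
        if out.returncode == 0 and "Device " in out.stdout:
            return out.stdout
    return None


# Constructed sample of bluetoothctl output (addresses and names are made up).
SAMPLE_OUTPUT = """\
[bluetooth]# devices Paired
Device F0:12:34:56:78:9A WH-1000XM4
Device 1C:AB:CD:EF:01:23 LE_WH-1000XM4
Device 00:11:22:33:44:55 Marshall Major VI
Device AA:BB:CC:DD:EE:FF JBL Live Buds 3
Device 12:34:56:78:9A:BC Bose QuietComfort Earbuds
Device DE:AD:BE:EF:00:01 Office Keyboard
"""

if __name__ == "__main__":
    print(report(read_bluetoothctl() or SAMPLE_OUTPUT))
```

Run it on a Linux host with BlueZ to audit that machine's pairings; without bluetoothctl it falls back to the constructed sample. The token-boundary matching is what keeps "Major VI" from being reported as the listed "Major V" while still catching the "LE_" prefixed BLE name of the same headset.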
  3. Fluxxx (Producer)

    Interesting, I was given the Sony WH-1000XM4 as a gift, but haven't really been using them. Thanks for the heads up :knock:

    edit: seems I've already patched it
     
    Last edited: Jan 5, 2026 at 8:11 AM
  4. SmokerNzt (Rock Star)

    Nothing new, Bluetooth has been hackable for a long time.
     
  5. Strat4ever (Rock Star)

    Anything wireless can be hacked by real pro hackers. Do you use masking software to hide your face in videos? AI can see through it so easily; there is no privacy or anonymity. So much unbelievable tech, privacy is needed more than ever. Want to become a billionaire? Find a way to defeat and circumvent all this invasive tech.
     
  6. Fluxxx (Producer)

    Wi-Fi hacking is pretty easy, you don't need to be a pro... Kali Linux has an assortment of Wi-Fi tools you can try on your own network (for educational purposes only).
     
  7. xorome (Audiosexual)

    Props to Xiaomi and Motorola for still releasing phones with physical connectors.
     