Glad this submission is finally receiving upvotes.
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
> Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
While I don't recall Sony issuing an advisory, I believe the users of their app would have started getting update notifications since they (quietly) released firmware updates.
> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I think most vendors are using custom services with their own UUIDs for settings such as this.
Regardless, I believe there are open client implementations for some of the more popular devices. Gadgetbridge comes to mind in regards to Android, not sure about any Linux equivalent.
They also demonstrated how this could be used to silently find out someone’s phone number and then hijack a TFA validation call from an app like WhatsApp to take over their account with no user interaction.
the session (or pairing key) means you can both connect to the headphone or impersonate it.
It can toggle the hands-free mode and listen to whatever is being talked, you'd notice that it has switched to the mode though - but if you're headphones are powered on and you're not listening to in they can be used for eavesdropping.
During the talk they both demonstrate listening to the microphone and also receiving a WhatsApp 2FA call.
Is this an unintentional vulnerability or is it one of those "we left it open because it's easier and we hoped nobody would notice" kind of things. I mean can you just send a "update to this firmware" command completely unauthenticated and it's like "yep sure"? No signing or anything?
Remote audio surveillance probably be accomplished on wired headphones with TEMPEST [0]/Van Eck phreaking [1]. Not sure about which has a better range and which would be stealthier - TEMPEST or the Bluetooth attack. The Bluetooth attack just requires a laptop. Not sure if the TEMPEST attack would require a big antenna.
> We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
Can't watch the video now. But I wonder to what extent they can take over a smartphone? Can they make a headphone look like a keyboard/mouse, for example?
And everyone got mad at OpenBSD for refusing to develop bluetooth.
It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..
I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. Everyone seems to use bluetooth headphones exclusively (in Sweden at least), I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
I was also trying to debug bluetooth “glitching audio” issues and tried to figure out signal strength as the first troubleshooting step: I discovered that people don’t even expose signal strength anymore… the introspection into what’s happening extends literally nowhere, including not showing signal strength… truly, the whole thing is cursed and I’m shocked it works for the masses the way it does.. can you imagine not displaying wifi signal strength?
This is not a Bluetooth issue. The chip manufacturer Airoha just felt it acceptable to ship a wireless debug interface that allows reading the SoC memory with no authentication whatsoever, enabled in retail customer builds. They are just not a serious company (which is why their security email didn't work, either).
You can't read English like if it was a declarative logical language. It is obviously an hyperbole to say "everyone". It means "a lot of people". So why they didn't say "a lot of people"? Language uses hyperboles to make a point stronger.
Sometimes plugging a cord is a minor inconvenience.
But sometimes it's a large inconvenience
Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)
I don't have time right now to watch the video and will be coming back to do so later, but here's a couple of snippets from the text on that page that made me want to bother watching (either they're overhyping it, or it sounds interesting and significant)
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
The most frustrating part is when Apple dropped the jack we laughed at the "courage" bit, Apple's given reasons where already seen as bullshit, Samsung had their finger pointing moment.
And it just went on, Apple weathered the critics, the other makers also dropped it, and at some point there was just nowhere to go for anyone still wanted a 3.5 jack with a decent phone.
I agree the loss of the 3.5mm jack is a short-sighted and poor decision. There is at least one mitigation, which is the ability to recover the jack through a USB-C DAC. Apple sells them for USD10. I have several, in the car and in my backpack.
It's not a good solution though. In particular I find the USB-C port gets worn out pretty quickly. Its also easy to lose the dongle and of course it's more complicated to setup. (I'm not sure how to articulate the "it's more complicated" part. I think adding the dongle pulls the action of "plug in headphones" from something you can do without attention to something that requires attention, and I don't think that.)
The official reason was, famously and ridiculously, "courage". Apple further explained that space is at a premium, listed the many things competing for that space, and noted that a large, single-purpose legacy connector no longer made sense.
A lot of Apple's strategic choices are driven by products that take 5, 10, or sometimes 20 years to realize. For example, the forthcoming foldable iPhone (and the proving ground for many related decisions, the iPhone Air) was on roadmaps literally a decade before a decision like this reverberates through released products.
Putting a high-quality DAC in a dongle wasn't a terrible solution (many phones with analog jacks have poor ones), and today hundreds of headphones¹ courageously have native USB-C support.
Regardless, the point of mentioning it is that Apple commonly makes decisions that can seem bizarre to people who don't consider systemic and longer-term reasons why they might've been made. Another micro-example of this that comes to mind is Tahoe's mostly-reviled chonky window borders, which along with many other gradual UX changes over years, absolutely foreshadow touchscreen Macbooks.
They've also been late sometimes and had to change by force their assumptions, the first app store in iOS was cydia and a lot of what we consider modern iOS design was copied over from the jailbreaking community.
Haven't watched the video yet, but I think this capability was leaked by VP Kamala Harris during her recent interview with the Late Night Show [0]. She stated she doesn't use wireless headphones because she's been in security meetings and knows they're not safe.
You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies
I think many people would be justified in making the argument that bluetooth has existed for at least 20 years and thus is the established battle tested protocol.
Yeah, but Bluetooth spec changed a lot over the years (3000+ pages) and the certification price is rather expensive.
There's an interesting article from Wired [1] about this, although some interesting comments from the engineers working on BT stacks are far more interesting. It seems like most of the manufacturers do not create spec-compliant devices, and that the tests from the certification are just poor.
I'd love to hear more from an expert on the topic, but this looks to be the consensus.
I think people are generally aware of how low quality the Bluetooth protocol suite is though so maybe they'd guess that extends to security too.
I definitely remember lots of folk security advice to keep bluetooth off on your phone back when smartphones were new (nobody does that now though, and Android auto-enables it these days).
What she says isn't necessary untrue, now is it? She just skips a lot of steps most people have no clue about.
I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.
There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.
However the individual in question is not delusional or conspiratorial, and we know for sure that they are receiving advice or restrictions from extremely well-informed sources, so there's every reason to believe they are (lo-fi) repeating that.
This is just a chip with debug mode left on and does not allow anyone to hijack audio stream or anything interesting. (Just in case anyone’s checking the comments because they don’t want to watch a long ass video and they notice all the comments are essentially off topic)
Ah yes, the removal of headphone jacks, the gift that keeps on giving
Funny that there were always some people here pushing bt audio as "the future", whom I can only assume were the technically shallow but very opinionated people that would die on the smallest technical hills
I'd assume that most people wouldn't want to get back to wired headphones.
Transition period was definitely rough, but nowadays bluetooth headphones are substantially better than they were in the past, and it's quite freeing to not have to deal with wires.
There are definitely benefits to wired headphones, such as better audio quality and no battery life to worry about, but for those cases there are USB-C DACs.
Brand new devices' batteries are awesome but wear off and need to be changed at some point, if A) the device is designed to let you do that and B) the battery is still in production.
You don't really own a wireless headphone. You can see it as a rent, or an ownership that loose its capability when in use.
A couple days ago there was a bit of a conversation about this, you might find it interesting. It seems this feeling (to the point of calling it an "epidemic"!) might be caused by the known bias of thinking that earlier times were better:
LOL.
People not using headphones in public are narcissistic a-holes, but they’ve been doing it since *long* before headphone jacks went missing from smartphones.
Most audiophiles ignore bluetooth headphones due to sound quality + latency, so we (audiophiles) stick to wired at home and we also have dedicated headphone amps since the pissy sound card D/A convertors are incredibly bad. Bluetooth only when I’m doing yard work. Sadly, modern music is tuned to crappy headphones, crappy car systems, crappy speakers … I miss the 80’s audiophile obsession, the equipment had heart, and mixing and mastering was generations ahead of current (mainstream) music production.
This conversation will go in a very predictable direction, but
- Apple has a lossless coded for wireless, ALAC that can do up to 24bit/192khz
- aptX can do 44/16 in other devices, Sony has LDAC at 24/96 too
- latency under <100ms is meaningless for pure audio listening
We have amazing technology available today, at prices and quality unimaginable in the 80s. A $10 in-ear from a chinese hi-fi brand can give you an audio experience you couldn’t buy for thousands of dollars a decade ago.
I'm really enjoying my Focal Bathys Bluetooth headphones! Sure, wired options will always be better, but when I want convenience, I've been really impressed with these!
A friend worked in an audiophile shop during his physics master and he'd swear the customer base was the most gullible bunch he ever saw... And mostly unswayable by rational arguments.
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
RACE Reverse Engineered - CLI Tool: https://github.com/auracast-research/race-toolkit
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
While I don't recall Sony issuing an advisory, I believe the users of their app would have started getting update notifications since they (quietly) released firmware updates.
> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I think most vendors are using custom services with their own UUIDs for settings such as this.
Regardless, I believe there are open client implementations for some of the more popular devices. Gadgetbridge comes to mind in regards to Android, not sure about any Linux equivalent.
That doesn't sound very serious if they're exposed, is it? Can it be used to eavesdrop my conversation if I'm speaking through the headphone
It can toggle the hands-free mode and listen to whatever is being talked, you'd notice that it has switched to the mode though - but if you're headphones are powered on and you're not listening to in they can be used for eavesdropping.
During the talk they both demonstrate listening to the microphone and also receiving a WhatsApp 2FA call.
Speaking for myself, I have very little patience for technical videos, so I don't believe I've ever upvoted a YouTube submission.
One second thought I think this is called a transcript...
---
Edit: Auto-Transcript! (No timestamps, sorry)
https://jsbin.com/jiqihuveci/edit?html,output
[0] https://en.wikipedia.org/wiki/Tempest_(codename)
[1] https://en.wikipedia.org/wiki/Van_Eck_phreaking
Can't watch the video now. But I wonder to what extent they can take over a smartphone? Can they make a headphone look like a keyboard/mouse, for example?
It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..
I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. Everyone seems to use bluetooth headphones exclusively (in Sweden at least), I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
I was also trying to debug bluetooth “glitching audio” issues and tried to figure out signal strength as the first troubleshooting step: I discovered that people don’t even expose signal strength anymore… the introspection into what’s happening extends literally nowhere, including not showing signal strength… truly, the whole thing is cursed and I’m shocked it works for the masses the way it does.. can you imagine not displaying wifi signal strength?
Alright, so when is OpenBSD patching out USB support? Such a giant exploit vector.
So who is everyone, in your meaning?
https://news.ycombinator.com/item?id=25950845
https://news.ycombinator.com/item?id=45798439
https://news.ycombinator.com/item?id=34667522
https://news.ycombinator.com/item?id=43144607
But sometimes it's a large inconvenience
Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)
https://news.ycombinator.com/item?id=46406310
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
And it just went on, Apple weathered the critics, the other makers also dropped it, and at some point there was just nowhere to go for anyone still wanted a 3.5 jack with a decent phone.
It's not a good solution though. In particular I find the USB-C port gets worn out pretty quickly. Its also easy to lose the dongle and of course it's more complicated to setup. (I'm not sure how to articulate the "it's more complicated" part. I think adding the dongle pulls the action of "plug in headphones" from something you can do without attention to something that requires attention, and I don't think that.)
A lot of Apple's strategic choices are driven by products that take 5, 10, or sometimes 20 years to realize. For example, the forthcoming foldable iPhone (and the proving ground for many related decisions, the iPhone Air) was on roadmaps literally a decade before a decision like this reverberates through released products.
Putting a high-quality DAC in a dongle wasn't a terrible solution (many phones with analog jacks have poor ones), and today hundreds of headphones¹ courageously have native USB-C support.
¹ https://www.bhphotovideo.com/c/products/usb-c-headphones/ci/...
“PC guys are not going to just figure this out. They’re not going to just walk in.” — Palm CEO Ed Colligan, 2006, https://www.engadget.com/2006-11-21-palms-ed-colligan-laughs...
“A wizard is never late, nor is he early, he arrives precisely when he means to.” — Gandalf the Gray
:)
[0] https://youtu.be/BD8Nf09z_38 (Timestamp 18:40)
Out of all the people I would trust on the matter, Kamala Harris doesn't certainly end up at the top of my list, for reasons such as this one: https://youtu.be/O2SLyBL2kdM?si=Zq-EN8zxj4Y_UCwI
You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies
There's an interesting article from Wired [1] about this, although some interesting comments from the engineers working on BT stacks are far more interesting. It seems like most of the manufacturers do not create spec-compliant devices, and that the tests from the certification are just poor.
I'd love to hear more from an expert on the topic, but this looks to be the consensus.
[1]: https://archive.ph/6201V
I definitely remember lots of folk security advice to keep bluetooth off on your phone back when smartphones were new (nobody does that now though, and Android auto-enables it these days).
I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.
There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.
However the individual in question is not delusional or conspiratorial, and we know for sure that they are receiving advice or restrictions from extremely well-informed sources, so there's every reason to believe they are (lo-fi) repeating that.
Now I need to setup to check if my headphones are still vulnerable...
Funny that there were always some people here pushing bt audio as "the future", whom I can only assume were the technically shallow but very opinionated people that would die on the smallest technical hills
Transition period was definitely rough, but nowadays bluetooth headphones are substantially better than they were in the past, and it's quite freeing to not have to deal with wires.
There are definitely benefits to wired headphones, such as better audio quality and no battery life to worry about, but for those cases there are USB-C DACs.
You don't really own a wireless headphone. You can see it as a rent, or an ownership that loose its capability when in use.
I switched to USB-C soundcard cables which are dirt cheap and survive much much more plug-unplug-cycles. They easily can be replaced.
https://news.ycombinator.com/item?id=46424228
- Apple has a lossless coded for wireless, ALAC that can do up to 24bit/192khz
- aptX can do 44/16 in other devices, Sony has LDAC at 24/96 too
- latency under <100ms is meaningless for pure audio listening
We have amazing technology available today, at prices and quality unimaginable in the 80s. A $10 in-ear from a chinese hi-fi brand can give you an audio experience you couldn’t buy for thousands of dollars a decade ago.
Audiophiles tend to have firm stances on what is acceptable or not, I find.
In any case someone ought to shear the sheep....