Flaws in Airoha Bluetooth Chips Expose Headphones from Sony, Bose to Hijacking

Critical Vulnerabilities in Airoha Bluetooth Chips Allow Eavesdropping and Hijacking of Major Headphone Brands

Severity: HIGH | January 5, 2026 | 6 min read
Categories: Vulnerability, IoT Security, Mobile Security

Related Entities

Organizations: Airoha, Sony, Bose, JBL, Marshall, Jabra, ERNW

Products & Tech: RACE (Remote Access Control Engine)

CVE Identifiers:

  • CVE-2025-20700 (HIGH, CVSS 8.8)
  • CVE-2025-20701 (HIGH, CVSS 8.8)
  • CVE-2025-20702 (CRITICAL, CVSS 9.6)

Executive Summary

Security researchers have uncovered a series of critical vulnerabilities in Bluetooth System-on-Chips (SoCs) manufactured by Airoha, a subsidiary of MediaTek and a key supplier for the consumer electronics market. The flaws affect a wide range of popular True Wireless Stereo (TWS) headphones and earbuds from brands like Sony, Bose, JBL, and Marshall. The most severe of these, CVE-2025-20702 (CVSS 9.6), allows an unauthenticated attacker within Bluetooth range to remotely execute code, potentially leading to device hijacking, eavesdropping via the microphone, and theft of cryptographic keys. The vulnerabilities stem from an insecure, undocumented custom protocol. While the flaws were responsibly disclosed, the broad and often opaque supply chain for these chips means many devices may remain vulnerable.

Vulnerability Details

The vulnerabilities were discovered by researchers at ERNW and all involve the RACE (Remote Access Control Engine) protocol, a custom Airoha protocol used for diagnostics and firmware updates. The core issues are:

  • No Authentication: The RACE protocol is exposed over both Bluetooth Classic and Bluetooth Low Energy (BLE) and requires no authentication or pairing to interact with. An attacker can simply connect to a vulnerable device.
  • CVE-2025-20700 & CVE-2025-20701 (CVSS 8.8): These flaws allow an attacker to connect to the device and interact with the RACE protocol.
  • CVE-2025-20702 (CVSS 9.6): This is the most critical flaw. Once connected via the RACE protocol, an attacker can send commands to read from and write to arbitrary memory locations on the chip. This provides a powerful primitive for full device compromise.

Affected Systems

The vulnerabilities affect a wide range of Airoha chipsets used in countless consumer audio products. The specific series mentioned include:

  • Airoha AB156x, AB157x, AB158x, AB159x series
  • Airoha AB1627 chipsets

These chips are found in products from major brands such as Sony, Bose, JBL, Marshall, and Jabra.

Exploitation Status

There is no evidence of these vulnerabilities being exploited in the wild. They were discovered by security researchers and responsibly disclosed to Airoha and affected vendors in June 2025.

Impact Assessment

The ability to achieve remote code execution on a headset has severe implications:

  • Eavesdropping: An attacker could silently activate the headphone's microphone and listen to the user's conversations or surroundings.
  • Data Theft: By dumping the flash memory, an attacker can steal sensitive data, including the Bluetooth link key. This key can be used to impersonate the headphones to the paired smartphone, potentially allowing the attacker to interact with the phone's services (e.g., voice assistant) or intercept data.
  • Device Bricking: A malicious write to memory could permanently damage the device, rendering it unusable.
  • Man-in-the-Middle: An attacker could potentially intercept and modify audio being streamed to the headphones.

Cyber Observables for Detection

  • Bluetooth Scanning: Attackers would start by scanning for Bluetooth devices. Vulnerable devices may have a specific signature in their advertised services corresponding to the RACE protocol.
  • Anomalous Connections: A device receiving a connection and commands from an unpaired, unknown device is a direct indicator of attack.

Detection Methods

  • Firmware Version: The only reliable way for a user to check for vulnerability is to ensure their headphones have the latest firmware installed from the manufacturer.
  • Specialized Scanning: Security professionals could use Bluetooth analysis tools like Scapy or custom scripts to scan for devices that respond to the initial RACE protocol commands.

Remediation Steps

  1. Update Firmware: Users should immediately check for and apply any available firmware updates for their headphones via the manufacturer's official smartphone application. This is the primary method for receiving patches.
  2. Vendor Action: Manufacturers (Sony, Bose, etc.) that use affected Airoha chips are responsible for integrating Airoha's patch into their product-specific firmware and distributing it to customers.
  3. Disable Bluetooth When Not in Use: As a general precaution, turning off headphones or disabling Bluetooth on the paired phone when not in use reduces the window of opportunity for an attacker.

Timeline of Events

  1. June 1, 2025: ERNW researchers responsibly disclose the vulnerabilities to Airoha and affected vendors.
  2. January 5, 2026: This article was published.

MITRE ATT&CK Mitigations

Applying firmware updates from headphone manufacturers is the primary way for end-users to remediate this vulnerability.

Airoha and device manufacturers must follow secure coding practices, including implementing authentication on all diagnostic and update protocols.

Insecure features like the RACE protocol should be disabled in production firmware builds.

D3FEND Defensive Countermeasures

For end-users of affected headphones from Sony, Bose, JBL, and others, the only effective defense is to perform a software (firmware) update. Users must open the companion app for their specific headphone model on their smartphone and check for any available updates. The manufacturers are responsible for pushing out patched firmware that disables or secures the vulnerable RACE protocol. Given the opaque nature of consumer electronics supply chains, users may not know if their device contains an Airoha chip. Therefore, the best practice is to regularly check for and apply all firmware updates for all connected devices. This action directly fixes the root cause on the device itself.

This incident is a clear failure of secure development practices by the chip manufacturer, Airoha. To prevent such flaws, SoC vendors must practice rigorous Application Hardening. Specifically, any diagnostic or administrative interface like RACE must never be exposed in production firmware without mandatory, strong authentication. Such interfaces should be disabled by default and only enabled via a secure, authenticated mechanism. The fact that an unauthenticated protocol allowing arbitrary memory writes was present on consumer devices is a critical design flaw. Secure coding standards, threat modeling, and penetration testing must be part of the SoC development lifecycle to ensure such powerful and dangerous features are not accessible to attackers.

For security researchers and advanced users, Bluetooth Connection Analysis can be used to identify vulnerable devices. Using tools like Wireshark with a Bluetooth adapter or specialized radio analysis hardware, one can monitor the local environment for Bluetooth advertisements. The vulnerable Airoha devices will likely advertise a specific service UUID corresponding to the RACE protocol. By identifying devices that expose this service, one could build a list of potentially vulnerable assets in an environment. While not a mitigation, this detection technique allows for targeted assessment and can help organizations identify and prioritize the replacement or updating of vulnerable personal electronics used by employees.
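The Detection Methods section and the connection-analysis paragraph above both rest on reading the services a device advertises. The following is an added example, not code from the article, ERNW or Airoha: it parses raw BLE advertising payloads (as exported from Wireshark or a Scapy capture) into an inventory of per-device service UUIDs and flags devices exposing a watched service, without ever connecting to them. The RACE service UUID is not given in the article, so `RACE_UUID_PLACEHOLDER` and the sample captures are constructed placeholders.

```python
# Added example, not code from the article, ERNW or Airoha: offline parser for raw BLE advertising
# payloads that lists which service UUIDs each device exposes, so devices advertising a watched
# (e.g. RACE) service can be inventoried for patching without ever connecting to them.
import uuid

AD_UUID16 = (0x02, 0x03)   # incomplete / complete list of 16-bit service UUIDs
AD_UUID128 = (0x06, 0x07)  # incomplete / complete list of 128-bit service UUIDs
AD_LOCAL_NAME = 0x09       # complete local name
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"  # tail of the Bluetooth base UUID
# HYPOTHETICAL placeholder: the article gives no RACE UUID; take it from the vendor advisory.
RACE_UUID_PLACEHOLDER = "11111111-2222-3333-4444-555555555555"
WATCHED_UUIDS = {RACE_UUID_PLACEHOLDER}

def parse_ad_structures(payload: bytes):
    """Yield (ad_type, data) from length-prefixed AD structures; stop at padding or truncation."""
    i = 0
    while i + 1 < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # zero length is padding; an overlong length is malformed, never over-read
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def parse_report(addr: str, payload: bytes) -> dict:
    """Decode one advertisement into its local name and the 128-bit form of each service UUID."""
    rep = {"addr": addr, "name": "", "services": set()}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in AD_UUID16:      # 16-bit UUIDs are little-endian on the air
            for off in range(0, len(data) - 1, 2):
                rep["services"].add(f"{int.from_bytes(data[off:off + 2], 'little'):08x}{BT_BASE_SUFFIX}")
        elif ad_type in AD_UUID128:   # 128-bit UUIDs are little-endian too
            for off in range(0, len(data) - 15, 16):
                rep["services"].add(str(uuid.UUID(bytes=bytes(reversed(data[off:off + 16])))))
        elif ad_type == AD_LOCAL_NAME:
            rep["name"] = data.decode("utf-8", "replace")
    return rep

def flag_watched(reports):
    """Return (addr, name, matched UUIDs) for each device that advertises a watched service."""
    return [(r["addr"], r["name"], sorted(r["services"] & WATCHED_UUIDS))
            for r in reports if r["services"] & WATCHED_UUIDS]

def _ad(ad_type: int, data: bytes) -> bytes:  # one AD structure, used to build the sample below
    return bytes([len(data) + 1, ad_type]) + data
# Constructed sample captures (address, raw advertising payload); not real device data.
SAMPLE_CAPTURES = [
    ("aa:bb:cc:dd:ee:01", _ad(0x01, b"\x06") + _ad(0x09, b"TWS-Demo") + _ad(0x03, b"\x0b\x11\x08\x11")
     + _ad(0x07, bytes(reversed(uuid.UUID(RACE_UUID_PLACEHOLDER).bytes)))),
    ("aa:bb:cc:dd:ee:02", _ad(0x01, b"\x06") + _ad(0x09, b"Speaker-Demo") + _ad(0x03, b"\x0b\x11")),
]
```

Feed `flag_watched(parse_report(a, p) for a, p in captures)` a list of real (address, payload) pairs from your own capture to get the asset list the paragraph above describes.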

Sources & References

  • Check Point Research, "5th January – Threat Intelligence Report" (vertexaisearch.cloud.google.com), January 5, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner
