PROBABLYPWNED
Vulnerabilities · June 20, 2026 · 3 min read

Airoha Bluetooth Flaw Turns Earbuds Into Wiretaps

CVE-2025-20701 lets attackers hijack unpaired Beats, Sony, JBL earbuds to eavesdrop via microphone. CVSS 8.8 flaw affects 29 products from 10 brands.

Marcus Chen

Apple patched a high-severity Bluetooth vulnerability in Beats Studio Buds this week that could let nearby attackers listen through the device microphone before pairing completes. The flaw stems from Airoha chipsets used across 29 products from Sony, Bose, JBL, Marshall, Jabra, and others.

CVE-2025-20701 carries a CVSS score of 8.8 and requires no user interaction beyond being within Bluetooth range. Security researchers Dennis Heinze and Frieder Steinmetz of ERNW GmbH discovered the vulnerability and disclosed their findings at the TROOPERS security conference in June 2025.

How the Attack Works

The vulnerability exists in Airoha's RACE (Remote Audio Call Enhancement) protocol, a custom debugging interface exposed over Bluetooth without authentication. Attackers can exploit the flaw to:

  1. Pair with devices actively seeking pairing requests without user consent
  2. Access the microphone on unpaired devices
  3. Read and write to device RAM and flash memory
  4. Manipulate device firmware

The attack requires specialized tooling and proximity within approximately 10 meters. While that limits mass exploitation, researchers warned the flaw poses real risk to journalists, executives, government officials, and anyone regularly discussing sensitive information in public.

Affected Products

29 products from ten brands embed vulnerable Airoha system-on-chip components:

  • Apple: Beats Studio Buds
  • Sony: Multiple wireless earbuds and headphones
  • Bose: Various Bluetooth audio products
  • JBL: Several wireless headphone models
  • Marshall: Bluetooth headphones
  • Jabra: Enterprise and consumer earbuds
  • Beyerdynamic: Wireless headphone lines
  • Teufel: Consumer audio products
  • JLab: Budget wireless earbuds
  • EarisMax/MoerLabs: Various models

The breadth of affected products reflects Airoha's position as a major supplier of Bluetooth audio chips. Any device using the vulnerable SDK versions is potentially exposed.

Vendor Response Varies Widely

Airoha released an updated SDK with authentication checks and patched protocol handlers in mid-2025. However, downstream patching has been inconsistent.

Apple addressed the issue in Beats Firmware Update 1B211, released June 16, 2026. Jabra and Marshall have publicly acknowledged firmware fixes. Beyerdynamic proactively addressed the vulnerability. Sony initially failed to respond to researcher disclosures.

Users of affected products should check for firmware updates through their respective vendor apps. Unlike smartphone operating systems, earbuds and headphones often require manual update checks.

Why This Matters

Bluetooth audio devices have become ubiquitous. People wear them in meetings, on calls with their banks, during medical consultations. A vulnerability that turns these devices into listening stations undermines assumptions about physical security.

The Airoha flaws also highlight supply chain concentration in consumer electronics. A single chipset vendor's security failure ripples across dozens of brands and millions of devices. We saw similar dynamics with the JetBrains plugin compromise affecting 70,000 installs across a trusted marketplace.

For now, users should update firmware where available and consider disabling Bluetooth on audio devices when not in active use. High-risk individuals should treat any wireless audio device as potentially compromised until they can verify patched firmware.
