Bluetooth Vulnerabilities Hit Sony, Marshall, Beyerdynamic Devices

In a recent discovery, Bluetooth devices built on system-on-chip (SoC) technology from Airoha Systems have been found to contain significant vulnerabilities. They allow an attacker to take control of the device by sending specially crafted data over Bluetooth Classic or Bluetooth Low Energy (BLE), without authentication or prior pairing, as long as the victim device is within Bluetooth signal range (approximately 10 meters). Affected products include various models of wireless headphones, speakers and microphones from Sony, Marshall, Beyerdynamic and several lesser-known brands.

The researchers who identified the vulnerabilities developed a prototype tool capable of remotely reading and writing the random-access memory (RAM) and flash memory of Bluetooth headphones. In practice, full access to a headset's memory could be turned into an attack on the smartphone paired with it: through the headphone-smartphone interaction, an attacker could potentially read the phone's address book and call history, place calls, eavesdrop on conversations, or capture audio through the microphone.

The attack leverages the Bluetooth Hands-Free Profile (HFP), through which the compromised headphones can issue commands to the paired smartphone. Given the complexity of exploitation, these vulnerabilities are more likely to be used in targeted attacks against specific individuals than in mass exploitation of ordinary users: an exploit tool would need to be customized for each headphone model, since the memory layout varies between firmware versions.

The exploit, known as the "Air attack," chains three vulnerabilities in Airoha's Bluetooth stack. CVE-2025-20700 and CVE-2025-20701 allow a communication channel to be established with the device's Bluetooth Classic and BLE services without authentication, while CVE-2025-20702 concerns a proprietary extended protocol implemented by Airoha SoCs. That protocol permits reading and writing RAM and flash memory without device pairing, over either the BLE Generic Attribute Profile (GATT) or Bluetooth Classic RFCOMM.

The researchers reported the vulnerabilities to Airoha on March 25 but only received a response on May 27, after persistent efforts to engage the company and to enlist the cooperation of device manufacturers. Airoha then began distributing an updated Software Development Kit (SDK) with mitigations to manufacturers on June 4. In late June, once the 90-day disclosure deadline had passed, the researchers published general information about the vulnerabilities while withholding the protocol details, to give manufacturers additional time to ship firmware patches.

Some of the devices confirmed to be
