Headphone Jacking: Bluetooth Earbuds Lead To Smartphone Hacking


Bluetooth earbuds have become an everyday companion for millions of users worldwide. From listening to music and taking calls to using voice assistants, wireless headphones are deeply connected to our digital lives. New security research, however, has revealed a serious threat hiding inside popular Bluetooth earbuds: a set of critical flaws, chained into an attack the researchers call headphone jacking, that allow attackers to spy on users and even take control of their smartphones.

Security researchers from ERNW Enno Rey Netzwerke GmbH have published a detailed white paper titled “Airoha RACE: Bluetooth Headphone Vulnerabilities”, exposing multiple security weaknesses in widely used Bluetooth audio chips. These vulnerabilities impact millions of True Wireless Stereo (TWS) earbuds from well-known brands such as Sony, JBL, Marshall, Jabra, and Beyerdynamic.

The researchers warn that these flaws enable a new type of attack they call “Headphone Jacking.”

Headphone Jacking is a cyberattack technique where hackers exploit vulnerable Bluetooth earbuds to gain access to the user’s connected smartphone. Instead of attacking the phone directly, attackers use the headphones as an entry point.

Because the phone treats paired earbuds as a trusted audio and hands-free device, with a path to the microphone and to call control, compromising them can lead to serious privacy and security risks.

The vulnerabilities are found in Bluetooth Systems on a Chip (SoCs) manufactured by Airoha, a major supplier for audio device makers. These chips are embedded in millions of earbuds and headphones currently in use.

At the center of the issue is a proprietary diagnostic protocol called RACE, which was designed for internal factory testing and debugging.

Unfortunately, researchers discovered that:

  • The RACE protocol is still active on production devices

  • It is exposed over Bluetooth Classic and Bluetooth Low Energy (BLE)

  • It lacks any form of authentication

In simple terms, anyone within Bluetooth range can open a RACE session with the headphones without pairing and without any user approval; no bond with the phone is needed, and none is created.

Once connected via the RACE protocol, attackers gain deep access to the earbuds. According to the researchers, this access includes:

  • Reading and writing device memory

  • Accessing flash storage

  • Controlling internal functions

This goes far beyond ordinary Bluetooth nuisance attacks: it amounts to an unauthenticated debugger interface on a device that holds the secrets of its pairing with the phone.

The report clearly states that the issue is caused by “missing authentication combined with a powerful debug-like protocol.”
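The combination the report describes, an unauthenticated command channel with raw memory access, is easiest to see in code. The following added example is not code from the ERNW paper or from Airoha firmware. It models a toy diagnostic protocol with an invented frame layout and opcodes (not the RACE wire format) and a constructed 16-byte "link key" in simulated memory, and puts the unauthenticated handler beside a gated one: debug commands disabled in production builds, an HMAC challenge-response unlock with a per-device secret, single-use challenges, and bounds checks.

```python
"""Added example, not ERNW's or Airoha's code: a toy diagnostic protocol with no
authentication (the situation the paper describes) beside a gated version. The frame
layout (1-byte opcode, 4-byte LE address, 2-byte length, payload), opcodes, memory
map and 'link key' bytes are all invented for this demo; none of it is the RACE format."""
import hashlib
import hmac
import os
import struct

OP_READ_MEM, OP_WRITE_MEM = 0x01, 0x02
OP_UNLOCK_REQ, OP_UNLOCK_RESP = 0x10, 0x11   # get a nonce / answer HMAC-SHA256(secret, nonce)
MEM_SIZE, KEY_OFFSET = 0x1000, 0x800
FAKE_LINK_KEY = bytes(range(0xA0, 0xB0))     # constructed 16-byte value, not a real key
OK, BAD_OP, DISABLED, AUTH_REQUIRED, OUT_OF_BOUNDS = b"\x00", b"\xff", b"\xfe", b"\xfd", b"\xfc"

def new_memory() -> bytearray:
    """Simulated earbud memory with the 'link key' stored at a fixed offset."""
    mem = bytearray(MEM_SIZE)
    mem[KEY_OFFSET:KEY_OFFSET + 16] = FAKE_LINK_KEY
    return mem

def build_frame(op, addr, length, payload=b""):
    return struct.pack("<BIH", op, addr, length) + payload

def parse_frame(frame):
    if len(frame) < 7:
        raise ValueError("short frame")
    op, addr, length = struct.unpack_from("<BIH", frame, 0)
    return op, addr, length, frame[7:]

class VulnerableHandler:
    """Whoever can reach the transport gets raw memory access: no gate at all."""
    def __init__(self, mem):
        self.mem = mem

    def handle(self, frame):
        op, addr, length, payload = parse_frame(frame)
        if op == OP_READ_MEM:
            return OK + bytes(self.mem[addr:addr + length])
        if op == OP_WRITE_MEM:
            self.mem[addr:addr + len(payload)] = payload
            return OK
        return BAD_OP

class HardenedHandler:
    """Same commands behind three gates: disabled in production builds, HMAC
    challenge-response unlock with a per-device secret, and bounds checks.
    Every challenge is single-use, so a sniffed response cannot be replayed."""
    def __init__(self, mem, production, device_secret):
        self.inner = VulnerableHandler(mem)
        self.production, self.secret = production, device_secret
        self.nonce, self.unlocked = None, False

    def handle(self, frame):
        op, addr, length, payload = parse_frame(frame)
        if self.production:
            return DISABLED                  # shipping firmware answers nothing useful
        if op == OP_UNLOCK_REQ:
            self.nonce, self.unlocked = os.urandom(16), False   # new challenge ends old session
            return OK + self.nonce
        if op == OP_UNLOCK_RESP:
            if self.nonce is None:
                return AUTH_REQUIRED
            expected = hmac.new(self.secret, self.nonce, hashlib.sha256).digest()
            self.nonce = None                # single use, whether or not it verifies
            self.unlocked = hmac.compare_digest(expected, payload)
            return OK if self.unlocked else AUTH_REQUIRED
        if not self.unlocked:
            return AUTH_REQUIRED
        span = len(payload) if op == OP_WRITE_MEM else length
        if addr + span > MEM_SIZE:
            return OUT_OF_BOUNDS
        return self.inner.handle(frame)      # all gates passed: same memory logic as before

def dump_link_key(handler):
    """Attacker step one from the paper: read the key region over the debug channel."""
    resp = handler.handle(build_frame(OP_READ_MEM, KEY_OFFSET, 16))
    return bytes(resp[1:]) if resp[:1] == OK else None

def unlock(handler, secret):
    """Challenge-response unlock, as a legitimate factory tool would perform it."""
    resp = handler.handle(build_frame(OP_UNLOCK_REQ, 0, 0))
    if resp[:1] != OK:
        return False
    tag = hmac.new(secret, resp[1:], hashlib.sha256).digest()
    return handler.handle(build_frame(OP_UNLOCK_RESP, 0, 0, tag)) == OK

def replay_succeeds(handler, secret):
    """Unlock once legitimately, then re-send the captured response to a fresh challenge."""
    resp = handler.handle(build_frame(OP_UNLOCK_REQ, 0, 0))
    if resp[:1] != OK:
        return False
    tag = hmac.new(secret, resp[1:], hashlib.sha256).digest()
    handler.handle(build_frame(OP_UNLOCK_RESP, 0, 0, tag))
    handler.handle(build_frame(OP_UNLOCK_REQ, 0, 0))   # attacker requests a new nonce
    return handler.handle(build_frame(OP_UNLOCK_RESP, 0, 0, tag)) == OK

if __name__ == "__main__":
    print("vulnerable:", dump_link_key(VulnerableHandler(new_memory())).hex())
    h = HardenedHandler(new_memory(), production=False, device_secret=b"per-device-secret")
    print("hardened, locked:", dump_link_key(h))
    print("hardened, unlocked:", unlock(h, b"per-device-secret"), dump_link_key(h).hex())
```

Running the block shows the unauthenticated handler hand the key to the first caller, while the gated handler returns an authentication error until a valid response is presented and rejects a replayed response. The production flag is the gate that matters most: a debug interface that is not reachable in shipping firmware cannot be abused regardless of how it authenticates.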

One of the most alarming findings is that attackers can activate and access the microphone inside the earbuds.

This allows hackers to:

  • Eavesdrop on nearby conversations

  • Listen to phone calls

  • Monitor surroundings without the user knowing

Because no Bluetooth pairing is required, users receive no alerts or warnings during the attack.

The researchers confirmed that even metadata related to currently playing audio can be extracted, revealing what the user is listening to in real time.

The real danger begins when attackers chain multiple vulnerabilities together.

Using the exposed RACE protocol, hackers can dump the earbuds' internal flash memory and extract the Bluetooth Link Key, the long-term secret created during pairing that establishes trust between the headphones and the smartphone.

With this key and the earbuds' Bluetooth address, attackers can impersonate the trusted earbuds and connect directly to the victim's phone. Because the phone authenticates its headset only by this key, it cannot tell the impersonator from the real earbuds. The attacker must be within Bluetooth range of the phone and take the place of the genuine earbuds while they are not connected.

Through the standard hands-free and remote-control functions the phone already grants its headset, this enables attackers to:

  • Trigger voice assistants like Google Assistant or Siri

  • Send text messages

  • Accept phone calls silently

  • Listen to call audio remotely

In effect, the smartphone becomes a remote surveillance device.


The vulnerabilities are tracked under the following CVE identifiers:

  • CVE-2025-20700

  • CVE-2025-20701

  • CVE-2025-20702

The researchers confirmed the flaws in multiple popular models, including:

  • Sony: WH-1000XM5, WF-1000XM5, LinkBuds S

  • JBL: Live Buds 3, Endurance Race 2

  • Marshall: Major V, Acton III

  • Beyerdynamic: Amiron 300

Given the widespread use of Airoha chips, the actual number of affected devices is likely much higher.

Some vendors, such as Jabra, have started releasing firmware updates to address the issue. However, the Bluetooth ecosystem is highly fragmented.

According to the researchers:

“Due to the sheer number of potentially affected devices, there is no clear overview of the current patch status.”

Many users may never receive updates, especially for older or budget models.

Security experts recommend the following steps:

  1. Check for firmware updates from the device manufacturer

  2. Install updates immediately if available

  3. Disable Bluetooth when not in use

  4. Avoid using Bluetooth headphones in sensitive environments

For advanced users, ERNW has released a RACE Toolkit to test whether a device is vulnerable.
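Short of running ERNW's toolkit against each device, a first triage step on a Linux host is to list what is paired and pick out the audio devices. The following added example is not part of the article or of the ERNW toolkit. It parses the text that `bluetoothctl info` prints for each device, decodes the Bluetooth Class of Device field to identify audio devices and their kind, and flags names matching the models listed above. The sample output is constructed for the example, the model list is the one the article gives, and the Class of Device decoding follows the Bluetooth assigned numbers. A name match means "check for firmware"; an audio device that is not on the list is not cleared, since Airoha chips ship in far more products than the confirmed ones.

```python
"""Added example, not from the article or the ERNW toolkit: triage paired Bluetooth
devices on a Linux host from `bluetoothctl info` output. The sample output below is
constructed; the model list is the one the article gives."""
import re
from typing import Dict, List

# Models the article reports as confirmed affected; matched as substrings of the name.
LISTED_MODELS = ("WH-1000XM5", "WF-1000XM5", "LinkBuds S", "Live Buds 3",
                 "Endurance Race 2", "Major V", "Acton III", "Amiron 300")

# Class of Device decoding per the Bluetooth assigned numbers (baseband section).
MAJOR_CLASSES = {0x01: "Computer", 0x02: "Phone", 0x03: "LAN/AP", 0x04: "Audio/Video",
                 0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable"}
AUDIO_MINOR = {0x01: "Wearable Headset", 0x02: "Hands-free", 0x04: "Microphone",
               0x05: "Loudspeaker", 0x06: "Headphones", 0x07: "Portable Audio",
               0x08: "Car Audio", 0x0A: "HiFi Audio"}
SERVICE_BITS = {18: "Rendering", 19: "Capturing", 21: "Audio", 22: "Telephony"}


def decode_cod(cod: int) -> Dict:
    """Split the 24-bit Class of Device into service bits, major and minor class."""
    major, minor = (cod >> 8) & 0x1F, (cod >> 2) & 0x3F
    is_audio = major == 0x04
    return {
        "major": MAJOR_CLASSES.get(major, f"0x{major:02x}"),
        "minor": AUDIO_MINOR.get(minor, f"0x{minor:02x}") if is_audio else f"0x{minor:02x}",
        "services": [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)],
        "is_audio": is_audio,
    }


def parse_bluetoothctl_info(text: str) -> List[Dict]:
    """Parse 'Device AA:BB:CC:DD:EE:FF (public)' headers followed by indented 'Key: value' lines."""
    devices = []
    for block in re.split(r"(?m)^(?=Device )", text):
        head = re.match(r"Device ([0-9A-Fa-f:]{17})", block)
        if not head:
            continue
        dev = {"addr": head.group(1).upper()}
        for key, value in re.findall(r"(?m)^[ \t]+(\w+): (.*)$", block):
            dev.setdefault(key, value.strip())   # keep the first of repeated keys (UUID)
        devices.append(dev)
    return devices


def triage(text: str) -> List[Dict]:
    """One record per device: audio or not, what kind, and whether the name is on the list."""
    out = []
    for dev in parse_bluetoothctl_info(text):
        cod = decode_cod(int(dev.get("Class", "0x0"), 16))
        name = dev.get("Name", "")
        out.append({
            "addr": dev["addr"], "name": name, "paired": dev.get("Paired") == "yes",
            "is_audio": cod["is_audio"], "kind": cod["minor"], "services": cod["services"],
            "listed_affected": any(m.lower() in name.lower() for m in LISTED_MODELS),
        })
    return out


# Constructed sample in the shape bluetoothctl prints; addresses and names are made up.
SAMPLE = """\
Device 00:11:22:33:44:55 (public)
\tName: WH-1000XM5
\tAlias: WH-1000XM5
\tClass: 0x00240404
\tIcon: audio-headset
\tPaired: yes
\tTrusted: yes
\tConnected: no
\tUUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
\tUUID: Handsfree                 (0000111e-0000-1000-8000-00805f9b34fb)
Device 66:77:88:99:AA:BB (public)
\tName: Keyboard K380
\tClass: 0x00002540
\tPaired: yes
Device CC:DD:EE:FF:00:11 (public)
\tName: Budget TWS
\tClass: 0x00240418
\tPaired: yes
"""

if __name__ == "__main__":
    for d in triage(SAMPLE):
        verdict = ("CHECK FIRMWARE (listed model)" if d["listed_affected"]
                   else "audio device, not on list: verify chipset" if d["is_audio"] else "")
        print(f'{d["addr"]}  {d["name"]:<14} {d["kind"]:<16} {verdict}')
```

On a real host, feed the script the concatenated output of `bluetoothctl info <addr>` for each address from `bluetoothctl devices`. The Class of Device is reported by the device itself and can be set to anything by firmware, so it is a hint for sorting an inventory, not an authentication of what the device is.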

The report offers a strong warning for journalists, executives, activists, and government officials.

“Individuals who consider themselves high-risk targets are advised to use wired headphones instead of Bluetooth headphones.”

Wired devices expose no wireless attack surface of their own and remain the safest option for sensitive conversations; in such settings the phone's Bluetooth radio should be switched off as well, since that is where the impersonation attack ultimately lands.

The Headphone Jacking attack highlights a growing problem in consumer electronics security. Devices designed for convenience often sacrifice security, creating hidden risks for users.

As Bluetooth devices continue to evolve, manufacturers must ensure that debug features are disabled, authentication is enforced, and security testing is taken seriously — not just for smartphones and laptops, but for every connected device we use daily.

