Bluetooth Vulnerability Threatens Millions of Premium Headphones

Bluetooth headphones, once a symbol of convenience, may now be a vector for privacy breaches. Researchers from cybersecurity firm ERNW have uncovered vulnerabilities in Airoha Bluetooth chips used in 29 devices from Sony, Bose, JBL, Jabra, and Marshall. These flaws could enable attackers to access personal data, eavesdrop on conversations, and even remotely manipulate devices, posing a significant threat to user privacy and security.

Among the vulnerabilities identified, the most critical allows an attacker to read or manipulate data by exploiting a custom protocol used in the Airoha chips. The three flaws, each assigned a CVE number, have been rated between medium and high severity. ERNW researchers demonstrated that they could extract call logs, contact lists, and media being played without direct user interaction. In one proof-of-concept, the researchers successfully retrieved Bluetooth link keys from a headphone’s memory, allowing them to impersonate the device and hijack the connection to a phone.

With access to the Bluetooth Hands-Free Profile, attackers could issue commands to the phone, potentially leading to unauthorized actions such as initiating calls or controlling audio playback. However, these attacks require close physical proximity and technical expertise, so they are not easily carried out by casual attackers. Despite this, the potential for misuse is significant, particularly for targeted surveillance of individuals and the exposure of their personal data.

Some manufacturers, like Jabra, have already addressed certain vulnerabilities, but the extent of the fix remains unclear. Airoha has patched the issues in its software development kit (SDK) and provided updated versions to device manufacturers. However, many devices may still be running outdated firmware due to delays in distributing the patches. Consumers are encouraged to manually check for firmware updates and disable Bluetooth when not in use to reduce exposure risks.

The real danger lies not only in the technical flaws but also in the lack of transparency and direct consumer notification. The challenge of keeping users informed about firmware updates and security patches highlights a broader issue in the industry. As long as users cannot control the software running inside their devices, security vulnerabilities will continue to pose risks. Experts argue that mandatory notification policies for manufacturers could help ensure users are aware of potential threats to their devices.

While the immediate financial impact on consumers may be limited, the broader implications for consumer trust and the reputation of affected manufacturers could be significant. The incident underscores the need for robust security practices and proactive measures to protect user data. As the demand for wireless audio devices continues to grow, the importance of addressing such vulnerabilities becomes increasingly critical.