Security Flaw in Bluetooth Headphones: Many Brands Affected

June 27, 2025, 3:15 pm | Read time: 3 minutes

Security researchers from Germany have discovered significant vulnerabilities in Bluetooth headphones that allow eavesdropping on conversations or initiating calls–all without prior pairing. Devices from numerous well-known manufacturers are affected, yet many users are likely unaware of the risks.

This involves a security flaw in chips from a well-known manufacturer, which are installed in many Bluetooth headphones from popular brands such as Sony, Bose, JBL, Jabra, and Marshall. The discovered vulnerabilities enable attackers to take control of headphones remotely without needing a prior connection. Under certain conditions, sensitive actions like eavesdropping on conversations or starting phone calls are also possible.

Security Flaws in Bluetooth Chips Allow Remote Access

Researchers from the Heidelberg IT security company Enno Rey Netzwerke GmbH (ERNW) have identified several security flaws in Bluetooth chips from the Taiwanese manufacturer Airoha. The researchers presented their findings at the Troopers security conference in Heidelberg. The vulnerabilities affect several SoCs (Systems-on-a-Chip) from Airoha, which are used in true wireless headphones, among other devices.

Through specially programmed protocols, attackers can access the working and flash memory of the devices. It is sufficient to be within Bluetooth range–about ten meters away. Although Airoha has already provided a software update, users are still waiting in vain for firmware updates from the manufacturers.

The attack requires neither prior pairing nor authentication. It allows for reading current media titles, capturing contact data, or manipulating existing trust relationships with paired smartphones. In practice, the researchers demonstrated how the extracted connection data could trigger a call on the smartphone–a potential gateway for eavesdropping through the built-in microphone.

Every Fourth Smartphone Dangerous Security Flaw Affects Millions of Android Smartphones

Apple is expected to release the iOS 26.3 update for all compatible iPhones soon.

Now available iOS 26.3 Is Here! Should You Install the Update Right Away?

Over 100 Models Potentially Affected

According to ERNW, the security flaws have been confirmed in 29 Bluetooth headphones, but many more models are likely affected. The list includes models such as Sony WH-1000XM4 to WH-1000XM6, JBL Live Buds 3, Bose QuietComfort Earbuds, Jabra Elite 8 Active, and various Marshall devices like Major V and Stanmore III. Brands like Teufel, Jlab, Xiaomi, and others are also affected.

The researchers estimate that more than 100 different models could be vulnerable–and many manufacturers are not even aware that Airoha chips are installed in their products.

Updates Are Slow to Arrive

Airoha provided manufacturers with an updated version of its software on June 4. However, this must be passed on to end users as a firmware update by the device manufacturers. So far, no newer firmware versions have appeared on affected devices that were created after the patch date. Users should therefore regularly check the manufacturers’ apps for updates or contact customer support.

The experts emphasize that real attacks are complex and technically demanding. They require immediate physical proximity to the target device and specialized expertise. An attack is also not possible over the internet. Therefore, the warning is primarily directed at particularly vulnerable individuals such as journalists, diplomats, activists, or employees in security-relevant industries. For private everyday use, the risk is currently low.

This article is a machine translation of the original German version of TECHBOOK and has been reviewed for accuracy and quality by a native speaker. For feedback, please contact us at info@techbook.de.