Security Flaw in Bluetooth Headphones: Many Brands Affected

June 27, 2025, 3:15 pm | Read time: 3 minutes

Security researchers from Germany have discovered significant vulnerabilities in Bluetooth headphones that allow eavesdropping or initiating calls–all without prior pairing. Devices from numerous well-known manufacturers are affected, yet many users remain unaware of the risks.

This involves a security flaw in chips from a well-known manufacturer, which are installed in many Bluetooth headphones from popular brands such as Sony, Bose, JBL, Jabra, and Marshall. The discovered vulnerabilities enable attackers to take over headphones remotely without needing a prior connection. Sensitive actions like eavesdropping on conversations or initiating phone calls are possible under certain conditions.

Security Flaws in Bluetooth Chips Enable Remote Access

Researchers from the Heidelberg IT security company Enno Rey Netzwerke GmbH (ERNW) have identified several security flaws in Bluetooth chips from the Taiwanese manufacturer Airoha. The researchers presented their findings at the Troopers security conference in Heidelberg. The vulnerabilities affect several SoCs (Systems-on-a-Chip) from Airoha, which are used in True Wireless headphones, among others.

Through specially programmed protocols, attackers can access the working and flash memory of the devices. Being within Bluetooth range–about ten meters–is sufficient. Although Airoha has already provided a software update, users are still waiting for firmware updates from the manufacturers.

The attack requires neither prior pairing nor authentication. It can be used to read current media titles, capture contact data, or manipulate existing trust relationships with paired smartphones. In practice, the researchers demonstrated how connection data could trigger a call on the smartphone–a potential gateway for eavesdropping via the built-in microphone.

Every Fourth Smartphone Dangerous Security Flaw Affects Millions of Android Smartphones

Apple is expected to release the iOS 26.3 update for all compatible iPhones soon.

Now available iOS 26.3 Is Here! Should You Install the Update Right Away?

Over 100 Models Potentially Affected

According to ERNW, the security flaws have been confirmed in 29 Bluetooth headphones, but far more models are likely affected. The list includes models such as Sony WH-1000XM4 to WH-1000XM6, JBL Live Buds 3, Bose QuietComfort Earbuds, Jabra Elite 8 Active, and various Marshall devices like Major V and Stanmore III. Teufel, Jlab, Xiaomi, and other brands are also affected.

Researchers estimate that more than 100 different models could be vulnerable–and many manufacturers are unaware that Airoha chips are used in their products.

Updates Are Slow to Arrive

Airoha provided manufacturers with an updated version of its software on June 4. However, this must be passed on to end users as a firmware update by the device manufacturers. So far, no newer firmware versions have appeared on affected devices that were created after the patch date. Users should therefore regularly check the manufacturers’ apps for updates or contact customer support.

Experts emphasize that real attacks are complex and technically demanding. They require immediate physical proximity to the target device and specialized expertise. An attack is also not possible over the internet. Therefore, the warning is primarily directed at particularly vulnerable individuals such as journalists, diplomats, activists, or employees in security-relevant industries. For private everyday use, the risk is currently low.

This article is a machine translation of the original German version of TECHBOOK and has been reviewed for accuracy and quality by a native speaker. For feedback, please contact us at info@techbook.de.