Comment by miduil

9 hours ago

Glad this submission is finally receiving upvotes.

This was just shown at the 39C3 in Hamburg, few days back.

Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)

This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...

> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).

Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.

What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.

RACE Reverse Engineered - CLI Tool: https://github.com/auracast-research/race-toolkit

I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.

18 comments

miduil

Reply
Namidairo  8 hours ago

> Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.

While I don't recall Sony issuing an advisory, I believe the users of their app would have started getting update notifications since they (quietly) released firmware updates.

> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.

I think most vendors are using custom services with their own UUIDs for settings such as this.

Regardless, I believe there are open client implementations for some of the more popular devices. Gadgetbridge comes to mind in regards to Android, not sure about any Linux equivalent.

  • miduil  7 hours ago

    Uh totally, I can't believe how much support Gadgetbridge has - wow thanks for the reminder. I'd love to use that on Linux eventually.

macintux  9 hours ago

> Glad this submission is finally receiving upvotes.

Speaking for myself, I have very little patience for technical videos, so I don't believe I've ever upvoted a YouTube submission.

wolvoleo  4 hours ago

Cool! Can you play audio to them too? That would be a practical joker's dream lol.

I'm not surprised Jabra acted quickly. They mainly sell too enterprise which generally care very much about security. Sony is more a consumer mfg now.

mschuster91  4 hours ago

> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.

Fun fact: There are at least two applications that reverse engineered AirPods' communication protocol for custom controls - AndroPods from 2020 [1] and LibrePods from 2024 [2].

But... mainstream Android has a bug open in their Bluetooth stack for well over a year now that prevents issuing the commands, meaning to actually use the app you need root rights [3].

[1] https://play.google.com/store/apps/details?id=pro.vitalii.an...

[2] https://github.com/kavishdevar/librepods/tree/main

[3] https://issuetracker.google.com/issues/371713238

mi_lk  8 hours ago

> This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ..

That doesn't sound very serious if they're exposed, is it? Can it be used to eavesdrop my conversation if I'm speaking through the headphone

  • DangerousPie  8 hours ago

    They also demonstrated how this could be used to silently find out someone’s phone number and then hijack a TFA validation call from an app like WhatsApp to take over their account with no user interaction.

    • Fnoord  7 hours ago

      This attack was not silent, it was noisy. They specifically pointed that out in their talk.

  • miduil  8 hours ago

    the session (or pairing key) means you can both connect to the headphone or impersonate it.

    It can toggle the hands-free mode and listen to whatever is being talked, you'd notice that it has switched to the mode though - but if you're headphones are powered on and you're not listening to in they can be used for eavesdropping.

    During the talk they both demonstrate listening to the microphone and also receiving a WhatsApp 2FA call.

    • mi_lk  8 hours ago

      presumably, even in hands-free mode the attacker needs to be very close to the speaker to hear it

IshKebab  8 hours ago

Is this an unintentional vulnerability or is it one of those "we left it open because it's easier and we hoped nobody would notice" kind of things. I mean can you just send a "update to this firmware" command completely unauthenticated and it's like "yep sure"? No signing or anything?