Airoha Chip Vulnerabilities Put Headphones at Risk of Takeover Attacks

Security researchers have identified multiple critical vulnerabilities in Bluetooth system-on-chip (SoC) products developed by Airoha, a major supplier of chips used in headphones and earbuds from various brands, including notable names like Beyerdynamic, Marshall, and Sony. These flaws could allow attackers to remotely take control of affected audio devices.

Airoha provides both hardware SoCs and software development kits (SDKs) that many headphone manufacturers use to build their products. According to the cybersecurity firm ERNW, the implementation of a custom protocol within these devices exposes a pathway for attackers to access and manipulate device memory—both RAM and flash storage—via Bluetooth communications.

This custom protocol is reachable through two main channels: the Bluetooth Low Energy (BLE) Generic Attribute Profile (GATT), which manages BLE data transfers, and the RFCOMM channel used in Bluetooth Classic (BR/EDR), a virtual serial port connection. Critically, neither channel enforces authentication, so an unauthorized party can reach the vulnerable protocol without first pairing or authenticating with the target device.

ERNW highlights that this missing security layer makes it possible for attackers within Bluetooth range to execute takeover attacks. Once compromised, the attacker could read or modify the device’s memory, hijack trust relationships established with other paired devices (such as a smartphone connected to the headphones), and even extract sensitive information like phone numbers from incoming calls.

The consequences of these vulnerabilities are severe: attackers could eavesdrop on conversations, capture the audio being played through the headphones, or rewrite the device firmware. Firmware modification could lead to full code execution on the device, potentially enabling wormable attacks that spread to other devices.

While the technical complexity of these attacks means that only highly skilled threat actors could realistically carry them out, ERNW warns that high-profile individuals—such as diplomats, journalists, political activists, or those in sensitive industries—could be targeted.

Airoha has reportedly released a patched version of its SDK to address these security issues. However, ERNW has not yet seen any evidence of headphone vendors issuing firmware updates to mitigate the risks, leaving many devices still exposed.

This case underscores the importance of vigilance and timely patching in the connected device ecosystem, especially for products that handle sensitive communications.

Source: https://www.securityweek.com/airoha-chip-vulnerabilities-expose-headphones-to-takeover/