Your Bluetooth headphones might be doing more than just playing your favorite tunes—they could be handing over the keys to your digital life. A new report from ERNW Enno Rey Netzwerke GmbH has exposed a trio of critical vulnerabilities in chips used by major audio brands, allowing attackers to eavesdrop on conversations and even hijack the connected smartphone.
The research, detailed in a white paper titled “Airoha RACE: Bluetooth Headphone Vulnerabilities,” focuses on a widespread series of Bluetooth Systems on a Chip (SoCs) manufactured by Airoha. These chips power millions of “True Wireless Stereo” (TWS) earbuds and headphones from industry giants like Sony, JBL, Marshall, and Jabra.
At the heart of the issue is a proprietary diagnostic protocol called RACE. Intended for factory debugging, this powerful tool was essentially left “unlocked” on production devices, exposed over Bluetooth Classic and Bluetooth Low Energy (BLE).
“In essence, the issues can be summarized as missing authentication in combination with a powerful debug-like protocol,” the report states.
Because the protocol lacks authentication, any attacker within Bluetooth range can connect to the headphones without the user ever knowing. Once connected, the RACE protocol grants “extensive access to the devices,” allowing intruders to read and write to the device’s memory and flash storage.
This isn’t just about changing volume levels. The researchers demonstrated that they could “read out metadata related to the currently playing media,” effectively spying on what the user is listening to. More alarmingly, the lack of basic pairing security allows attackers to hijack the microphone directly.
“The lack of pairing does not only enable unauthenticated attackers to use the RACE protocol. It constitutes a vulnerability on its own… This might allow eavesdropping via the device’s microphone”.
While hacking headphones is concerning, the real danger lies in what researchers call “Headphone Jacking.” By chaining these vulnerabilities together, attackers can pivot from the earbuds to the user’s smartphone.
The attack works by dumping the headphone’s flash memory to steal the Bluetooth Link Key—the cryptographic secret that establishes trust between the phone and the headset.
“When the three vulnerabilities are chained together, the impact can be shifted from ‘hacking headphones’ to ‘compromising the phone,’” the researchers warn.
Armed with this key, an attacker can impersonate the trusted headphones and connect directly to the victim’s phone. From there, the possibilities are terrifying. The report details scenarios where attackers could “trigger voice assistants,” “send text messages,” or even “silently accept a call and receive the audio stream,” turning the phone into a remote bug.
The vulnerabilities, tracked as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, affect a staggering array of popular devices. The researchers verified the flaws in models including:
- Sony: WH-1000XM5, WF-1000XM5, LinkBuds S
- JBL: Live Buds 3, Endurance Race 2
- Marshall: Major V, Acton III
- Beyerdynamic: Amiron 300
While some manufacturers like Jabra have begun releasing patches, the fragmentation of the Bluetooth market means many users remain at risk. “Due to the sheer amount of devices that are potentially still affected, there is no proper overview over the current status of fixes,” the report notes.
Security experts are urging users to check for firmware updates immediately. ERNW has also released a RACE Toolkit for technical users to verify if their devices are vulnerable.
“Individuals that consider themselves high risky targets… are advised to use wired headphones instead of Bluetooth headphones,” the report concludes.