Researchers have discovered a security flaw in Bluetooth headphones and earbuds from Sony, JBL and more, allowing attackers to hijack audio devices, eavesdrop and steal phone numbers and contact information.
Cybersecurity firm ERNW identified vulnerabilities in audio products using a Bluetooth System on a Chip (SoC) from manufacturer and supplier Airoha, allowing threat actors to manipulate devices without needing to pair with them.
This SoC is used among many popular brands, with affected devices confirmed to include the Sony WH-1000XM6, Link Buds S, Jabra Elite 8 Active, Bose QuietComfort Earbuds and more.
As noted in the report, the vulnerabilities allow cybercriminals to hijack headphones over Bluetooth, with BLE GATT services and BD/EDR (a.k.a. Bluetooth Classic) missing authentication and leaving these devices open to be taken over without any need for pairing or authentication.
"The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition," ERNW reports. "It is possible to read and write the device’s RAM and flash. These capabilities also allow attackers to hijack established trust relationships with other devices, such as the phone paired to the headphones."
The security flaws can lead to threat actors knowing what is currently playing on devices via RAM reading commands, eavesdropping on conversations when the Bluetooth Classic vulnerability is exploited and being able to see a connected device's phone number and incoming calls.
It's important to note that these vulnerabilities can only be exploited if an attacker is within Bluetooth range of a device (around 10 meters), and requires several steps to achieve hijacking without being noticed — with ERNW noting that it would take a "high technical skill set."
So, while it's possible for cybercriminals to take advantage of these flaws in headphones or earbuds using Airoha Bluetooth SoCs (especially if they're wireless), they would need to be in close range.
What devices are affected?
While many audio products, including headphones, earbuds, speakers and wireless microphones, are known to use Airoha's Bluetooth chip, the cybersecurity firm has confirmed a list of devices that are affected.
Here's a look at the devices that are exposed to the vulnerability:
- Beyerdynamic Amiron 300
- Bose QuietComfort Earbuds
- EarisMax Bluetooth Auracast Sender
- Jabra Elite 8 Active
- JBL Endurance Race 2
- JBL Live Buds 3
- Jlab Epic Air Sport ANC
- Marshall Action III
- Marshall Major V
- Marshall Minor IV
- Marshall Motif II
- Marshall Stanmore III
- Marshall Woburn III
- MoerLabs EchoBeatz
- Sony CH-720N
- Sony Link Buds S
- Sony ULT Wear
- Sony WF-1000XM3
- Sony WF-1000XM4
- Sony WF-1000XM5
- Sony WF-C500
- Sony WF-C510-GFP
- Sony WH-1000XM4
- Sony WH-1000XM5
- Sony WH-1000XM6
- Sony WH-CH520
- Sony WH-XB910N
- Sony WI-C100
- Teufel Tatws2
However, it's expected that many more audio devices with the SoC are also exposed to the security flaw, but it's virtually impossible to test them all with the amount out there. ERNW states that "some vendors are not even aware that they are using an Airoha SoC," due to parts like the Bluetooth chip being outsourced for development.
Since these headphones, earbuds and more are from popular brands, including the latest Sony WH-1000XM6, it's likely that many people are at risk of the vulnerability.
How to stay safe
While many of the best headphones and best wireless earbuds are affected, an attack that exploits these security flaws would only take place if a cybercriminal is in range. So, as with any Bluetooth attack, it's a good idea to be cautious when in public spaces, such as public transport, cafés and more.
The only real way to stay safe from these types of attacks is to disable Bluetooth, which isn't ideal for wireless headphones and earbuds. Of course, it's also best to use wired options that don't require Bluetooth, such as the Sennheiser IE 200 wired earbuds.
As this leaves many audio products open to attack, Airoha has now fixed the vulnerabilities in a Software Development Kit (SDK). A new version with the fixes has been sent to manufacturers as of the first week of June, meaning brands such as Sony, JBL, Marshall and others should have a firmware update available with the fixes so users can update their devices with the latest patch.
Currently, ERNW isn't aware of any fixed firmware releases, but as soon as one is available, users with affected devices should update their headphones, earbuds and more to make sure they aren't at risk.
To keep yourself safe from any online threats that these security vulnerabilities may exploit, it's best to use the best antivirus software and best password managers, too.
More from Tom's Guide
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
