{"id":23526,"date":"2026-01-20T08:00:10","date_gmt":"2026-01-20T01:00:10","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23526"},"modified":"2026-01-20T10:16:21","modified_gmt":"2026-01-20T03:16:21","slug":"just-10-meters-away-an-attacker-can-turn-headphones-into-a-spying-device","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/just-10-meters-away-an-attacker-can-turn-headphones-into-a-spying-device\/","title":{"rendered":"Just 10 meters away, an attacker can turn headphones into a spying device."},"content":{"rendered":"<p class=\"text-2xl leading-snug text-slate-700 dark:text-slate-400 md:text-3xl xl:text-3xl\"><span style=\"font-size: 12pt\">A Bluetooth vulnerability can turn wireless headphones into eavesdropping tools and a stepping stone to infiltrate phones without user interaction.<\/span><\/p>\n<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<h2 id=\"heading-overview\"><span style=\"font-size: 12pt\"><strong>Overview<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt\">Bluetooth headsets have long been considered &#8220;harmless&#8221; personal devices for specific purposes like listening to music, making calls, or supporting virtual assistants. However, at the end of December 2025, security research by\u00a0<strong>ERNW<\/strong>\u00a0discovered a series of zero-day vulnerabilities that completely changed this perception. The flaws, in Bluetooth chips developed by\u00a0<strong>Airoha Systems<\/strong>, revealed that\u00a0<strong>wireless headphones can become eavesdropping tools and a perfect entry point for hackers in today&#8217;s cybercrime world.<\/strong><\/span><\/p>\n<p><span style=\"font-size: 12pt\">Three serious vulnerabilities were found: CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702. 
These vulnerabilities are not in the application or operating system but originate directly from the\u00a0<strong>firmware and internal protocol of the Bluetooth chip<\/strong>. Even more concerning, attackers\u00a0<strong>do not need a connection, authentication, or user interaction<\/strong>; they only need to be within Bluetooth range to exploit them. From reading\/writing headset memory, eavesdropping through the microphone, to stealing connection keys to impersonate the device and access smartphones, the impact goes far beyond traditional Bluetooth risks.<\/span><\/p>\n<h2 id=\"heading-list-of-affected-devices\"><span style=\"font-size: 12pt\"><strong>List of Affected Devices<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-size: 12pt\"><strong>Beyerdynamic<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Amiron 300<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Bose<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">QuietComfort Earbuds<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>EarisMax<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Bluetooth Auracast Sender<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Jabra<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Elite 8 Active<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>JBL<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Endurance Race 2<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Live Buds 3<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Jlab<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Epic Air Sport ANC<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Marshall<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">ACTON III<\/span><\/li>\n<li><span style=\"font-size: 12pt\">MAJOR V<\/span><\/li>\n<li><span style=\"font-size: 12pt\">MINOR 
IV<\/span><\/li>\n<li><span style=\"font-size: 12pt\">MOTIF II<\/span><\/li>\n<li><span style=\"font-size: 12pt\">STANMORE III<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WOBURN III<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>MoerLabs\u00a0<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">EchoBeatz<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Sony<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">CH-720N<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Link Buds S<\/span><\/li>\n<li><span style=\"font-size: 12pt\">ULT Wear<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WF-1000XM3<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WF-1000XM4<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WF-1000XM5<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WF-C500<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WF-C510-GFP<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WH-1000XM4<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WH-1000XM5<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WH-1000XM6<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WH-CH520<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WH-XB910N<\/span><\/li>\n<li><span style=\"font-size: 12pt\">WI-C100<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Teufel<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Tatws2<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2 id=\"heading-main-impacts\"><span style=\"font-size: 12pt\"><strong>Main Impacts<\/strong><\/span><\/h2>\n<ul>\n<li><span style=\"font-size: 12pt\">Unauthorized eavesdropping.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Violation of personal privacy.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Takeover of paired devices.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Expansion of attacks to smartphones.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Widespread risk on a large 
scale.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Difficult to detect and monitor.<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-vulnerability-description\"><span style=\"font-size: 12pt\"><strong>Vulnerability Description<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-size: 12pt\"><strong>CVE-2025-20700<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\"><strong>Identifier:<\/strong>\u00a0CVE-2025-20700<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Severity Level:<\/strong>\u00a0High<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>CVSS Score:<\/strong>\u00a08.8<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Vulnerability Type:<\/strong>\u00a0EoP<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Description:<\/strong>\u00a0This vulnerability allows remote privilege escalation without requiring additional execution privileges. User interaction is not necessary for this vulnerability.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>CVE-2025-20701<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\"><strong>Identifier:<\/strong>\u00a0CVE-2025-20701<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Severity Level:<\/strong>\u00a0High<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>CVSS Score:<\/strong>\u00a08.8<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Vulnerability Type:<\/strong>\u00a0EoP<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Description:<\/strong>\u00a0This vulnerability allows bypassing permissions and accessing critical data of the RACE protocol through the Bluetooth LE GATT service.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>CVE-2025-20702<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\"><strong>Identifier:<\/strong>\u00a0CVE-2025-20702<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Severity Level:<\/strong>\u00a0Critical<\/span><\/li>\n<li><span 
style=\"font-size: 12pt\"><strong>CVSS Score:<\/strong>\u00a09.6<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Vulnerability Type:<\/strong>\u00a0EoP<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Description:<\/strong>\u00a0This vulnerability allows bypassing permissions and accessing critical data of the RACE protocol through the Bluetooth LE GATT service.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2 id=\"heading-initial-definition\"><span style=\"font-size: 12pt\"><strong>Initial Definitions<\/strong><\/span><\/h2>\n<h3 id=\"heading-bluetooth-le-gatt\"><span style=\"font-size: 12pt\"><strong>What is Bluetooth LE GATT?<\/strong><\/span><\/h3>\n<p><span style=\"font-size: 12pt\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh1-1768547265.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23534\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh1-1768547265.jpg\" alt=\"Anh1 1768547265\" width=\"1200\" height=\"1569\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh1-1768547265.jpg 1200w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh1-1768547265-700x915.jpg 700w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-size: 12pt\">As mentioned above, this chain of vulnerabilities is related to\u00a0<strong>Bluetooth LE GATT (Generic Attribute Profile) and the RACE protocol<\/strong>. Before diving into the details of the vulnerabilities, let&#8217;s go through a few definitions first.<\/span><\/p>\n<p><span style=\"font-size: 12pt\"><strong>Bluetooth LE GATT (Generic Attribute Profile)<\/strong>\u00a0is a\u00a0<strong>data communication model<\/strong>\u00a0used in\u00a0<strong>Bluetooth Low Energy (BLE)<\/strong>, allowing Bluetooth devices to\u00a0<strong>exchange data in a standardized, lightweight, and energy-efficient manner<\/strong>. 
Simply put,\u00a0<strong>GATT defines how a device reads or writes data from another Bluetooth device<\/strong>.<\/span><\/p>\n<p><span style=\"font-size: 12pt\"><strong>GATT<\/strong>\u00a0is organized in a hierarchical data model.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh2-1768547264.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23533\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh2-1768547264.jpg\" alt=\"Anh2 1768547264\" width=\"1200\" height=\"921\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh2-1768547264.jpg 1200w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh2-1768547264-700x537.jpg 700w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/span><\/p>\n<h3 id=\"heading-what-is-the-race-protocol\"><span style=\"font-size: 12pt\"><strong>What is the RACE Protocol?<\/strong><\/span><\/h3>\n<p><span style=\"font-size: 12pt\"><strong>RACE (Remote Access Control Engine)<\/strong>\u00a0is a\u00a0<strong>vendor-specific protocol<\/strong>\u00a0designed by\u00a0<strong>Airoha Systems<\/strong>\u00a0and integrated into the\u00a0<strong>Bluetooth chip firmware<\/strong>\u00a0used in headphones, earbuds, and other wireless audio devices. 
In Airoha&#8217;s architecture, RACE functions as the device&#8217;s\u00a0<strong>\u201cmanagement gateway\u201d<\/strong>.<\/span><\/p>\n<p><span style=\"font-size: 12pt\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh3-1768547263.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23532\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh3-1768547263.jpg\" alt=\"Anh3 1768547263\" width=\"1200\" height=\"378\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh3-1768547263.jpg 1200w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh3-1768547263-700x221.jpg 700w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-size: 12pt\">This structural model leaves RACE with several serious security issues:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt\">RACE is exposed externally<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Lack of authentication and authorization<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Excessive access privileges<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh4-1768547258.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23527\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh4-1768547258.jpg\" alt=\"Anh4 1768547258\" width=\"1000\" height=\"512\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh4-1768547258.jpg 1000w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh4-1768547258-700x358.jpg 700w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-size: 12pt\">During the analysis, the researchers identified four RACE commands that an attacker could abuse:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt\"><strong>Get Build Version (0x1E08):<\/strong>\u00a0This command returns the SoC model as well as the SDK\/firmware version, which inadvertently allows precise device fingerprinting:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">The exact chip line.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">The (possibly vulnerable) SDK version.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">The build time, from which the patch level can be inferred.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Read Flash (0x0403):<\/strong>\u00a0This command reads data directly from flash memory, addressed by storage area, page number, and memory address. It leaks the proprietary firmware and lets an attacker extract Bluetooth keys, pairing data, or even the device&#8217;s internal logic.<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Read\/Write RAM (0x1680 \/ 0x1681):<\/strong>\u00a0These commands give access to the entire RAM space. RAM holds the runtime state, controls the execution flow, and interacts directly with hardware, so with access to it an attacker can manipulate the device&#8217;s state or simply bypass protection logic.<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>Get BD_ADDR (0x0CD5):<\/strong>\u00a0Returns the device&#8217;s\u00a0<strong>Bluetooth Classic public address (MAC)<\/strong>, which undermines higher-level address randomization measures and enables passive tracking in public spaces.<\/span><\/li>\n<\/ul>\n<h3 id=\"heading-what-is-ble\"><span style=\"font-size: 12pt\"><strong>What is BLE?<\/strong><\/span><\/h3>\n<p><span style=\"font-size: 12pt\"><strong>Bluetooth Low Energy (BLE)<\/strong>, also known as\u00a0<strong>Bluetooth Smart<\/strong>, was introduced with Bluetooth 4.0.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh5-1768547262.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23531\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh5-1768547262.jpg\" alt=\"Anh5 1768547262\" width=\"1200\" height=\"722\" 
srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh5-1768547262.jpg 1200w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh5-1768547262-700x421.jpg 700w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/p>\n<p><span style=\"font-size: 12pt\">The main goals of BLE:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt\">Maximize battery life<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Support small devices and IoT<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Intermittent communication, with no need for a continuous connection<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt\">BLE operates on a client&#8211;server model:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt\"><strong>GATT Server<\/strong>: BLE devices (e.g., headphones, smartwatches)<\/span><\/li>\n<li><span style=\"font-size: 12pt\"><strong>GATT Client<\/strong>: Phones, computers<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-attack-process\"><span style=\"font-size: 12pt\"><strong>Attack Process<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh6-1768547261.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23530\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh6-1768547261.jpg\" alt=\"Anh6 1768547261\" width=\"1200\" height=\"783\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh6-1768547261.jpg 1200w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh6-1768547261-700x457.jpg 700w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-size: 12pt\">First, to exploit a pair of headphones, the attacker needs to connect to them. To do this, the attacker uses\u00a0<strong>CVE-2025-20700<\/strong>\u00a0for initial discovery and connection. As mentioned earlier, these headphones often advertise their presence via BLE. 
Anyone within range (roughly 10 m to 30 m) can scan for BLE devices, connect to them, and use the appropriate GATT service to speak the RACE protocol. Here&#8217;s the key point:\u00a0<strong>no user consent<\/strong>\u00a0or button press is needed to connect, something that Bluetooth was originally designed to require.<\/span><\/p>\n<p><span style=\"font-size: 12pt\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh7-1768547261.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23529\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh7-1768547261.jpg\" alt=\"Anh7 1768547261\" width=\"1200\" height=\"503\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh7-1768547261.jpg 1200w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh7-1768547261-700x293.jpg 700w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-size: 12pt\">Once connected, the attacker enumerates the GATT services, finds the open RACE service, and accesses it. On Bluetooth Classic, the attacker uses RFCOMM to open an equivalent channel. Neither path requires authentication. Since RACE is designed\u00a0<em>for debugging and flashing firmware<\/em>, it has very high privileges on the device.<\/span><\/p>\n<p><span style=\"font-size: 12pt\">At this stage the attacker exploits\u00a0<strong>CVE-2025-20701<\/strong>\u00a0to add a\u00a0<strong>Bluetooth Classic<\/strong>\u00a0channel, which:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt\">Carries larger amounts of data<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Is more stable than BLE<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Allows deeper interaction with the firmware<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh8-1768547260.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23528\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh8-1768547260.jpg\" alt=\"Anh8 1768547260\" width=\"1200\" height=\"1064\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh8-1768547260.jpg 1200w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/01\/anh8-1768547260-700x621.jpg 700w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-size: 12pt\">After gaining access to the target device, the attacker attempts to take control using\u00a0<strong>CVE-2025-20702<\/strong>, the highest-scoring CVE in this attack chain and the attackers&#8217; ultimate goal. By controlling RACE, the attacker can easily:<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt\">Read RAM contents<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Read flash contents<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Dump the firmware for analysis<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 12pt\">With these actions, the attacker can control your headphones and may use the\u00a0<em>Bluetooth Hands-Free Profile (HFP)<\/em>\u00a0to\u00a0<strong>make\/receive calls<\/strong>\u00a0through the headphones. 
This could lead to\u00a0<strong>eavesdropping on the microphone or making arbitrary calls<\/strong>\u00a0by exploiting the link keys obtained.<\/span><\/p>\n<p><span style=\"font-size: 12pt\">Another noteworthy point is that having\u00a0<strong>link keys<\/strong>\u00a0makes it easy to impersonate the legitimate device to steal data.<\/span><\/p>\n<h2 id=\"heading-conclusion\"><span style=\"font-size: 12pt\"><strong>Conclusion<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt\">The Bluetooth Low Energy vulnerability chain analyzed in this article reveals a concerning reality:\u00a0<strong>devices that seem &#8220;simple&#8221; like wireless headphones actually have a much deeper and more complex attack surface than commonly perceived<\/strong>. Exposing BLE services and internal control protocols without proper authentication, authorization, and access control mechanisms has inadvertently turned headphones into a\u00a0<strong>remote firmware access point<\/strong>.<\/span><\/p>\n<p><span style=\"font-size: 12pt\">From a broader perspective, this research serves as a warning to the entire IoT ecosystem:\u00a0<strong>every debug interface, proprietary protocol, and internal function should be considered a potential attack surface<\/strong>. 
Only when security is integrated from the design stage\u2014rather than through reactive patching\u2014will smart devices truly be safe in an increasingly complex wireless environment.<\/span><\/p>\n<h2 id=\"heading-recommendations\"><span style=\"font-size: 12pt\"><strong>Recommendations<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-size: 12pt\"><strong>Update headphone firmware as soon as possible<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Check and update firmware through the manufacturer&#8217;s\u00a0<strong>official app<\/strong>\u00a0(Sony Headphones Connect, Bose Music, JBL Headphones, etc.).<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Prioritize updates as soon as the manufacturer releases a security patch related to Bluetooth.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Avoid firmware from outdated or unknown sources.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">For Sony devices<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\"><a href=\"https:\/\/www.sony.com\/electronics\/support\/software\/00355433?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener ugc nofollow\">Firmware Update to Version 3.0.0 | Sony USA<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\">For Bose devices<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\"><a href=\"https:\/\/btu.bose.com\/startConnecting?l=en\" target=\"_blank\" rel=\"noopener ugc nofollow\">Bose Software Updater<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\">For JBL devices<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Android:\u00a0<a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.jbl.tune.update&amp;pli=1\" target=\"_blank\" rel=\"noopener ugc nofollow\">JBL Firmware Update: On Tune21 &#8211; Apps on Google Play<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt\">iOS:\u00a0<a href=\"https:\/\/apps.apple.com\/gb\/app\/jbl-firmware-update\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">App Store<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt\"><a href=\"https:\/\/support.jbl.com\/howto\/tune-series-125bt-215bt-firmware-app-info-us\/000018446.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener ugc nofollow\">Firmware Information &#8211; JBL Firmware Update App<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\">For Jabra devices<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\"><a href=\"https:\/\/www.jabra.com\/supportpages\/jabra-sound-plus-app\/14501-13\/faq\/how-do-i-update-the-firmware-on-my-jabra-device-using-jabra-soundplus?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener ugc nofollow\">How do I update the firmware on my Jabra device using Jabra Sound+? | Jabra Sound+ | FAQ<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Turn off Bluetooth when not in use<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Do not leave Bluetooth enabled on your phone or laptop when it&#8217;s not needed.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Pay special attention when at:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Coffee shops<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Airports<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Conferences or crowded events<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Work offices<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Remove unused paired devices<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Delete old headphones and Bluetooth devices from the &#8220;Paired devices&#8221; list.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">This helps to:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Reduce the risk of the\u00a0<strong>Bluetooth Link Key<\/strong>\u00a0being exploited.<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Make it harder for attackers to impersonate legitimate 
devices.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Limit the use of Bluetooth headphones in sensitive environments<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Do not use Bluetooth headphones when:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">In internal meetings<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Discussing sensitive information<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Working with important data<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\">Prefer:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Wired headphones<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Or devices that have confirmed security patches<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\"><strong>Enhance security for paired devices<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Enable a strong screen lock (long PIN, biometrics).<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Limit permissions for:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt\">Virtual assistants<\/span><\/li>\n<li><span style=\"font-size: 12pt\">Calling\/messaging features via Bluetooth when the screen is locked.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt\">Regularly update the phone&#8217;s operating system.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2 id=\"heading-reference\"><span style=\"font-size: 12pt\"><strong>Reference<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-size: 12pt\"><a href=\"https:\/\/cybersecuritynews.com\/bluetooth-headphones-vulnerabilities\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">New Vulnerabilities in Bluetooth Headphones Let Hackers Hijack Connected Smartphone<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt\"><a href=\"https:\/\/www.makeuseof.com\/bluetooth-flaw-turns-popular-headphones-into-eavesdropping-devices\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener ugc 
nofollow\">This Bluetooth Flaw Turns Popular Headphones Into Eavesdropping Devices<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt\"><a href=\"https:\/\/insinuator.net\/2025\/12\/bluetooth-headphone-jacking-full-disclosure-of-airoha-race-vulnerabilities\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Bluetooth Headphone Jacking: Full Disclosure of Airoha RACE Vulnerabilities \u2013<\/a>\u00a0<a href=\"http:\/\/insinuator.net\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Insinuator.net<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt\"><a href=\"https:\/\/www.airoha.com\/product-security-bulletin\/2025\" target=\"_blank\" rel=\"noopener ugc nofollow\">Product Security Bulletin 2025 | Airoha Technology<\/a><\/span><\/li>\n<\/ol>\n<\/div>\n<div class=\"-mt-5 mb-10\">\n<table style=\"width: 943px;height: 93px\">\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><b>Exclusive article by FPT IS Technology Experts<\/b><\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><i><span style=\"font-weight: 400\">Luu Tuan Anh \u2013 FPT IS Cyber Security 
Center<\/span><\/i><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"author":21,"featured_media":23536,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23526","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23536"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23526"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=23526"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23526"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23526"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23526"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23526"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23526"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}