Glad this submission is finally receiving upvotes.
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
Haven't watched the video yet, but I think this capability was leaked by VP Kamala Harris during her recent interview with the Late Night Show [0]. She stated she doesn't use wireless headphones because she's been in security meetings and knows they're not safe.
You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies
I think many people would be justified in making the argument that bluetooth has existed for at least 20 years and thus is the established battle tested protocol.
Yeah, but Bluetooth spec changed a lot over the years (3000+ pages) and the certification price is rather expensive.
There's an interesting article from Wired [1] about this, although some interesting comments from the engineers working on BT stacks are far more interesting. It seems like most of the manufacturers do not create spec-compliant devices, and that the tests from the certification are just poor.
I'd love to hear more from an expert on the topic, but this looks to be the consensus.
What she says isn't necessary untrue, now is it? She just skips a lot of steps most people have no clue about.
I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.
I don't have time right now to watch the video and will be coming back to do so later, but here's a couple of snippets from the text on that page that made me want to bother watching (either they're overhyping it, or it sounds interesting and significant)
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
Most audiophiles ignore bluetooth headphones due to sound quality + latency, so we (audiophiles) stick to wired at home and we also have dedicated headphone amps since the pissy sound card D/A convertors are incredibly bad. Bluetooth only when I’m doing yard work. Sadly, modern music is tuned to crappy headphones, crappy car systems, crappy speakers … I miss the 80’s audiophile obsession, the equipment had heart, and mixing and mastering was generations ahead of current (mainstream) music production.
Ah yes, the removal of headphone jacks, the gift that keeps on giving
Funny that there were always some people here pushing bt audio as "the future", whom I can only assume were the technically shallow but very opinionated people that would die on the smallest technical hills
I'd assume that most people wouldn't want to get back to wired headphones.
Transition period was definitely rough, but nowadays bluetooth headphones are substantially better than they were in the past, and it's quite freeing to not have to deal with wires.
There are definitely benefits to wired headphones, such as better audio quality and no battery life to worry about, but for those cases there are USB-C DACs.
A couple days ago there was a bit of a conversation about this, you might find it interesting. It seems this feeling (to the point of calling it an "epidemic"!) might be caused by the known bias of thinking that earlier times were better:
LOL.
People not using headphones in public are narcissistic a-holes, but they’ve been doing it since *long* before headphone jacks went missing from smartphones.
This is not a Bluetooth issue. The chip manufacturer Airoha just felt it acceptable to ship a wireless debug interface that allows reading the SoC memory with no authentication whatsoever, enabled in retail customer builds. They are just not a serious company (which is why their security email didn't work, either).
You can't read English like if it was a declarative logical language. It is obviously an hyperbole to say "everyone". It means "a lot of people". So why they didn't say "a lot of people"? Language uses hyperboles to make a point stronger.
Sometimes plugging a cord is a minor inconvenience.
But sometimes it's a large inconvenience
Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
RACE Reverse Engineered - CLI Tool: https://github.com/auracast-research/race-toolkit
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
Speaking for myself, I have very little patience for technical videos, so I don't believe I've ever upvoted a YouTube submission.
One second thought I think this is called a transcript...
---
Edit: Auto-Transcript! (No timestamps, sorry)
https://jsbin.com/jiqihuveci/edit?html,output
[0] https://youtu.be/BD8Nf09z_38 (Timestamp 18:40)
Out of all the people I would trust on the matter, Kamala Harris doesn't certainly end up at the top of my list, for reasons such as this one: https://youtu.be/O2SLyBL2kdM?si=Zq-EN8zxj4Y_UCwI
You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies
There's an interesting article from Wired [1] about this, although some interesting comments from the engineers working on BT stacks are far more interesting. It seems like most of the manufacturers do not create spec-compliant devices, and that the tests from the certification are just poor.
I'd love to hear more from an expert on the topic, but this looks to be the consensus.
[1]: https://archive.ph/6201V
I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
Funny that there were always some people here pushing bt audio as "the future", whom I can only assume were the technically shallow but very opinionated people that would die on the smallest technical hills
Transition period was definitely rough, but nowadays bluetooth headphones are substantially better than they were in the past, and it's quite freeing to not have to deal with wires.
There are definitely benefits to wired headphones, such as better audio quality and no battery life to worry about, but for those cases there are USB-C DACs.
I switched to USB-C soundcard cables which are dirt cheap and survive much much more plug-unplug-cycles. They easily can be replaced.
https://news.ycombinator.com/item?id=46424228
So who is everyone, in your meaning?
https://news.ycombinator.com/item?id=25950845
https://news.ycombinator.com/item?id=45798439
https://news.ycombinator.com/item?id=34667522
https://news.ycombinator.com/item?id=43144607
But sometimes it's a large inconvenience
Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)