Vulnerabilities affecting a Bluetooth chipset present in more than two dozen audio devices from ten vendors can be exploited for eavesdropping or stealing sensitive information. Researchers confirmed that 29 devices from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, JLab, EarisMax, MoerLabs, and Teufel are affected. The security problems could be leveraged to take over a vulnerable product, and on some phones an attacker within connection range may be able to extract call history and contacts.

At the TROOPERS security conference in Germany, researchers at cybersecurity company ERNW disclosed three vulnerabilities in the Airoha systems on a chip (SoCs), which are widely used in True Wireless Stereo (TWS) earbuds. ERNW researchers say they created proof-of-concept exploit code that allowed them to read the currently playing media from the targeted headphones. While such an attack may not present a great risk, other scenarios leveraging the three bugs could let a threat actor hijack the connection between the mobile phone and an audio Bluetooth device and use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone. The researchers were able to trigger a call to an arbitrary number by extracting the Bluetooth link keys from a vulnerable device's memory. Furthermore, the vulnerable device's firmware could potentially be rewritten to enable remote code execution, thereby facilitating the deployment of a wormable exploit capable of propagating across multiple devices.

Although the ERNW researchers present serious attack scenarios, practical implementation at scale is constrained by certain limitations. Nevertheless, German publication Heise says that the most recent firmware updates for more than half of the affected devices are from May 27 or earlier, which is before Airoha delivered the updated SDK to its customers.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 29 Jun 2025 16:10:18 +0000