Bluetooth flaw exposes millions of premium headphones to spying

Bluetooth headphones are supposed to make life easier. You put them on, press play and forget they exist. But researchers have found that some of the most popular audio products on the market might be doing more than streaming your playlist. 

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide -c free when you join my CYBERGUY.COM/NEWSLETTER

To be clear, these are not casual attacks. They require close proximity and technical expertise. But when successful, the results are concerning. Researchers showed that they could extract call logs, contact lists and media being played. They could even force a phone to place a call without the user's knowledge. Once connected, they could listen in on any sound the phone picked up.

ERNW researchers have identified the following devices as vulnerable:

Keep in mind that this list may not include every product affected by these vulnerabilities. As more research emerges, the list could change. Furthermore, not every device faces all the same risks. For instance, at least one manufacturer seems to have already addressed CVE-2025-20700 and CVE-2025-20701. However, we do not know if this fix was intentional or accidental.

Because of these factors, getting a complete and accurate picture of which devices are truly secure remains a challenge. As a consumer, you should stay alert for updates and check with your device's manufacturer for the latest information.

Airoha has addressed the vulnerabilities in its software development kit (SDK) and released an updated version to device manufacturers in early June. These manufacturers are now responsible for building and distributing firmware updates to affected products. If you haven't seen an update yet, it should be arriving soon, though some may already be available.

However, there's a catch. According to a report by German outlet Heise, many of the most recent firmware updates for affected devices were released before Airoha provided its official fix. This means some products may still be running vulnerable code, despite appearing up to date.

To make matters more complicated, consumers typically aren't notified directly about these updates. Firmware patches for headphones and similar devices often install silently, or in some cases, may not be delivered at all. As a result, most users have no way of knowing whether their devices are secure or still exposed to risk.

We reached out to all 10 companies for a comment, but did not hear back before our deadline.

1. Regularly check for firmware updates: Visit the manufacturer's app or website to manually check for firmware updates, even if you haven't received a notification. Automatic updates aren't always reliable, especially for headphones and earbuds.

2. Turn off Bluetooth when not in use: Disabling Bluetooth when you're not actively using it reduces your exposure window and makes it harder for attackers to target your device.

3. Use devices in low-risk areas: Since these attacks require close proximity, avoid using Bluetooth audio devices in crowded or unfamiliar public places where someone nearby could exploit vulnerabilities.

4. Pair devices with trusted sources only: Avoid pairing your Bluetooth headphones with unfamiliar phones, computers or public terminals. Once paired, those devices can sometimes maintain a connection or reestablish one without your knowledge, increasing the risk of abuse if they're compromised.

5. Remove unused paired devices: Go into your Bluetooth settings and delete old or unfamiliar pairings. This helps prevent unauthorized reconnections from previously trusted devices that may now be compromised.

The real concern here isn't the Bluetooth flaw itself, but what happens when the software inside everyday devices fails quietly. Vulnerabilities like this aren't unusual, but the way they are handled often leaves users in the dark. As long as consumers can't see or control the software running inside their own headphones, problems like this will keep happening.

Should manufacturers be required to notify users directly when security flaws are discovered in their products? Let us know by writing us at Cyberguy.com/Contact

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM/NEWSLETTER 

Copyright 2025 CyberGuy.com.  All rights reserved.