【C:虎 (Tiger)】60 points【Other】【CVE-2025-20702, CVE-2025-20700, CVE-2025-20701】【heise.de】
Unauthenticated vulnerabilities in Bluetooth headphones, mainly models built on Airoha chips. Products from manufacturers popular in Japan are also affected, and the attacks require neither pairing nor an app login.
■Source
https://www.heise.de/en/news/Zero-day-Bluetooth-gap-turns-millions-of-headphones-into-listening-stations-10460704.html
■Summary
The German security company ERNW has disclosed serious zero-day vulnerabilities in TWS headphones and other devices built on Airoha Bluetooth SoCs. Because an attacker can read and manipulate the headphones' memory and take over their connections without any authentication, affected devices can be turned into remote eavesdropping tools and made to leak information. Many headphones common in Japan, including models from Sony and JBL, are affected, but no PoC has been published yet and the attacks are considered hard to carry out in practice.
■Details
The vulnerabilities stem from a proprietary protocol implemented in Airoha's Bluetooth SoCs, which are widely used in TWS earbuds. The protocol is reachable over both BLE (Bluetooth Low Energy) and "classic" Bluetooth (BR/EDR) and allows unauthenticated read and write access to the device's flash and RAM. From there an attacker can interfere with the headphones' connection to the user's smartphone, eavesdrop, and read memory contents such as the media currently being played, call information and contacts.
Concrete attack scenarios include (1) extracting the Bluetooth link key shared between the headphones and the phone and taking over the connection, (2) triggering a call to the attacker and listening in, and (3) turning the headphones' built-in microphone into a bug. The attacker must be within Bluetooth radio range (on the order of a few meters), but no action by the user is required and the attack completes without any authentication. However, RAM addresses differ from device to device and the attack takes several technical steps, so an instantaneous "drive-by" attack is impractical.
Affected devices include some models from major manufacturers popular both worldwide and in Japan, such as Sony, JBL, Bose and Marshall (see the source for the model list). These vendors' products are also deployed in enterprises, so the impact in Japan is expected to be significant. Apple's own AirPods are not affected.
The highest CVSS score is 9.6 (CVE-2025-20702). Although Airoha and the researchers disagree on severity, three CVEs have been assigned (CVE-2025-20702, CVE-2025-20700, CVE-2025-20701).
At present it is unknown whether firmware updates will be provided, and the PoC and attack details are being withheld. Airoha released a fixed SDK on June 4, 2025, but most products have not yet received the fix.
■Assessment
The vulnerabilities are exploitable without authentication and affect major headphones sold in Japan and abroad, so the impact is significant. Points are deducted because the targets are client devices, the attacker must be within Bluetooth radio range rather than reaching the device over the internet, no PoC has been published, and a quick opportunistic attack is difficult. It still stands as one of this year's notable client-side vulnerabilities. Points are added because key manufacturers (Sony, JBL, Bose) are named, because of the domestic impact, the published CVE details, the unauthenticated nature of the attacks, and their applicability to eavesdropping and information leakage. Taking into account that the attack vector is limited to physical proximity rather than an external network (the internet), the score is 60 points (C: Tiger).
■Source
https://www.heise.de/en/news/Zero-day-Bluetooth-gap-turns-millions-of-headphones-into-listening-stations-10460704.html
■Source text
Zero-day: Bluetooth gap turns millions of headphones into listening stations
A serious security vulnerability in many Bluetooth headphones allows
attackers to read data from the devices remotely and take over
connections. This was discovered by researchers from the German
security company ERNW. They presented their discovery at this year's
edition of the TROOPERS security conference. Millions of devices from
various manufacturers are suspected to be affected; updates to resolve
the problem are not yet available. Nevertheless, the researchers are
reassuring: although attacks are possible, the target group for
attacks is limited.
The vulnerabilities are located in Bluetooth SoC (System-on-Chip) from
the Taiwanese manufacturer Airoha, which is particularly popular for
“True Wireless Stereo” (TWS) headphones. Using Airoha chips, small
in-ear headphones can reproduce stereo sound from playback devices
such as smartphones without latency. Well-known manufacturers such as
Sony, JBL, Marshall, and Bose use it in some cases, but also install
Bluetooth technology from other suppliers.
Airoha has given its Bluetooth chips a self-made protocol that enables
manipulation of the working and flash memory of the devices via radio.
The protocol, which is accessible via Bluetooth Low Energy (BLE) as
well as via “classic” Bluetooth (BR/EDR), is presumably intended for
interaction with manufacturer apps, but was also an invitation for
curious security researchers. They were able to remotely take over
headphones from various manufacturers – without logging into an app or
the usual Bluetooth “pairing”. By gaining full access to the earbuds'
flash and RAM, they were also able to take over the connections to
other devices, such as the actual user's smartphone.
Eavesdropping, memory snooping and information leaks
By accessing the working memory of the Bluetooth chip, the researchers
could initially read out which media the user was currently playing,
such as a podcast or a piece of music. However, this attack is
laborious: as the memory addresses differ from device to device, the
researchers could not simply read out data at random in a crowded bus,
but had to adapt their attack. On Android devices, the experts were
also able to read the phone number of the device and incoming calls,
sometimes even the call history and the phone's address book.
The ERNW researchers were able to read out what music is played on
headphones with an Airoha chipset, here a song by Lady Gaga
(Image: ERNW)
The researchers could take over the connection between the phone and
the headphones by copying the cryptographic key of the Bluetooth
connection from the headphones. Then they have many options – they can
initiate or reject calls, launch voice assistants such as Siri and
Gemini, and eavesdrop on the victim using multiple methods. An
eavesdropping attack converts the headphones into bugs: The attackers
impersonate the connected smartphone to the headphones and redirect
the recorded sound from their microphone. However, as many wireless
earbuds only maintain a connection to a single device, this attack is
easy to detect. The victim suddenly stops hearing music or calls on
their headphones and is likely to quickly become suspicious.
The second method simulates a headset on the phone and tricks it into
making a call to the attackers. If the victim is not paying attention
to their smartphone, the Bluetooth spies can now listen in to
everything that happens within earshot of the device.
Even if these attacks seem frightening on paper, the ERNW researchers
are reassuring: many conditions must be met to carry out an
eavesdropping attack. First and foremost, the attacker(s) must be
within range of the Bluetooth short-range radio; an attack via the
Internet is not possible. They must also carry out several technical
steps without attracting attention. And they must have a reason to
eavesdrop on the Bluetooth connection, which, according to the
discoverers, is only conceivable for a few target people. For example,
celebrities, journalists or diplomats, but also political dissidents
and employees in security-critical companies are possible targets.
Severity of the gaps disputed
There is disagreement between the discoverers and manufacturer Airoha
about the severity of the vulnerabilities. While the former assumes
one critical vulnerability (CVE-2025-20702, CVSS 9.6/10) and two
high-risk vulnerabilities (CVE-2025-20700 and CVE-2025-20701, both
CVSS 8.8/10), Airoha disagrees and argues with the complexity of the
attacks and the lack of impact on the connected cell phone in their
opinion.
Airoha has reserved a total of three CVE IDs for the vulnerabilities:
CVE-2025-20702: CVSS 9.6/10 (risk “critical” disputed, see above):
Critical features of the proprietary Airoha protocol
CVE-2025-20700: CVSS 8.8/10 (risk “high”): Missing authentication for
the GATT service
CVE-2025-20701: CVSS 8.8/10 (risk “high”): Missing authentication for
Bluetooth pairing
Affected: Millions of devices from Sony, JBL, and others
It is unclear how many devices worldwide are affected by the
vulnerability. Attackers could potentially turn millions of devices
into bugs or read their memory. As the researchers emphasize in their
blog article, they have only been able to test a small proportion of
all suspected affected Bluetooth headphone models. However, the
following models are vulnerable in any case, although sometimes only
with some attacks against Airoha chips.
Manufacturer  Model
Beyerdynamic  Amiron 300
Bose          Quiet Comfort Earbuds
earisMax      Bluetooth Auracast Sender
Jabra         Elite 8 Active
Xiaomi        Redmi Buds 5 Pro
Jlab          Epic Air Sport ANC
JBL           Live Buds 3, Endurance Race 2
Marshall      Woburn III, Stanmore III, Acton III, Major IV and V, Minor IV, Motiv II
MoerLabs      EchoBeatz
Sony          WH-1000XM{4,5,6}, WF-1000XM{3,4,5}, WH-CH520, WH-CH720N, WH-XB910N, WI-C100, WF-C510-GFP, WF-C500, Link Buds S, ULT Wear
Teufel        Airy TWS 2
The ERNW researchers suspect that over 100 different device types
could be impacted. However, it is not possible for them to make a
comprehensive assessment, as Airoha chips are installed undetected in
many Bluetooth devices. The experts go on to explain that some
manufacturers are not even aware that their devices contain the
Taiwanese manufacturer's chips. They have outsourced some development
to subcontractors. The major manufacturers, Sony, Bose, and JBL have a
combined market share of 20 percent of the 1.4 billion headphones sold
last year, but only a few of their models are vulnerable.
Nevertheless, even if it is only one percent of total sales, this
still amounts to around three million vulnerable devices.
Apple, the top dog among headphone manufacturers with a 22 percent
market share, is not impacted this time (although it had its problems
with its wireless headphones last year). Original AirPods do not
contain Airoha chips, but various replicas from Chinese manufacturers,
which are offered on online marketplaces of varying trustworthiness,
do.
Insufficient response from manufacturers
In their presentation at the TROOPERS security conference, the
discoverers criticized the manufacturer Airoha. Although Airoha
promised on its information page for security researchers to respond
within three to five days and to support PGP-encrypted emails, neither
was the case. Although the security researchers sent detailed
information about the vulnerability to Airoha as early as March 25 of
this year, it took until the end of May — another two months — for the
Taiwanese company to respond. Of the three headphone manufacturers
contacted, only one responded to the security notice. Nevertheless,
one week later, on June 4, 2025, Airoha provided its customers with
updated software development kits (SDK) that corrected the error.
Updates? Unclear
However, it remains unclear whether – and when – Sony, JBL and co.
will fix the vulnerability in firmware updates. During the research
for this article, we checked the headphone models in the overview of
affected devices provided to us by ERNW. We were unable to find any
information on firmware updates for just under half of the devices, as
these are only released to headphone owners via the manufacturer's
app. For all other devices, the latest firmware is dated May 27, 2025,
or older –, i.e., it was released before Airoha updated its SDK. This
means that the bug has probably not yet been fixed on the vast
majority of devices, and is therefore a “zero day”.
The researchers are therefore still holding back on details of the
technical implementation or even a “proof of concept” exploit. These
will follow as soon as manufacturer updates are available, and
headphone owners can protect their devices against Bluetooth attacks.
As a manufacturer's app is usually responsible for a firmware update,
which is rarely or never used in everyday life, it is likely to take a
long time before the bug is fixed. To make matters worse, some device
types may no longer be manufactured and supplied with updates.
(cku)
This article was originally published in German. It was translated
with technical assistance and editorially reviewed before publication.