A report published on June 26 by German security firm Ernw details serious flaws in popular Bluetooth audio chips made by Taiwanese supplier Airoha. The vulnerabilities affect a massive range of products, from flagship noise-canceling headphones like the Sony WH-1000XM series and Bose QuietComfort Earbuds, to devices from Jabra, Beyerdynamic, and JBL.
The core issue lies in an unsecured custom protocol. An attacker within Bluetooth range — roughly 10 meters — can access this protocol without needing to pair with an affected device or have any prior authentication. This gives them the ability to read from and write to the device's memory and flash storage, effectively gaining complete control.
In a proof-of-concept, researchers demonstrated several alarming attack scenarios. The most severe involves hijacking the trusted connection between the headphones and a smartphone. By extracting the Bluetooth link keys from the headphones, an attacker can impersonate the headset to the phone, then use the Hands-Free Profile (HFP) to control the phone.
While Ernw suspects all devices using affected Airoha chips are vulnerable, it tested and confirmed its suspicions only on select devices. Here is the complete list of verified devices:
- Beyerdynamic Amiron 300
- Bose QuietComfort Earbuds
- EarisMax Bluetooth Auracast Sender
- Jabra Elite 8 Active
- JBL Endurance Race 2
- JBL Live Buds 3
- Jlab Epic Air Sport ANC
- Marshall Action III
- Marshall Major V
- Marshall Minor IV
- Marshall Motif II
- Marshall Stanmore III
- Marshall Woburn III
- MoerLabs EchoBeatz
- Sony CH-720N
- Sony Link Buds S
- Sony ULT Wear
- Sony WF-1000XM3
- Sony WF-1000XM4
- Sony WF-1000XM5
- Sony WF-C500
- Sony WF-C510-GFP
- Sony WH-1000XM4
- Sony WH-1000XM5
- Sony WH-1000XM6
- Sony WH-CH520
- Sony WH-XB910N
- Sony WI-C100
- Teufel Tatws2
The researchers stress that for the average consumer, the risk is currently low. Executing such an attack requires significant technical skill and close physical proximity to the target. However, they warn it's a serious threat for high-value targets like journalists, diplomats, or corporate executives.
Airoha provided a patched software development kit (SDK) to manufacturers in the first week of June. However, it is now up to individual brands like Sony and Bose to build and distribute firmware updates for each affected product.
NB: It is hardly practical for Ernw to test all suspected devices, so it is largely up to individuals to do their own research on the devices they own. The Samsung Galaxy Buds 3 Pro (curr. $189.99 on Amazon) is one of the earbuds that are not impacted.