Bluetooth headphones can be used to hack a smartphone

Ирина Орлонская Exclusive

It turns out that this protocol remains active in production headphones and does not require authentication. This means that an attacker within Bluetooth range can connect to the headphones without attracting the owner's attention. With access to RACE, the attacker gains extended control over the device.

In their findings, the researchers noted that they were able not only to read and modify data in the headphones' memory but also to obtain information about the content being played. However, the most concerning issue is the lack of a reliable pairing process, which allows an attacker to access the headphones' microphone and eavesdrop covertly. The most dangerous threat identified in the report is called "Headphone Jacking." This exploit allows the extraction of the Bluetooth Link Key, a cryptographic key used to secure the connection to a smartphone. With this key, an attacker can impersonate the original headphones and connect to the victim's phone.

Thus, the issue is no longer just the security of the accessory but also the risk to the smartphone. Once access is gained, the attacker can activate the voice assistant, send messages, answer calls, or intercept audio streams without the owner's knowledge. As a result, the phone becomes a surveillance tool. The vulnerabilities have been registered under the identifiers CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702. The researchers confirmed the presence of these vulnerabilities in several popular models, including the flagship Sony WH-1000XM5 and headphones from JBL and Marshall.

However, the complete list of affected devices is not yet known, as Airoha chips are used very widely, and the Bluetooth device ecosystem remains fragmented.