1. If the BT radio is powered, it is possible to find and identify it even with its beacon turned off.
2. With the advent of BLE there is no doubt about #1.
3. Both BT and cellular chipsets contain dozens of undocumented vendor-specific and ubiquitous-but-underdocumented modem commands.
You can STILL use Bluetooth pairing spam to force an adversary to either be DDoSed by pairing requests or approve pairing. Then use voice-activation hooks to open voice typing and take a transcribed stream from an ostensible keyboard input.
willnix•2h ago
The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).