Eargapping: A Key to Your Phone (39c3)
In their 39c3 talk, Dennis Heinze and Frieder Steinmetz examine Airoha Bluetooth system-on-chip designs that power many headphones and TWS earbuds. They report three vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) and show that, under the right conditions, these flaws lead to full compromise of a headset. The larger point is that a phone's Bluetooth security is only as strong as the peripherals it has chosen to trust.
Watch the talk
The core technical issue
A central finding concerns Airoha's proprietary "RACE" protocol. Although it appears to be intended for diagnostics and engineering control, it exposes unusually powerful primitives, including read and write access to both RAM and flash. Arbitrary writes to flash make persistent firmware modification possible, and writes to RAM allow runtime patching of the code that is already executing; together they turn a headset into a reprogrammable embedded system rather than a passive accessory. The severity hinges on who can reach this protocol: a debugging interface that is only available over a wired engineering connection is a very different risk from one that is reachable over the air, and the talk's point is that on these chips it is the latter.
Why it matters to phones
Bluetooth relies on trust between phones and paired peripherals, and that trust is anchored in the link key: the long-term secret both sides derive during pairing and store afterwards. Whoever holds a headset's link key can authenticate to the phone as that headset without any further user interaction. If a headset is compromised, that trust can be abused. The talk discusses how attackers could extract Bluetooth link keys from a headset to impersonate it, or use the headset itself as a foothold to probe or manipulate the paired handset over the profiles it already has access to. In short, a hacked peripheral becomes a pivot point into a phone.
Disclosure and patching
The Bluetooth accessory ecosystem is fragmented. Many brands rely on the same chipsets and reference designs, so a single chipset flaw propagates to many products under different names, yet each brand must ship its own firmware update, and often has no mechanism to tell users that one exists. The presenters highlight uneven patching and communication, and argue for clearer user guidance on updates and on how to tell whether a given device is affected or fixed.
Third-party summary of possible abuses (paraphrased from the linked quote)
- connect to headphones over this protocol without pairing
- read “now playing” metadata
- tap the audio stream and eavesdrop
- read the phone number of the paired phone
- brick the headphones
- extract the pairing key and impersonate the headset
If an attacker can impersonate a trusted headset, the downstream abuse could include:
- issuing voice assistant commands remotely
- placing and controlling calls while the phone stays in a pocket
- eavesdropping via the phone's own microphone, by placing a call from the impersonated headset and then dropping the Bluetooth audio link so the phone falls back to its built-in microphone
- taking over WhatsApp by intercepting a phone-call verification code
- taking over Amazon accounts that rely on phone-number login and WhatsApp codes
All of these require the attacker to first obtain the link key and then stay within Bluetooth range of the phone; the account-takeover cases additionally depend on the targeted service accepting a voice call to the phone number as its verification channel.