What we have published


ERNW White Paper 74

Bluetooth Headphone Jacking: Airoha RACE Vulnerabilities

This white paper presents the findings and security vulnerabilities that were identified during our research into Airoha-based Bluetooth headphones and earbuds (CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702). Our research identifies implementation flaws that can allow an attacker within Bluetooth range to bypass any authentication or pairing procedures and gain direct access to a device’s internal memory. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s SDK.

The white paper demonstrates that on many of these devices the proprietary RACE protocol is accessible without any authentication or pairing. This lack of authentication provides an unauthenticated attacker within Bluetooth range with powerful capabilities, including:

  • Reading Flash/RAM: dumping firmware, configuration data, and potentially sensitive memory contents.
  • Writing Flash/RAM: gaining arbitrary code execution and effectively taking over the device.
  • Extracting Bluetooth Link Keys from the device’s NVDM partition.
  • Impersonation: using extracted Link Keys to impersonate the headphones to a paired smartphone. This grants the attacker access to the Hands-Free Profile (HFP) to, for example, initiate or accept calls, access contact lists, and trigger voice assistants.