Full Report
Vulnerabilities affecting a Bluetooth chipset present in more than two dozen audio devices from ten vendors can be exploited for eavesdropping or stealing sensitive information. [...]
Analysis Summary
# Vulnerability: Bluetooth Flaws Allowing Eavesdropping and Potential RCE
## CVE Details
* **CVE ID:** Not explicitly provided in the summary text.
* **CVSS Score:** Not explicitly provided in the summary text. Context implies High severity due to eavesdropping and RCE potential.
* **CWE:** Not specified.
## Affected Systems
* **Products:** Devices whose Bluetooth components are built on the vulnerable Airoha SDK (likely including headphones and related peripherals).
* **Versions:** Devices running firmware built before May 27, the date on which Airoha delivered SDKs incorporating the mitigations.
* **Configurations:** Any Bluetooth-enabled device that integrates the vulnerable Airoha component.
## Vulnerability Description
Security researchers (ERNW) discovered flaws in Bluetooth implementations relying on the Airoha SDK. An attacker within Bluetooth range and with sufficient technical skill could hijack the headphones, impersonate them to the host device (e.g., a smartphone), and subsequently gain access to sensitive information such as call history and contacts. Critically, successful exploitation also allowed the attacker to initiate calls and **eavesdrop on conversations and ambient sound** via the microphone. Furthermore, the vulnerability might allow the device firmware to be rewritten, leading to **Remote Code Execution (RCE)**, which could in turn enable a wormable exploit.
## Exploitation
* **Status:** Proof-of-concept demonstration by the researchers. Not confirmed as exploited in the wild at scale.
* **Complexity:** High (requires technical sophistication and physical proximity).
* **Attack Vector:** Adjacent (the attacker must be within Bluetooth range).
## Impact
* **Confidentiality:** High (Access to contacts, call history, and live eavesdropping possible).
* **Integrity:** High (Potential for firmware rewrite/RCE).
* **Availability:** Low/Medium (Potential for denial of service through firmware manipulation, but primary impact is confidentiality/integrity).
## Remediation
### Patches
* Airoha has released an updated SDK incorporating necessary mitigations.
* Device manufacturers have started patch development and distribution based on the updated SDK. **Users should check for firmware updates specific to their device model.**
### Workarounds
* No universally applicable software workaround is described beyond applying vendor patches. The proximity and skill requirements limit large-scale risk, but patching remains essential for high-value targets.
## Detection
* **Indicators of Compromise:** Unexpected outbound calls from the paired device, unexplained access to contact lists, or unusual microphone activity reported by system logs (where such logs are available).
* **Detection Methods and Tools:** Standard network monitoring tools are unlikely to observe these localized Bluetooth manipulation attempts, since the traffic never crosses the monitored network. Keeping vendor firmware up to date is the primary defense.
## References
* Vendor advisories regarding Airoha SDK updates.
* Heise article (defanged): hxxps://www[.]heise[.]de/en/news/Zero-day-Bluetooth-gap-turns-millions-of-headphones-into-listening-stations-10460704.html