Earbuds from JBL, Sony, and Others Can Spy on You

Key Takeaways

1. Critical vulnerabilities exist in Bluetooth audio chips from Airoha, affecting various well-known brands like Sony and Bose.
2. An unsecured custom protocol allows nearby attackers to access devices without pairing or authentication, enabling full control.
3. Demonstrated proof-of-concept attacks show that attackers can hijack connections between headphones and smartphones.
4. Immediate risk to average consumers is low, but high-profile individuals may be significantly endangered.
5. Airoha has released a patched SDK, but it is up to individual brands to implement and distribute firmware updates for affected products.


A report released on June 26 by the German security company ERNW highlights critical vulnerabilities in widely used Bluetooth audio chips from the Taiwanese supplier Airoha. These issues affect a wide array of products, ranging from high-end noise-canceling headphones like the Sony WH-1000XM series and Bose QuietComfort Earbuds to offerings from Jabra, Beyerdynamic, and JBL.

Major Security Concerns

The primary problem stems from an unsecured custom protocol. An attacker positioned within Bluetooth range—approximately 10 meters—can exploit this protocol without needing to pair with the targeted device or having any prior authentication. This access allows them to read and write to the device’s memory and flash storage, effectively seizing complete control.

Proof-of-Concept Attacks

In a demonstration, researchers revealed several concerning attack scenarios. The most severe one involves taking over the trusted connection between headphones and a smartphone. By extracting Bluetooth link keys from the headphones, an attacker can mimic the headset to the phone and then use the Hands-Free Profile (HFP) to manipulate the phone.

Although ERNW believes that all devices using the affected Airoha chips are at risk, it has only tested and confirmed this on a select group of devices. Below is the full list of verified devices:

The researchers emphasize that, for the average consumer, the immediate risk is minimal. Carrying out such an attack demands substantial technical expertise and close physical proximity to the target. Nonetheless, they caution that this poses a significant threat to high-profile individuals such as journalists, diplomats, and corporate leaders.

Manufacturer Response

Airoha released a patched software development kit (SDK) to manufacturers in the first week of June. However, it is now the responsibility of individual brands like Sony and Bose to create and distribute firmware updates for each affected product.

It is nearly impossible for ERNW to examine every suspected device, so individuals must take it upon themselves to research the products they own. The Samsung Galaxy Buds 3 Pro (currently priced at $189.99 on Amazon) is one example of earbuds that remain unaffected.
