Critical Airoha Bluetooth Flaws Turn Earbuds into Spy Devices Despite Patches

A new set of vulnerabilities in widely-used Airoha Bluetooth chips has exposed millions of wireless earbuds and headphones to potential eavesdropping attacks, with researchers warning that complete mitigation remains challenging even after patches are applied. The flaws, discovered by a team of security researchers, affect the audio streaming protocols in chips used by several major audio equipment manufacturers.

The vulnerabilities allow attackers within Bluetooth range (typically 10-30 meters) to hijack the device's microphone functionality and silently intercept audio streams. What makes these flaws particularly concerning is their persistence - while manufacturers have released firmware updates, researchers found that many devices remain vulnerable due to incomplete patch implementations and the complex nature of Bluetooth protocol stacks.

Technical analysis reveals three primary attack vectors:

The attack requires no physical access to the target device and leaves minimal forensic traces. Researchers demonstrated that an attacker could capture sensitive conversations, authentication credentials spoken to voice assistants, or other private audio data.

This discovery follows similar Bluetooth-related vulnerabilities in other IoT devices, including recent demonstrations of vehicle system compromises through Bluetooth interfaces. The pattern highlights systemic challenges in securing wireless audio protocols against increasingly sophisticated attacks.

Security professionals should note that while consumer risk depends on proximity to potential attackers, the corporate implications are significant. Many employees use wireless earbuds in office environments where sensitive discussions occur, creating potential enterprise security exposures.

Manufacturers are advising users to apply available firmware updates, disable Bluetooth when not in use, and monitor device behavior for signs of unauthorized access. However, researchers emphasize that complete protection may require hardware revisions in some cases, suggesting this vulnerability class could persist in certain devices for their entire operational lifespan.