You might be spied on through your bluetooth audio devices, CERT-In warns

CERT-In warns that Airoha-powered Bluetooth earbuds and speakers can be hacked to spy on users, steal call data, and hijack conversations

The Indian Computer Emergency Response Team (CERT-In) has issued a high-severity warning for Bluetooth TWS earbuds, speakers, and headphone users. In a recent alert, CERT-In said that Bluetooth audio devices powered by Airoha systems-on-chip (SoCs) are exposed to the risk of getting hacked and being turned into spying devices. As per the CERT-In advisory, by exploiting this vulnerability, attackers can hijack calls, spy on conversations happening nearby bluetooth devices, steal call history and contacts, and might also be able to completely take over the affected device. 

 

For the unaware, Airoha is a major supplier of Bluetooth audio chipsets (SoCs), widely used in True Wireless Stereo (TWS) earbuds and other audio devices by leading brands including Sony and JBL.

Vulnerable devices

Researchers from German cybersecurity firm ERNW have identified three critical vulnerabilities in Airoha chipsets. Their findings reveal that 29 audio products across 10 brands, including Bose, Sony, JBL, Jabra, Marshall, Beyerdynamic, JLab, EarisMax, MoerLabs, and Teufel, are impacted. The affected devices range from wireless headphones and earbuds to microphones and speakers.

As per the German cybersecurity firm, these devices were confirmed to be vulnerable: 

• Beyerdynamic Amiron 300
• Bose QuietComfort Earbuds
• EarisMax Bluetooth Auracast Sender
• Jabra Elite 8 Active
• JBL Endurance Race 2
• JBL Live Buds 3
• Jlab Epic Air Sport ANC
• Marshall ACTON III
• Marshall MAJOR V
• Marshall MINOR IV
• Marshall MOTIF II
• Marshall STANMORE III
• Marshall WOBURN III
• MoerLabs EchoBeatz
• Sony CH-720N
• Sony Link Buds S
• Sony ULT Wear
• Sony WF-1000XM3
• Sony WF-1000XM4
• Sony WF-1000XM5
• Sony WF-C500
• Sony WF-C510-GFP
• Sony WH-1000XM4
• Sony WH-1000XM5
• Sony WH-1000XM6
• Sony WH-CH520
• Sony WH-XB910N
• Sony WI-C100
• Teufel Tatws2

What risk does the vulnerability pose and what’s the solution

As per CERT-In, multiple vulnerabilities have been reported in Airoha bluetooth firmware, which could allow an attacker within Bluetooth range to read or write device RAM/flash, invoke hands-free profile (HFP) commands on a paired phone, eavesdrop on microphone audio, steal call history and contacts, and potentially deploy wormable firmware. 

 

Airoha has supplied an SDK update containing firmware fixes to all device manufacturers on June 4, CERT-In said. Each company is expected to release product specific firmware updates in their due time. Consumers can keep checking for the updates and install it as soon as it gets released to safeguard themselves against this vulnerability.

 

In related news, earlier in June, CERT-In issued a security advisory for Google Chrome users on Windows, macOS, Linux, and older Android versions. According to the alert, vulnerabilities in these platforms could be exploited by attackers to gain unauthorised access to sensitive data, escalate privileges, or trigger denial-of-service attacks. The warning applies to all smartphones running the affected Android versions, regardless of the manufacturer. Users can safeguard themselves by updating Google Chrome to the latest version immediately.