This article details security vulnerabilities in Airoha-based Bluetooth headphones that allow attackers to connect without authentication. It discusses three specific CVEs and their implications, including the potential for eavesdropping through compromised devices. Technical details and a verification tool are also provided for further research.

Vulnerabilities in a Bluetooth chipset used in 29 audio devices from various vendors can be exploited for eavesdropping and information theft. Researchers disclosed three flaws that allow attackers to hijack connections, initiate calls, and potentially access call history and contacts, although attacks require technical expertise and close physical proximity. Device manufacturers are working on patches, but many affected devices have not yet received updates.

Critical vulnerabilities in the BlueSDK Bluetooth stack could allow remote code execution on millions of vehicles, enabling hackers to gain access to car infotainment systems. The PerfektBlue attack can track locations, record audio, and potentially control vehicle functions by exploiting these flaws.