This article details security vulnerabilities in Airoha-based Bluetooth headphones that allow attackers to connect without authentication. It discusses three specific CVEs and their implications, including the potential for eavesdropping through compromised devices. Technical details and a verification tool are also provided for further research.

Vulnerabilities in a Bluetooth chipset used in 29 audio devices from various vendors can be exploited for eavesdropping and information theft. Researchers disclosed three flaws that allow attackers to hijack connections, initiate calls, and potentially access call history and contacts, although attacks require technical expertise and close physical proximity. Device manufacturers are working on patches, but many affected devices have not yet received updates.