This article details security vulnerabilities in Airoha-based Bluetooth headphones that allow attackers to connect without authentication. It discusses three specific CVEs and their implications, including the potential for eavesdropping through compromised devices. Technical details and a verification tool are also provided for further research.