
Headphone Jacking: $400 Headphones Hijack Your Phone

Your $400 Sony WH-1000XM5 headphones aren’t just playing music—they could be handing hackers the keys to your phone. On December 31, 2025, security researchers at ERNW disclosed three critical vulnerabilities affecting millions of Bluetooth headphones from Sony, Bose, JBL, Marshall, and Jabra. Attackers within Bluetooth range can silently connect to vulnerable headphones, extract cryptographic keys, then hijack your smartphone to access contacts, trigger voice assistants, and eavesdrop via your phone’s microphone.

The vulnerabilities—CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702—stem from a debug protocol called RACE (Remote Access Control Engine) that was left unlocked on production devices. Moreover, researchers demonstrated proof-of-concept attacks that successfully compromised WhatsApp and Amazon accounts. The disclosure is trending on Hacker News with 329 points and 102 comments, and exploit tools are now publicly available.

How the Attack Works

The “Headphone Jacking” attack unfolds in four silent steps. First, an attacker within Bluetooth range—think coffee shops, trains, or office buildings—connects to your headphones via Bluetooth Low Energy. Your music keeps playing. You won’t see a pairing request or hear a beep.

Second, the attacker exploits the RACE protocol, a factory debugging tool that Airoha left exposed on millions of consumer devices. This protocol allows reading and writing to arbitrary locations in the headphones’ flash memory. Consequently, the attacker dumps the firmware, which contains a connection table with paired device information.

Third, buried in that memory dump is the Bluetooth Link Key—the master password that your phone and headphones use to trust each other. Fourth, the attacker’s device spoofs your headphones’ Bluetooth MAC address and uses the stolen Link Key to connect to your phone. Your phone thinks it’s talking to your legitimate headphones. According to ERNW’s full technical disclosure, this enables extracting contacts, triggering Siri or Google Assistant to send messages, hijacking calls, and eavesdropping via your phone’s microphone.

The Unpatchable Problem

Here’s where it gets worse. Airoha released SDK patches to manufacturers in June 2025—six months ago. However, due to the fragmented firmware update ecosystem, millions of devices remain vulnerable. Unlike your smartphone that updates automatically, your $400 headphones require you to manually open the Sony Headphones app or Bose Music app and check for updates. Almost nobody does this.

The vendor response has been equally fragmented. Jabra stands out for transparency, publicly listing affected devices and mentioning CVE numbers in firmware release notes. Meanwhile, Sony released firmware v6.1.0 for the WF-1000XM5 on June 24, 2025, fixing what they vaguely called “a security vulnerability in the Bluetooth function”—but never publicly acknowledged the CVE numbers. Bose? Silence.

This isn’t just a bug. It’s a systemic failure. According to industry reports, IoT malware attacks increased 400% in 2023, and one in three breaches now involves an IoT device. Furthermore, with 18 billion connected IoT devices in 2024, the fragmented update model means vulnerabilities persist for years.

Who’s Affected

If you paid $400 for Sony’s flagship WH-1000XM5 headphones expecting premium security, you got premium vulnerabilities instead. The flaws affect devices powered by Airoha Bluetooth chips. Verified vulnerable devices include Sony WH-1000XM5 and WF-1000XM5 (flagship over-ear and earbuds), Bose QuietComfort Earbuds, JBL Live Buds 3, Marshall MAJOR V and MINOR IV, plus various Jabra, Beyerdynamic, and Teufel models.

This is a textbook supply chain security failure. A single chip manufacturer’s debug protocol flaw cascades to millions of devices from trusted brands. Check your drawer—if you own Sony, Bose, JBL, Marshall, or Jabra headphones bought before mid-2025, there’s a good chance they’re vulnerable.

What You Can Do

First, update your firmware immediately. Open your brand’s app—Sony Headphones, Bose Music, JBL One, or Jabra Sound+—and manually check for updates. Sony WF-1000XM5 users should update to firmware v6.1.0 or later. Set a monthly calendar reminder to check again.

Second, disable Bluetooth when you’re not using it. This closes the attack vector entirely and saves battery as a bonus. Third, delete old Bluetooth pairings you don’t use anymore. Every paired device is a potential attack surface.

Finally, for high-security scenarios, consider switching to wired headphones. ERNW specifically recommends this for journalists, diplomats, and executives. Follow Norton’s Bluetooth security best practices: only enable discoverable mode when pairing, pair in secure locations, and use six-digit random PINs.
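For anyone responsible for more than one pair of headphones, the firmware and stale-pairing checks above can be run over a device inventory. This is an added example, not code from ERNW, the vendors or the original article. The inventory records, the 90-day staleness cut-off and the finding labels are assumptions; the model list and the v6.1.0 fix are the ones the article names.

```python
from dataclasses import dataclass
from datetime import date

# Models the article lists as verified vulnerable.
AFFECTED = {"Sony WH-1000XM5", "Sony WF-1000XM5", "Bose QuietComfort Earbuds",
            "JBL Live Buds 3", "Marshall MAJOR V", "Marshall MINOR IV"}
# The only fixed firmware version the article states.
FIXED = {"Sony WF-1000XM5": (6, 1, 0)}
STALE_AFTER_DAYS = 90  # assumption: cut-off for a pairing "you don't use anymore"

@dataclass
class Pairing:
    owner: str
    model: str
    firmware: str    # as shown in the vendor app, "" if not recorded
    last_used: date

def parse_version(text):
    """'v6.1' -> (6, 1, 0); None when the string is empty or malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) > 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(pairings, today):
    """Return (owner, model, finding) tuples for pairings that need action."""
    findings = []
    for p in pairings:
        if (today - p.last_used).days > STALE_AFTER_DAYS:
            findings.append((p.owner, p.model, "STALE_PAIRING"))
        if p.model not in AFFECTED:
            continue
        have = parse_version(p.firmware)
        if p.model not in FIXED:
            # Article gives no fixed version for this model.
            findings.append((p.owner, p.model, "AFFECTED_CHECK_VENDOR_APP"))
        elif have is None:
            findings.append((p.owner, p.model, "AFFECTED_FIRMWARE_UNKNOWN"))
        elif have < FIXED[p.model]:
            findings.append((p.owner, p.model, "UPDATE_REQUIRED"))
    return findings

# Constructed inventory and date; owners and firmware strings are made up.
TODAY = date(2026, 1, 5)
SAMPLE = [
    Pairing("alice", "Sony WF-1000XM5", "v5.0.2", date(2026, 1, 2)),
    Pairing("bob", "Sony WF-1000XM5", "v6.1.0", date(2026, 1, 3)),
    Pairing("carol", "Marshall MAJOR V", "", date(2025, 8, 1)),
    Pairing("dave", "Sony WF-1000XM5", "unknown", date(2025, 12, 20)),
]
```

Models without a published fixed version are reported for a manual check in the vendor app rather than assumed patched.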

The Bigger Picture

The Bluetooth Headphone Jacking vulnerabilities expose a deeper problem: the IoT security ecosystem is fundamentally broken. Vendors prioritize shipping products over implementing automatic security updates. Users are expected to manually check firmware updates on every smart device—headphones, lightbulbs, thermostats, door locks. It’s an impossible expectation.

The industry needs mandatory automatic updates for consumer IoT devices, regulatory requirements for security audits, and supply chain accountability. Until then, your expensive headphones will continue to ship with unlocked debug protocols.

Is wireless convenience worth the security risk? For most people, updating firmware and being mindful of Bluetooth security is enough. Nevertheless, the fact that we’re even asking this question about $400 flagship devices from trusted brands shows how far the industry has fallen.

ByteBot