Glad this submission is finally receiving upvotes.
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
One of the researchers here.
Many people seem to prefer text to videos, which I sympathize with.
So please excuse me hijacking the top comment with links to our blog post and white paper:
Did you look into whether the spoofed device can also be "upgraded" to be used as an HID device, like a mouse or keyboard? That upgrade would be several CVEs against the OS vendors.
That would make the attacks potentially silent, since the attacked could simulate keypresses to dismiss notifications, or can at least keep the target unable to respond by spamming home/back or pressing power and simulating a swipe to shutdown.
Kamala Harris, citing seemingly classified intelligence, famously raised the alarm on Bluetooth earphones to Stephen Colbert:
“I know I've been teased about this, but I like these kinds of earpods that have the thing [pointing to the wire] because I served on the Senate Intelligence Committee. I have been in classified briefings, and I'm telling you, don't be on the train using your earpods thinking somebody can't listen to your conversation.”
I doubt this was ever classified information. It's written all over DoD and NSA requirements and best practices for staff and diplomats.
She was probably briefed repeatedly about this as a member of that committee.
Here's one example:
> Headphones are wired headphones (i.e. not wireless) which can be plugged into a computing device to listen to audio media (e.g. music, Defense Collaboration Services, etc.).[0]
> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
Fun fact: There are at least two applications that reverse engineered AirPods' communication protocol for custom controls - AndroPods from 2020 [1] and LibrePods from 2024 [2].
But... mainstream Android has a bug open in their Bluetooth stack for well over a year now that prevents issuing the commands, meaning to actually use the app you need root rights [3].
Is this an unintentional vulnerability or is it one of those "we left it open because it's easier and we hoped nobody would notice" kind of things. I mean can you just send a "update to this firmware" command completely unauthenticated and it's like "yep sure"? No signing or anything?
IMO, it's plausible that Airoha and the OEMs did not know about this. The tooling may have been written in a pseudo-secure manner, i.e. requiring pairing (on the client side) before attempting all the debugging/firmware update commands. The tools may simply assume that pairing is required or only list targets from those that are paired and connected, which gives the illusion that the air protocol requires this.
All it really takes is some engineer missing an if-statement to check that the connection is bonded before processing the packets.
According to the details in their whitepaper, firmware is signed, but the management protocol allows reading arbitrary memory, so you can read out the keys and sign your own payload.
I'm not sure anyone intentionally did this, but there were several poor decisions involved. It sounds like the upstream vendor shipped sample code without auth, assuming implementers would know they needed to secure a privileged device management interface, and said implementers just copied the sample and shipped it.
> Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
While I don't recall Sony issuing an advisory, I believe the users of their app would have started getting update notifications since they (quietly) released firmware updates.
> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I think most vendors are using custom services with their own UUIDs for settings such as this.
Regardless, I believe there are open client implementations for some of the more popular devices. Gadgetbridge comes to mind in regards to Android, not sure about any Linux equivalent.
These (and others?) actually have a wired option (even provide the cable) for listening. Sadly the built-in microphone doesn't work in 'wired mode' (though ANC does).
You could get at at "cable boom microphone", e.g.:
They also demonstrated how this could be used to silently find out someone’s phone number and then hijack a TFA validation call from an app like WhatsApp to take over their account with no user interaction.
the session (or pairing key) means you can both connect to the headphone or impersonate it.
It can toggle the hands-free mode and listen to whatever is being talked, you'd notice that it has switched to the mode though - but if you're headphones are powered on and you're not listening to in they can be used for eavesdropping.
During the talk they both demonstrate listening to the microphone and also receiving a WhatsApp 2FA call.
Remote audio surveillance probably be accomplished on wired headphones with TEMPEST [0]/Van Eck phreaking [1]. Not sure about which has a better range and which would be stealthier - TEMPEST or the Bluetooth attack. The Bluetooth attack just requires a laptop. Not sure if the TEMPEST attack would require a big antenna.
Even if the TEMPEST were easier, it's significantly less powerful, as it's not going to get you the ability to write malicious firmware to the audio device nor a persistent connection to the host device when the audio device isn't connected.
I doubt that audio-spectrum RF/magnetic frequencies emanate strongly from wired headphones. They are simply not a long enough antenna at 200-3,000 Hz. Also, the loop area is quite low. The ground wire runs parallel to the L/R wires, so the only loop to receive is the magnetic coils in the headphones, which are small. Only near field would work, IMO.
And everyone got mad at OpenBSD for refusing to develop bluetooth.
It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..
I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. Everyone seems to use bluetooth headphones exclusively (in Sweden at least), I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
I was also trying to debug bluetooth “glitching audio” issues and tried to figure out signal strength as the first troubleshooting step: I discovered that people don’t even expose signal strength anymore… the introspection into what’s happening extends literally nowhere, including not showing signal strength… truly, the whole thing is cursed and I’m shocked it works for the masses the way it does.. can you imagine not displaying wifi signal strength?
This is not a Bluetooth issue. The chip manufacturer Airoha just felt it acceptable to ship a wireless debug interface that allows reading the SoC memory with no authentication whatsoever, enabled in retail customer builds. They are just not a serious company (which is why their security email didn't work, either).
> part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
Is it scary? Bluetooth is wildly convenient, and mostly works most of the time. There are definite software issues, and there are security issues, but for most of us, we're not going to run into them that often. (Well, ok - maybe not for most of the people on this site.)
I'm going to continue using my bluetooth headphones, because the odds of a nefarious hacker with a linux laptop attacking me directly are wildly low. In terms of security, my time & money would be better spent buying a steering0-wheel-lock-bar for my car, or a mechanical timer that will turn the lights on & off in my house randomly at night.
Sometimes plugging a cord is a minor inconvenience.
But sometimes it's a large inconvenience
Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)
You can't read English like if it was a declarative logical language. It is obviously an hyperbole to say "everyone". It means "a lot of people". So why they didn't say "a lot of people"? Language uses hyperboles to make a point stronger.
Qualcomm kind of does this with their XPAN extension, sends the audio over local network. I believe it's mostly a proprietary solution though, so I haven't seen any serious attempts to re-implement it yet.
I didn't see a summary in here so based on my reading:
* Certain headset devices from varying vendors have crappy BT security over both bluetooth classic and BLE
* They implement a custom protocol called RACE which can do certain things with no authentication at all
* One of the things RACE lets you do is read arbitrary memory and exfiltrate keys needed to impersonate the vulnerable device with your already-paired phone
* Once you're impersonating the vulnerable device you can do all sorts of things on the paired phone like place/accept calls, listen on the microphone, etc.
This is pretty bad and you can easily see this being used to bypass other layers of auth like SMS verification or "have a robot call me and read me a code." It also makes me wonder if a spoofed device could appear as a HID device (e.g. a keyboard), but it's unclear whether the link key compromise works for new device classes.
So the way to mitigate this is to be certain you don't have one of the vulnerable peripherals or to disable BT. Note that the list of device models sounds *far* from complete because it's a chipset issue. Which makes me wonder if there are cars out there using this chipset and exposing the same vulns. I'd be very interested if anyone has a source on whether any cars use these chipsets.
I don't have time right now to watch the video and will be coming back to do so later, but here's a couple of snippets from the text on that page that made me want to bother watching (either they're overhyping it, or it sounds interesting and significant)
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
> Step 1: Connect (CVE-20700/20701) The attacker is in physical proximity and silently connects to a pair of headphones via BLE or Classic Bluetooth.
> Step 2: Exfiltrate (CVE-20702) Using the unauthenticated connection, the attacker uses the RACE protocol to (partially) dump the flash memory of the headphones.
> Step 3: Extract Inside that memory dump resides a connection table. This table includes the names and addresses of paired devices. More importantly, it also contains the Bluetooth Link Key. This is the cryptographic secret that a phone and headphones use to recognize and trust each other.
> Note: Once the attacker has this key, they no longer need access to the headphones.
> Step 4: Impersonate The attacker’s device now connects to the targets phone, pretending to be the trusted headphones. This involves spoofing the headphones Bluetooth address and using the extracted link-key.
> Once connected to the phone the attacker can proceed to interact with it from the privileged position of a trusted peripheral.
The most frustrating part is when Apple dropped the jack we laughed at the "courage" bit, Apple's given reasons where already seen as bullshit, Samsung had their finger pointing moment.
And it just went on, Apple weathered the critics, the other makers also dropped it, and at some point there was just nowhere to go for anyone still wanted a 3.5 jack with a decent phone.
I agree the loss of the 3.5mm jack is a short-sighted and poor decision. There is at least one mitigation, which is the ability to recover the jack through a USB-C DAC. Apple sells them for USD10. I have several, in the car and in my backpack.
It's not a good solution though. In particular I find the USB-C port gets worn out pretty quickly. Its also easy to lose the dongle and of course it's more complicated to setup. (I'm not sure how to articulate the "it's more complicated" part. Adding the dongle elevates the action of "plug in headphones" from something you can do without attention to something that requires attention, and I don't like that.)
They’re just responding to the market. The vast majority of people don’t care about this. Personally, I’d rather have two minutes more battery life than a headphone jack.
It’s annoying to have non-mainstream preferences in an area where economies of scale mean every product needs to have mass market appeal. But you might as well complain about the tide coming in.
This has been a lie since day one. The Sony Xperia line has been waterproof for over 10 years and continues to have a headphone jack and an SD card slot. That with their minimal Android tweaks is the main reason to even consider their phones.
The official reason was, famously and ridiculously, "courage". Apple further explained that space is at a premium, listed the many things competing for that space, and noted that a large, single-purpose legacy connector no longer made sense.
A lot of Apple's strategic choices are driven by products that take 5, 10, or sometimes 20 years to realize. For example, the forthcoming foldable iPhone (and the proving ground for many related decisions, the iPhone Air) was on roadmaps literally a decade before a decision like this reverberates through released products.
Putting a high-quality DAC in a dongle wasn't a terrible solution (many phones with analog jacks have poor ones), and today hundreds of headphones¹ courageously have native USB-C support.
I just don’t know a single real person that still wants to use wired earphones with their phone. To me it’s the same as complaining that an artist only has CDs, not records.
I want to use the extremely simple and reliable direct interface and inexpensive cheap earphones and patch cables that I can buy in any reasonable electronics store for low markup. They are all passive components.
Adding an external sound card introduces variables outside of manufacture control, the quality, latency, and drive power all at the mercy of some random integrator.
My phone is easily thick enough to accommodate a 3.5mm port, and it can't be that difficult to waterproof such a jack, which should also make reasonable cleaning easy if it's ever required.
The security, performance, usability and reliability of wired headphones will always be superior to wireless. There is just no substitute for the simplicity of an uninterrupted piece of copper carrying an analog signal. The convenience of having no wires simply isn't worth the downgrade in these other aspects.
Haven't watched the video yet, but I think this capability was leaked by VP Kamala Harris during her recent interview with the Late Night Show [0]. She stated she doesn't use wireless headphones because she's been in security meetings and knows they're not safe.
You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies
What she says isn't necessary untrue, now is it? She just skips a lot of steps most people have no clue about.
I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.
It isn't about trust. There's no need to trust Kamala Harris in order to heed "wireless headphones probably have a legitimate security risk." And we know that even if she's a complete moron in this topic area, she's advised by people who should know. Even if you put no stock in her opinion, there is zero security downside (and an awful lot of common sense benefit) to additional caution.
Even before this report, I had a vague feeling that there were probably some security issues with BT headsets, and now it's confirmed in a very concrete way. So whether she is stupid or not, Kamala was right about this.
I think many people would be justified in making the argument that bluetooth has existed for at least 20 years and thus is the established battle tested protocol.
There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.
However the individual in question is not delusional or conspiratorial, and we know for sure that they are receiving advice or restrictions from extremely well-informed sources, so there's every reason to believe they are (lo-fi) repeating that.
Regular Bluetooth security is not that great. A lot of it is poor usability where the user can't easily know that they don't have a secure connection. Setting up a secure connection might involve entering a PIN on each end of the connection which might be challenging for something like a pair of earbuds. This contains a nice discussion of the issues and talks about active attacks:
I guess what she was trying to say is "Anything wireless is bad in term of security". We don't really know whether the bad guy already has technology to decode wireless protocol we are going to use, so it's best to assume they already have and reduce the attack surface for them.
There is little encryption being done by bluetooth, while wifi, many layers add their own encryption to the data.
I think the policy Harris is referring to is based on the _risk_ of something like this - it is easy to imagine wireless devices being vulnerable and enabling this capability - rather than being based on definitive existence of this capability.
The government also doesn't let people conduct sensitive or classified conversations over un-certified protocols or devices. Unless the NSA was participating in the bluetooth encryption standards decisions they aren't going to allow those devices to be used by the President or VP. IMHO though, it's probably more that there were security trade-offs made when developing the standards and the government isn't OK with those types of trade-offs. It doesn't mean they're horrible, just that they aren't verified to be secure enough for sensitive governmental purposes.
I couldn't find anything from Sony confirming that these specific vulnerabilities had been patched, so i tried to reproduce the steps from the whitepaper using nRF Connect [1] with my Sony WH-1000XM4 on the latest firmware version.
There was no response to the Get Build Version command, and the Read Flash command returned an error. So tentatively (with false negatives possible), it seems to have been patched on Sony devices. I don't have a linux box with bluetooth handy ATM so I didn't try using the race-toolkit directly.
Most audiophiles ignore bluetooth headphones due to sound quality + latency, so we (audiophiles) stick to wired at home and we also have dedicated headphone amps since the pissy sound card D/A convertors are incredibly bad. Bluetooth only when I’m doing yard work. Sadly, modern music is tuned to crappy headphones, crappy car systems, crappy speakers … I miss the 80’s audiophile obsession, the equipment had heart, and mixing and mastering was generations ahead of current (mainstream) music production.
- Apple has a lossless codec for wireless, ALAC that can do up to 24bit/192khz
- aptX can do 44/16 in other devices, Sony has LDAC at 24/96 too
- latency under <100ms is meaningless for pure audio listening, video players have latency compensation
We have amazing technology available today, at prices and quality unimaginable in the 80s. A $50 in-ear from a chinese hi-fi brand can give you an audio experience you couldn’t buy for thousands of dollars a decade ago. And there’s more and more analog hardware being designed and built as technology costs have fallen. You’re really missing out if you think things were better back then.
From a security point of view music listening is quite marginal, I think. The vulnerable headsets make conversations trivial to eavesdrop.
Average communication input is in a noisy environment (colleagues, family, wind, equipment, car), and is compressed both in the dynamic range and bitrate sense before sending out. The transport medium then provides latency and packet loss. The fidelity of the audio equipment on the receiving side plays very little role. I imagine even audiophiles quite readily use even below mid-range wireless headsets for conversations, just because they are more convenient.
In other words, I don't take calls on my wired AKG headphones, even though my phone has a 3.5mm jack. I'm particularly fond of my €30 in-ear BT headset that provides good enough input and output even when I'm biking. I can't be bothered to check if the model is on the vulnerable devices list, the phone company / Meta / Alphabet / some governments and so on can surveil my communications anyway. Adding a random passer-by to the mix does not meaningfully increase the attack surface. Plus they might get to listen to awesome music, if I'm not on a call.
"Sound quality" is a theoretical goal which can't be achieved in practice unless you listen in a perfectly quiet room. Your audiophile open-back headphones can't achieve their rated sound quality if eg there's a CPU fan in the room, or if you're wearing glasses, or if your head just doesn't fit the headphones the same way as the tester's dummy head mic did.
I think many still recognise the train, car, going for a run / cycle, gym… isn’t an optimum listening environment and the convenience significantly outweighs AQ in a lot of situations.
I'm really enjoying my Focal Bathys Bluetooth headphones! Sure, wired options will always be better, but when I want convenience, I've been really impressed with these!
Readit News
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
RACE Reverse Engineered - CLI Tool: https://github.com/auracast-research/race-toolkit
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
Blog: https://insinuator.net/2025/12/bluetooth-headphone-jacking-f...
Paper: https://ernw.de/en/publications.html
That would make the attacks potentially silent, since the attacked could simulate keypresses to dismiss notifications, or can at least keep the target unable to respond by spamming home/back or pressing power and simulating a swipe to shutdown.
Deleted Comment
“I know I've been teased about this, but I like these kinds of earpods that have the thing [pointing to the wire] because I served on the Senate Intelligence Committee. I have been in classified briefings, and I'm telling you, don't be on the train using your earpods thinking somebody can't listen to your conversation.”
https://www.aol.com/kamala-harris-warns-against-wireless-150...
She was probably briefed repeatedly about this as a member of that committee.
Here's one example:
> Headphones are wired headphones (i.e. not wireless) which can be plugged into a computing device to listen to audio media (e.g. music, Defense Collaboration Services, etc.).[0]
[0]: https://dl.dod.cyber.mil/wp-content/uploads/stigs/pdf/2016-0...
Fun fact: There are at least two applications that reverse engineered AirPods' communication protocol for custom controls - AndroPods from 2020 [1] and LibrePods from 2024 [2].
But... mainstream Android has a bug open in their Bluetooth stack for well over a year now that prevents issuing the commands, meaning to actually use the app you need root rights [3].
[1] https://play.google.com/store/apps/details?id=pro.vitalii.an...
[2] https://github.com/kavishdevar/librepods/tree/main
[3] https://issuetracker.google.com/issues/371713238
All it really takes is some engineer missing an if-statement to check that the connection is bonded before processing the packets.
I'm not sure anyone intentionally did this, but there were several poor decisions involved. It sounds like the upstream vendor shipped sample code without auth, assuming implementers would know they needed to secure a privileged device management interface, and said implementers just copied the sample and shipped it.
While I don't recall Sony issuing an advisory, I believe the users of their app would have started getting update notifications since they (quietly) released firmware updates.
> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I think most vendors are using custom services with their own UUIDs for settings such as this.
Regardless, I believe there are open client implementations for some of the more popular devices. Gadgetbridge comes to mind in regards to Android, not sure about any Linux equivalent.
Speaking for myself, I have very little patience for technical videos, so I don't believe I've ever upvoted a YouTube submission.
One second thought I think this is called a transcript...
---
Edit: Auto-Transcript! (No timestamps, sorry)
https://jsbin.com/jiqihuveci/edit?html,output
These (and others?) actually have a wired option (even provide the cable) for listening. Sadly the built-in microphone doesn't work in 'wired mode' (though ANC does).
You could get at at "cable boom microphone", e.g.:
* https://www.amazon.com/dp/B07W3GGRF2
* https://www.amazon.com/dp/B00BJ17WKK
Maybe the XM7 will have it (along with wired audio controls) via a CTIA/AHJ TRRS plug:
* https://en.wikipedia.org/wiki/Phone_connector_(audio)#TRRS_s...
or via USB audio.
I'm not surprised Jabra acted quickly. They mainly sell too enterprise which generally care very much about security. Sony is more a consumer mfg now.
That doesn't sound very serious if they're exposed, is it? Can it be used to eavesdrop my conversation if I'm speaking through the headphone
It can toggle the hands-free mode and listen to whatever is being talked, you'd notice that it has switched to the mode though - but if you're headphones are powered on and you're not listening to in they can be used for eavesdropping.
During the talk they both demonstrate listening to the microphone and also receiving a WhatsApp 2FA call.
[0] https://en.wikipedia.org/wiki/Tempest_(codename)
[1] https://en.wikipedia.org/wiki/Van_Eck_phreaking
It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..
I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. Everyone seems to use bluetooth headphones exclusively (in Sweden at least), I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
I was also trying to debug bluetooth “glitching audio” issues and tried to figure out signal strength as the first troubleshooting step: I discovered that people don’t even expose signal strength anymore… the introspection into what’s happening extends literally nowhere, including not showing signal strength… truly, the whole thing is cursed and I’m shocked it works for the masses the way it does.. can you imagine not displaying wifi signal strength?
It tells more about human nature than about a company.
This can only be fixed systemically by huge fines and/or imprisonment. Otherwise the temptation of taking the risk to neglect security is too strong.
Is it scary? Bluetooth is wildly convenient, and mostly works most of the time. There are definite software issues, and there are security issues, but for most of us, we're not going to run into them that often. (Well, ok - maybe not for most of the people on this site.)
I'm going to continue using my bluetooth headphones, because the odds of a nefarious hacker with a linux laptop attacking me directly are wildly low. In terms of security, my time & money would be better spent buying a steering0-wheel-lock-bar for my car, or a mechanical timer that will turn the lights on & off in my house randomly at night.
But sometimes it's a large inconvenience
Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)
So who is everyone, in your meaning?
https://news.ycombinator.com/item?id=25950845
https://news.ycombinator.com/item?id=45798439
https://news.ycombinator.com/item?id=34667522
https://news.ycombinator.com/item?id=43144607
One thing less to worry about.
and
"One less thing to worry about"
These are not compatible statements. :)
The whole tcp/ip, wifi stack is at least a magnitude more complex than bluetooth one, and the wifi radio generally consumes more power.
Alright, so when is OpenBSD patching out USB support? Such a giant exploit vector.
So the way to mitigate this is to be certain you don't have one of the vulnerable peripherals or to disable BT. Note that the list of device models sounds *far* from complete because it's a chipset issue. Which makes me wonder if there are cars out there using this chipset and exposing the same vulns. I'd be very interested if anyone has a source on whether any cars use these chipsets.
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
> Step 1: Connect (CVE-20700/20701) The attacker is in physical proximity and silently connects to a pair of headphones via BLE or Classic Bluetooth.
> Step 2: Exfiltrate (CVE-20702) Using the unauthenticated connection, the attacker uses the RACE protocol to (partially) dump the flash memory of the headphones.
> Step 3: Extract Inside that memory dump resides a connection table. This table includes the names and addresses of paired devices. More importantly, it also contains the Bluetooth Link Key. This is the cryptographic secret that a phone and headphones use to recognize and trust each other.
> Note: Once the attacker has this key, they no longer need access to the headphones.
> Step 4: Impersonate The attacker’s device now connects to the targets phone, pretending to be the trusted headphones. This involves spoofing the headphones Bluetooth address and using the extracted link-key.
> Once connected to the phone the attacker can proceed to interact with it from the privileged position of a trusted peripheral.
[1] https://news.ycombinator.com/item?id=46454740
And it just went on, Apple weathered the critics, the other makers also dropped it, and at some point there was just nowhere to go for anyone still wanted a 3.5 jack with a decent phone.
It's not a good solution though. In particular I find the USB-C port gets worn out pretty quickly. Its also easy to lose the dongle and of course it's more complicated to setup. (I'm not sure how to articulate the "it's more complicated" part. Adding the dongle elevates the action of "plug in headphones" from something you can do without attention to something that requires attention, and I don't like that.)
It’s annoying to have non-mainstream preferences in an area where economies of scale mean every product needs to have mass market appeal. But you might as well complain about the tide coming in.
If you want actual quality... be ready to shell out a bit of money [1].
[1] https://www.amazon.de/Qudelix-Bluetooth-Adaptive-unsymmetris...
A lot of Apple's strategic choices are driven by products that take 5, 10, or sometimes 20 years to realize. For example, the forthcoming foldable iPhone (and the proving ground for many related decisions, the iPhone Air) was on roadmaps literally a decade before a decision like this reverberates through released products.
Putting a high-quality DAC in a dongle wasn't a terrible solution (many phones with analog jacks have poor ones), and today hundreds of headphones¹ courageously have native USB-C support.
¹ https://www.bhphotovideo.com/c/products/usb-c-headphones/ci/...
Adding an external sound card introduces variables outside of manufacture control, the quality, latency, and drive power all at the mercy of some random integrator.
My phone is easily thick enough to accommodate a 3.5mm port, and it can't be that difficult to waterproof such a jack, which should also make reasonable cleaning easy if it's ever required.
[0] https://youtu.be/BD8Nf09z_38 (Timestamp 18:40)
Out of all the people I would trust on the matter, Kamala Harris doesn't certainly end up at the top of my list, for reasons such as this one: https://youtu.be/O2SLyBL2kdM?si=Zq-EN8zxj4Y_UCwI
You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies
I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.
Even before this report, I had a vague feeling that there were probably some security issues with BT headsets, and now it's confirmed in a very concrete way. So whether she is stupid or not, Kamala was right about this.
There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.
However the individual in question is not delusional or conspiratorial, and we know for sure that they are receiving advice or restrictions from extremely well-informed sources, so there's every reason to believe they are (lo-fi) repeating that.
* https://arxiv.org/pdf/2108.07190
There is little encryption being done by bluetooth, while wifi, many layers add their own encryption to the data.
I think the policy Harris is referring to is based on the _risk_ of something like this - it is easy to imagine wireless devices being vulnerable and enabling this capability - rather than being based on definitive existence of this capability.
Deleted Comment
Because he also knows a thing or two about technology. His agency won't even allow him use an iPhone (for official business).
[0] Dude is decades away from retirement, not even close to "Boomer"
There was no response to the Get Build Version command, and the Read Flash command returned an error. So tentatively (with false negatives possible), it seems to have been patched on Sony devices. I don't have a linux box with bluetooth handy ATM so I didn't try using the race-toolkit directly.
[1] https://static.ernw.de/whitepaper/ERNW_White_Paper_74_1.0.pd...
- Sony WH-1000XM4
- aptX can do 44/16 in other devices, Sony has LDAC at 24/96 too
- latency under <100ms is meaningless for pure audio listening, video players have latency compensation
We have amazing technology available today, at prices and quality unimaginable in the 80s. A $50 in-ear from a chinese hi-fi brand can give you an audio experience you couldn’t buy for thousands of dollars a decade ago. And there’s more and more analog hardware being designed and built as technology costs have fallen. You’re really missing out if you think things were better back then.
Only Vision Pro has wireless lossless audio and it works because it's right next to the AirPods.
But your phone can passthrough AAC over Bluetooth as long as it doesn't have to mix system sounds or anything in.
FWIW, 44/16 can still sound like garbage if compressed using lossy compression with a low bitrate.
But aptX is over 300 kbps. That's plenty of bandwidth to sound excellent, and I think anybody who says it doesn't sound good is lying to themselves.
Average communication input is in a noisy environment (colleagues, family, wind, equipment, car), and is compressed both in the dynamic range and bitrate sense before sending out. The transport medium then provides latency and packet loss. The fidelity of the audio equipment on the receiving side plays very little role. I imagine even audiophiles quite readily use even below mid-range wireless headsets for conversations, just because they are more convenient.
In other words, I don't take calls on my wired AKG headphones, even though my phone has a 3.5mm jack. I'm particularly fond of my €30 in-ear BT headset that provides good enough input and output even when I'm biking. I can't be bothered to check if the model is on the vulnerable devices list, the phone company / Meta / Alphabet / some governments and so on can surveil my communications anyway. Adding a random passer-by to the mix does not meaningfully increase the attack surface. Plus they might get to listen to awesome music, if I'm not on a call.
Audiophiles tend to have firm stances on what is acceptable or not, I find.
Dead Comment