Multiple vulnerabilities in Airoha Bluetooth chips could be exploited to take over headphone and earbud products from multiple vendors, IT security firm ERNW warns.
Airoha provides Bluetooth system on a chip (SoC) products and reference designs and implementations for them, and has become one of the largest suppliers for headphone and earbud vendors, including Beyerdynamic, Marshall, and Sony.
According to ERNW, products built using Airoha’s SoCs, as well as reference implementations that rely on its software development kit (SDK) expose a custom protocol that allows attackers to read and write the RAM and flash storage, and manipulate the device.
The protocol is exposed via Bluetooth Low Energy Generic ATTribute Profile (BLE GATT), which covers data transfer over BLE, and as the RFCOMM channel via Bluetooth BD/EDR (the virtual serial port connection in Bluetooth Classic).
Not only does the custom protocol expose critical capabilities, but missing authentication for both GATT services and Bluetooth BR/EDR opens the door to attacks, ERNW says.
“Missing authentication for Bluetooth Classic allows an attacker to use this protocol without pairing with the device,” the company notes.
The vulnerabilities can be triggered both over BLE and Bluetooth BR/EDR, allowing attackers to take over devices without authentication or pairing. The attack is possible in most scenarios, but requires the vulnerable device to be in Bluetooth range.
“It is possible to read and write the device’s RAM and flash. These capabilities also allow attackers to hijack established trust relationships with other devices, such as the phone paired to the headphones,” ERNW explains.
The security defects open the door to attack scenarios that include reading out the playing media from the headphones, eavesdropping, extracting the device’s phone number and the phone numbers of incoming calls, or rewriting the device firmware to gain code execution, which leads to a wormable exploit.
ERNW underlines that, in theory, any vulnerable device is exposed to these types of attacks, as long as the attacker is within Bluetooth connectivity range and has high technical skills, as they would need to perform multiple exploit steps without being noticed.
“Yes — the idea that someone could hijack your headphones, impersonate them towards your phone, and potentially make calls or spy on you, sounds pretty alarming,” the company says.
It also explains that such attacks are likely to be performed against high-value targets, such as diplomats, journalists, VIPs under surveillance, individuals associated with sensitive industries, and political dissidents.
Airoha, ERNW says, has addressed the vulnerabilities in the latest version of its SDK, which was supplied to its customers. To date, the security firm is not aware of any vendor releasing firmware updates to address the bugs.
Related: Android, Linux, Apple Devices Exposed to Bluetooth Keystroke Injection Attacks
Related: New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher
Related: Researchers Devise New Type of Bluetooth LE Relay Attacks
