Glad this submission is finally receiving upvotes.
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpached) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
What is exciting, even though the flaws are awful, that it is unlikely for current generation of those Airoha bluetooth headsets to change away from Aiorha's Bluetooth LE "RACE" protocol. This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
RACE Reverse Engineered - CLI Tool: https://github.com/auracast-research/race-toolkit
I feel like this should receive state-level attention, the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries official buildings are when it comes to Bluetooth audio devices, considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
One of the researchers here. Many people seem to prefer text to videos, which I sympathize with. So please excuse me hijacking the top comment with links to our blog post and white paper:
Blog: https://insinuator.net/2025/12/bluetooth-headphone-jacking-f...
Did you look into whether the spoofed device can also be "upgraded" to be used as an HID device, like a mouse or keyboard? That upgrade would be several CVEs against the OS vendors.
That would make the attacks potentially silent, since the attacked could simulate keypresses to dismiss notifications, or can at least keep the target unable to respond by spamming home/back or pressing power and simulating a swipe to shutdown.
Kamala Harris, citing seemingly classified intelligence, famously raised the alarm on Bluetooth earphones to Stephen Colbert:
“I know I've been teased about this, but I like these kinds of earpods that have the thing [pointing to the wire] because I served on the Senate Intelligence Committee. I have been in classified briefings, and I'm telling you, don't be on the train using your earpods thinking somebody can't listen to your conversation.”
https://www.aol.com/kamala-harris-warns-against-wireless-150...
> Most vendors gave the security researchers either silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outlier, Sony unfortunately negatively.
While I don't recall Sony issuing an advisory, I believe the users of their app would have started getting update notifications since they (quietly) released firmware updates.
> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I think most vendors are using custom services with their own UUIDs for settings such as this.
Regardless, I believe there are open client implementations for some of the more popular devices. Gadgetbridge comes to mind in regards to Android, not sure about any Linux equivalent.
Uh totally, I can't believe how much support Gadgetbridge has - wow thanks for the reminder. I'd love to use that on Linux eventually.
> WH1000-XM6
These (and others?) actually have a wired option (even provide the cable) for listening. Sadly the built-in microphone doesn't work in 'wired mode' (though ANC does).
You could get at at "cable boom microphone", e.g.:
* https://www.amazon.com/dp/B07W3GGRF2
* https://www.amazon.com/dp/B00BJ17WKK
Maybe the XM7 will have it (along with wired audio controls) via a CTIA/AHJ TRRS plug:
* https://en.wikipedia.org/wiki/Phone_connector_(audio)#TRRS_s...
or via USB audio.
Cool! Can you play audio to them too? That would be a practical joker's dream lol.
I'm not surprised Jabra acted quickly. They mainly sell too enterprise which generally care very much about security. Sony is more a consumer mfg now.
> Glad this submission is finally receiving upvotes.
Speaking for myself, I have very little patience for technical videos, so I don't believe I've ever upvoted a YouTube submission.
I would read it if it was an article of identical length!
One second thought I think this is called a transcript...
---
Edit: Auto-Transcript! (No timestamps, sorry)
This is a good article: https://insinuator.net/2025/12/bluetooth-headphone-jacking-f...
Just throw the link into Gemini and ask for a brief summary :-))
> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
Fun fact: There are at least two applications that reverse engineered AirPods' communication protocol for custom controls - AndroPods from 2020 [1] and LibrePods from 2024 [2].
But... mainstream Android has a bug open in their Bluetooth stack for well over a year now that prevents issuing the commands, meaning to actually use the app you need root rights [3].
[1] https://play.google.com/store/apps/details?id=pro.vitalii.an...
> This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ..
That doesn't sound very serious if they're exposed, is it? Can it be used to eavesdrop my conversation if I'm speaking through the headphone
They also demonstrated how this could be used to silently find out someone’s phone number and then hijack a TFA validation call from an app like WhatsApp to take over their account with no user interaction.
This attack was not silent, it was noisy. They specifically pointed that out in their talk.
the session (or pairing key) means you can both connect to the headphone or impersonate it.
It can toggle the hands-free mode and listen to whatever is being talked, you'd notice that it has switched to the mode though - but if you're headphones are powered on and you're not listening to in they can be used for eavesdropping.
During the talk they both demonstrate listening to the microphone and also receiving a WhatsApp 2FA call.
presumably, even in hands-free mode the attacker needs to be very close to the speaker to hear it
If you have a Bluetooth analyzer (e.g. Ellisys), then the link key and a directional antenna is all you need to passively eavesdrop on a conversation at a distance.
Of course, even regular omnidirectional Bluetooth antennas are plenty to eavesdrop through a hotel room door, from the hallway outside a conference room, etc.
An attacker can also passively record all the packets in an area (Ellisys allows recording all channels at the same time), and then actively gather link keys using this attack at any time to decrypt the stored conversations.
Is this an unintentional vulnerability or is it one of those "we left it open because it's easier and we hoped nobody would notice" kind of things. I mean can you just send a "update to this firmware" command completely unauthenticated and it's like "yep sure"? No signing or anything?
IMO, it's plausible that Airoha and the OEMs did not know about this. The tooling may have been written in a pseudo-secure manner, i.e. requiring pairing (on the client side) before attempting all the debugging/firmware update commands. The tools may simply assume that pairing is required or only list targets from those that are paired and connected, which gives the illusion that the air protocol requires this.
All it really takes is some engineer missing an if-statement to check that the connection is bonded before processing the packets.
According to the details in their whitepaper, firmware is signed, but the management protocol allows reading arbitrary memory, so you can read out the keys and sign your own payload.
I'm not sure anyone intentionally did this, but there were several poor decisions involved. It sounds like the upstream vendor shipped sample code without auth, assuming implementers would know they needed to secure a privileged device management interface, and said implementers just copied the sample and shipped it.
Finally, a coherent explanation of AirPods glitches ;)
Remote audio surveillance probably be accomplished on wired headphones with TEMPEST [0]/Van Eck phreaking [1]. Not sure about which has a better range and which would be stealthier - TEMPEST or the Bluetooth attack. The Bluetooth attack just requires a laptop. Not sure if the TEMPEST attack would require a big antenna.
I doubt that audio-spectrum RF/magnetic frequencies emanate strongly from wired headphones. They are simply not a long enough antenna at 200-3,000 Hz. Also, the loop area is quite low. The ground wire runs parallel to the L/R wires, so the only loop to receive is the magnetic coils in the headphones, which are small. Only near field would work, IMO.
Even if the TEMPEST were easier, it's significantly less powerful, as it's not going to get you the ability to write malicious firmware to the audio device nor a persistent connection to the host device when the audio device isn't connected.
And everyone got mad at OpenBSD for refusing to develop bluetooth.
It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..
I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. Everyone seems to use bluetooth headphones exclusively (in Sweden at least), I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
I was also trying to debug bluetooth “glitching audio” issues and tried to figure out signal strength as the first troubleshooting step: I discovered that people don’t even expose signal strength anymore… the introspection into what’s happening extends literally nowhere, including not showing signal strength… truly, the whole thing is cursed and I’m shocked it works for the masses the way it does.. can you imagine not displaying wifi signal strength?
This is not a Bluetooth issue. The chip manufacturer Airoha just felt it acceptable to ship a wireless debug interface that allows reading the SoC memory with no authentication whatsoever, enabled in retail customer builds. They are just not a serious company (which is why their security email didn't work, either).
I mean, most companies have security last on their budget list.
It tells more about human nature than about a company.
This can only be fixed systemically by huge fines and/or imprisonment. Otherwise the temptation of taking the risk to neglect security is too strong.
Wireless 'JTAG'! The Dream :)
Now that's a premium product if I've ever seen one.
Pretty sure modern apple watch has wireless "Jtag", so yeah.
Honestly, can't we just ditch BT and send audio over WiFi?
One thing less to worry about.
"Just use wifi for headphones"
and
"One less thing to worry about"
These are not compatible statements. :)
WiFi is nowhere near as low energy as Bluetooth is.
Qualcomm kind of does this with their XPAN extension, sends the audio over local network. I believe it's mostly a proprietary solution though, so I haven't seen any serious attempts to re-implement it yet.
If you think wireless headphones are insecure today, I very much doubt connecting them directly to the internet would improve the situation.
AFAIK Wifi Direct has quite wide hardware support -- https://en.wikipedia.org/wiki/Wi-Fi_Direct. But few people know about it?
WiFi does not necessarily mean it's connected to the internet.
and enjoy your precious 1 hour of listening time.
The whole tcp/ip, wifi stack is at least a magnitude more complex than bluetooth one, and the wifi radio generally consumes more power.
Sometimes plugging a cord is a minor inconvenience.
But sometimes it's a large inconvenience
Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)
Some of us kept using OpenBSD (longer than they should’ve?) because of that and a few other related decisions.
So who is everyone, in your meaning?
You can't read English like if it was a declarative logical language. It is obviously an hyperbole to say "everyone". It means "a lot of people". So why they didn't say "a lot of people"? Language uses hyperboles to make a point stronger.
Some people use hyperbole to make a point, and some people see this as a red flag, and causes them to lose trust.
It comes up enough that I am comfortable saying that it feels like “everyone” to the OpenBSD devs.
https://news.ycombinator.com/item?id=25950845
https://news.ycombinator.com/item?id=45798439
> And everyone got mad at OpenBSD for refusing to develop bluetooth.
Alright, so when is OpenBSD patching out USB support? Such a giant exploit vector.
I didn't see a summary in here so based on my reading:
* Certain headset devices from varying vendors have crappy BT security over both bluetooth classic and BLE
* They implement a custom protocol called RACE which can do certain things with no authentication at all
* One of the things RACE lets you do is read arbitrary memory and exfiltrate keys needed to impersonate the vulnerable device with your already-paired phone
* Once you're impersonating the vulnerable device you can do all sorts of things on the paired phone like place/accept calls, listen on the microphone, etc.
So the way to mitigate this is to be certain you don't have one of the vulnerable peripherals or to disable BT. Note that the list of device models sounds *far* from complete because it's a chipset issue. Which makes me wonder if there are cars out there using this chipset and exposing the same vulns. I'd be very interested if anyone has a source on whether any cars use these chipsets.
Meanwhile all the phones dropping jack because Apple started it. Official reason is to "waterproof phones"
The most frustrating part is when Apple dropped the jack we laughed at the "courage" bit, Apple's given reasons where already seen as bullshit, Samsung had their finger pointing moment.
And it just went on, Apple weathered the critics, the other makers also dropped it, and at some point there was just nowhere to go for anyone still wanted a 3.5 jack with a decent phone.
I agree the loss of the 3.5mm jack is a short-sighted and poor decision. There is at least one mitigation, which is the ability to recover the jack through a USB-C DAC. Apple sells them for USD10. I have several, in the car and in my backpack.
It's not a good solution though. In particular I find the USB-C port gets worn out pretty quickly. Its also easy to lose the dongle and of course it's more complicated to setup. (I'm not sure how to articulate the "it's more complicated" part. Adding the dongle elevates the action of "plug in headphones" from something you can do without attention to something that requires attention, and I don't like that.)
Can't you just leave a dongle on any wired headphones you have? Assuming you only use them with your phone and computer and don't have a CD player or something.
> Assuming you only use them with your phone
This is really where it hits. Every other device has a proper jack, so the dongle needs to be kept somewhere every other time.
Also, seemingly without exception, the dongle itself is fragile and ends up causing constant crackling after a while.
Get a set of wired headphones without a built-in cord. Then you can use any USB-C to 3.5 male cord like normal.
You can't use a passive cable for this - there may be a USB-to-audio standard, but it's not widely implemented anymore. You need a DAC.
The jacks are a physical impediment for slim phones. An adapter costs $3 if you still want it. It’s not a bad trade.
I see the point for ultra slim phones. Except the only phones that are slim enough to have their thickest point thinner than that have only started to come up recently.
Imagine the same argument for USB-C: at some point phones will be too slim to allow for that port, should every maker start dropping it right now ? That would be nonsense.
On adapters, it's no panacea: you still want the USB port available. Split adapters exist, but most of them only allow for charging, and the charging rate is also usually miserable.
You could say people who appreciated that should just eat it and feel in their bones how much the world doesn't care about them, that would be fair. Now staying sour about it is also one's prerogative.
PS: The biggest part for me is every other devices I own still having a pretty good jack. Laptops still have it, game consoles, VR headsets, TVs, high fidelity portable players, cars etc. So keeping around a very good headphone pair is still an enjoyable thing, except for the damn phones. Even in XL sizes. They're the only one needing a dongle, and regardless of the price that sucks.
On slimness: wouldn't an alternative implementation be to "do the Magic Mouse" and put the USB C port on the back of the phone instead of the edge? Alternatively I could imagine MagSafe alignment / charging magnets plus an NFC like inductive communication (or contact pads) to allow for a range of "snap on" peripherals for phone backs that could be implemented on devices thinner than a USB C port.
If we really engineer around the same connector with extra thinness the best bet could be on partly open ports: if the phone covered 75% of the barrel circumference by left out the other 25% exposed I assume it would still work.
I see it through the same lens as the cassette players like the Toshiba KT-AS10 that left part of the cassette outside for the absolute minimal footprint:
https://qth.tzpfsokx.cloud/index.php?main_page=product_info&...
PS: there is a mini headphone jack standard, but I'm not sure it's any good. At least it would clear the DAC problem, just still need a dongle.
No, the connector is longer than it is tall.
Maybe, but Apple doesn’t make them thinner anyway so the argument is invalid. iPhone 6S with headphone jack: 7.1mm thick. iPhone 17 is 7.95mm thick.
Phones are already way slimmer than they should be. Now we have top-heavy "slim" phones with huge bulges for cameras*, 50% less battery life, reduced performance because of thermal issues, glued together in favor of screws and rubber seals, wasting weight and space on additional strengthening and internal routing.
Just because people think it looks neater than the more practical alternative.
The S2 had an amazing form factor - also with a small bulge, but at the bottom. It's a thousand times nicer to hold and carry than pretty much anything that came after. The S5 was fine too (waterproof AND you could pop open the back to swap the battery, if you can believe it!)
It's silly how much more ergonomic phones feel that don't have to compensate for an extra half millimeter.
* Many phones had this, but it's getting really bad now. Older phones typically also had the lens recessed to protect it, with a slim border around it. No more space for that now.
I'm not even sure people think that. Apple's marketing department thinks that, and other company marketing departments seem to be implementing some kind of master-slave architecture, where they are slave instances to Apple's master server. Does anybody really check specs and deliberately choose the thinner phone? Or do people just buy new iPhone regardless of whatever decisions they make just because having the last iPhone is cooler? Of course, I don't know, but I somehow really doubt it's the former.
3$ adapter will have low quality DAC
But the $9 Apple one is very high quality: https://www.audioreviews.org/apple-audio-adapter-review/
The DAC in Apple's $10 adapter is higher quality than most "audiophile" DACs because Apple has a larger R&D budget and is better at manufacturing than the entire audiophile industry combined.
Same for Google's, though it's slightly less good iirc.
They aren't perfect - the maximum volume and impedance are pretty low so you do need an amp to electrically drive insensitive headphones.
nah, they are on par with other $10 chinese DAC, which is quite achievement for Apple tbh. I guess Apple decided to not apply "Apple tax" to those dongle.
There’s a difference between the European version of the Apple dongle and other regions. The European version maxes out at 0.5 Vrms instead of 1 Vrms.
DACs are very cheap. The BOM gap between "This DAC barely works" and "It won't sound any better if we spend more" for a headphone DAC is probably a dollar or so. This isn't some 1980s analogue technology where we need to spring for the best materials to get good results, and the components needed are all readily available from many suppliers today.
Most ADCs in consumer products were crap anyway (with the exception of Apple, who for a long time used the widely beloved Wolfson DACs).
If you want actual quality... be ready to shell out a bit of money [1].
[1] https://www.amazon.de/Qudelix-Bluetooth-Adaptive-unsymmetris...
They’re just responding to the market. The vast majority of people don’t care about this. Personally, I’d rather have two minutes more battery life than a headphone jack.
It’s annoying to have non-mainstream preferences in an area where economies of scale mean every product needs to have mass market appeal. But you might as well complain about the tide coming in.
Do you have a source that supports your claim, that the market asked for 3.5 mm jacks to go away?
That's not what the parent commenter said. They said consumers don't care, not that they asked for the jacks to go away. You're misrepresenting.
But in terms of consumers not caring, yes:
https://www.androidauthority.com/ting-headphone-jack-survey-...
It's objectively not a popular feature or something the vast majority of consumers are looking for.
Most people prefer Bluetooth because you don't need to deal with annoying wires getting tangled, ripping your earbuds out, etc.
Again, it's not that the market asked for the jacks to go away, they just don't care. And when there's something that consumers don't care about, companies tend to remove it. The jack takes up volume. Not huge, but on phones every cubic millimeter counts. And it's one more thing that can break.
And if you really want a jack, there's a $9 adapter you can just keep attached to your headphones. So everyone wins.
The survey asks whether people care about the headphone jack, though – it asks whether it's in the top three features they care about.
I care plenty about the headphone jack but still reluctantly bought a phone without one (which I regret) because I have more than three requirements to balance. I expect that the users who did include the headphone jack in their top three features still care that e.g. the screen, battery and radio are all in working order as well, despite not being in their top three.
I understand the figured sense that you describe. It reverses the logical suite of cause and effect. Instead of describing the true cause (Apple chooses to drop the jack) and the consequence (customers "don't care", which I believe is wrong), the conveyed message blames those without a choice: "customers don't care, therefore we should drop the jack".
The survey that you link is built on the premise that "you can pick only three things at most" as a manipulative trick. And since the headphone jack doesn't make it to the top 3, you use it as claim that consumers do not care about the headphone jack. This is not reasoning or stating objective facts, this is just a cop-out.
My claim is that the vast majority of consumers still need at some point in their use of their phone a way to plug 3.5 jacks into their phones somehow, and just put up with the enshittified new way: either buy some bluetooth adapter dongle, or a USB-C low quality DAC, or just give up and find a different solution.
Why would Apple dropping the jack cause other phone makers to drop it, if their customers still want it?
1. Apple drops the headphone jack.
2. ???
3. Google Pixels don't have a headphone jack.
"few customers care" is not the democratic ideal you make it sound to be.
It's the same as glued batteries, unrepairable phones. Few customers making it an absolute criteria for their phone choice still doesn't make mean the majority sees it as a positive thing nor they agree. At the time on the android side, only Pixel and Samsung's lines were serious about the camera or international NFC support, moving to other phones just for the jack came with huge compromises that had nothing to do with the jack itself.
It’s a competitive market. If removable batteries mattered to a lot of people, some company would take advantage of that to make a lot of money.
Feature combinations aren’t immutable facts of nature. Manufacturers make a conscious choice about what to include. If a good camera and international NFC combined with a headphone jack would attract a lot of buyers, don’t you think Samsung or Google would make a phone like that to better compete?
It’s nothing to do with “democratic ideal.” It’s about understanding that companies want to make money and if a feature is desirable, they will leverage that in their quest to make money. Some may fail to understand what their customers want, but all of them? It’s not plausible.
> It's a competitive market.
Is it ?
We have a paper trail of lawsuits telling another story.
The "???" is "hey, Apple are doing it! since we already copy so many ideas from them, let's shave a few cents on the amp and jack receptacle, and if anyone complains, just claim that it's the trendy thing to do now".
And why didn't any of the multitude of phone makers say "turns out that people actually want a headphone jack, let's spend a few extra cents and steal all of our competitors' customers"?
"The Best Phones With an Actual Headphone Jack", Nov 2025 [1]
[1] https://www.wired.com/gallery/best-headphone-jack-phones/
Are these popular models? Pretty sure they aren’t. So there you go: people have a choice, and they largely choose not to get a headphone jack.
Almost like there were at least three other features more important.
The most important letters in English are E, T and A. I'm sure you won't notice if we remove H from all keyboards, right? After all, the survey says it's not in the top three. And given a choice between a keyboard without E and one without H, nobody buys the one without H, proving they really don't need the H.
Why wouldn’t some keyboard manufacturer realize that a lot of people actually do need all of the letters, sell a keyboard with all of them, and make bank?
This theory that people want headphone jacks and phone makers won’t provide them makes no sense. It requires phone makers to be so cost conscious that they’ll remove a desirable feature to save a few cents, yet simultaneously so clueless that they won’t take advantage of consumer preferences to beat their competition. This sort of thing happens with individual companies, but not with every single company in a competitive market with many competitors.
I don’t know why people can’t just accept that they have a minority preference. There’s nothing wrong with that. I’m sure it’s far from your only one (I have plenty of my own, just not this one). There’s nothing wrong with general complaints that the market doesn’t cater to your minority preference. But arguing that it’s actually the majority, when it plainly isn’t, it just weird.
> Most people prefer Bluetooth because you don't need to deal with annoying wires getting tangled, ripping your earbuds out, etc.
Thanks for this summary. I feel sad to be in a minority who prefer wired headphones. For me it's because all their failures you listed are issues I can understand and mitigate. But when bluetooth goes wrong, what do I do? Usually:
1. turn off both devices and then turn them back on again 2. try to reconnect 3. if step 2 failed, give up and try again another day
I don't learn anything. I feel infantilised and helpless.
Yeah, I think that's why a lot of people stick to same-brand or trusted brands -- AirPods "just work" with iPhones, in ways that other Bluetooth earbuds don't always.
The source is the fact that very few phones have them.
There isn't some grand conspiracy to keep headphone jacks out of phones. Why would they do that? You think Samsung or Google wouldn't jump at the chance to sell more phones by putting in a headphone jack, if that would actually help them compete? No, the reason few phones have one is because few people care about it, at least enough to influence their purchasing decisions.
There are plenty of examples of market failures in the world where lack of competition or information prevents consumer preferences from being reflected in product offerings. But smartphone hardware is definitely not one of them.
This has been a lie since day one. The Sony Xperia line has been waterproof for over 10 years and continues to have a headphone jack and an SD card slot. That with their minimal Android tweaks is the main reason to even consider their phones.
It's not the official reason, but also worth noting that many waterproof devices have headphone jacks.
The official reason was, famously and ridiculously, "courage". Apple further explained that space is at a premium, listed the many things competing for that space, and noted that a large, single-purpose legacy connector no longer made sense.
A lot of Apple's strategic choices are driven by products that take 5, 10, or sometimes 20 years to realize. For example, the forthcoming foldable iPhone (and the proving ground for many related decisions, the iPhone Air) was on roadmaps literally a decade before a decision like this reverberates through released products.
Putting a high-quality DAC in a dongle wasn't a terrible solution (many phones with analog jacks have poor ones), and today hundreds of headphones¹ courageously have native USB-C support.
¹ https://www.bhphotovideo.com/c/products/usb-c-headphones/ci/...
Apple is very late to the foldable phones now, not sure that's the best example
> Apple is very late to the foldable phones now, not sure that's the best example
“PC guys are not going to just figure this out. They’re not going to just walk in.” — Palm CEO Ed Colligan, 2006, https://www.engadget.com/2006-11-21-palms-ed-colligan-laughs...
“A wizard is never late, nor is he early, he arrives precisely when he means to.” — Gandalf the Gray
:)
By "late", I mean they are starting to lose market share because of that in some regions, that kind of late.
Regardless, the point of mentioning it is that Apple commonly makes decisions that can seem bizarre to people who don't consider systemic and longer-term reasons why they might've been made. Another micro-example of this that comes to mind is Tahoe's mostly-reviled chonky window borders, which along with many other gradual UX changes over years, absolutely foreshadow touchscreen Macbooks.
They've also been late sometimes and had to change by force their assumptions, the first app store in iOS was cydia and a lot of what we consider modern iOS design was copied over from the jailbreaking community.
I just don’t know a single real person that still wants to use wired earphones with their phone. To me it’s the same as complaining that an artist only has CDs, not records.
I want to use the extremely simple and reliable direct interface and inexpensive cheap earphones and patch cables that I can buy in any reasonable electronics store for low markup. They are all passive components.
Adding an external sound card introduces variables outside of manufacture control, the quality, latency, and drive power all at the mercy of some random integrator.
My phone is easily thick enough to accommodate a 3.5mm port, and it can't be that difficult to waterproof such a jack, which should also make reasonable cleaning easy if it's ever required.
The security, performance, usability and reliability of wired headphones will always be superior to wireless. There is just no substitute for the simplicity of an uninterrupted piece of copper carrying an analog signal. The convenience of having no wires simply isn't worth the downgrade in these other aspects.
Wired headphones have no latency. AptX-LL are rare in the good quality headsets.
I don't have time right now to watch the video and will be coming back to do so later, but here's a couple of snippets from the text on that page that made me want to bother watching (either they're overhyping it, or it sounds interesting and significant)
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
Here's an excerpt from [1]:
> Step 1: Connect (CVE-20700/20701) The attacker is in physical proximity and silently connects to a pair of headphones via BLE or Classic Bluetooth.
> Step 2: Exfiltrate (CVE-20702) Using the unauthenticated connection, the attacker uses the RACE protocol to (partially) dump the flash memory of the headphones.
> Step 3: Extract Inside that memory dump resides a connection table. This table includes the names and addresses of paired devices. More importantly, it also contains the Bluetooth Link Key. This is the cryptographic secret that a phone and headphones use to recognize and trust each other.
> Note: Once the attacker has this key, they no longer need access to the headphones.
> Step 4: Impersonate The attacker’s device now connects to the targets phone, pretending to be the trusted headphones. This involves spoofing the headphones Bluetooth address and using the extracted link-key.
> Once connected to the phone the attacker can proceed to interact with it from the privileged position of a trusted peripheral.
I couldn't find anything from Sony confirming that these specific vulnerabilities had been patched, so i tried to reproduce the steps from the whitepaper using nRF Connect [1] with my Sony WH-1000XM4 on the latest firmware version.
There was no response to the Get Build Version command, and the Read Flash command returned an error. So tentatively (with false negatives possible), it seems to have been patched on Sony devices. I don't have a linux box with bluetooth handy ATM so I didn't try using the race-toolkit directly.
[1] https://static.ernw.de/whitepaper/ERNW_White_Paper_74_1.0.pd...
WH-1000XM4 isn't on the list of affected devices though, does it have the same chip?
Yes it is, page 29 of that PDF lists it:
- Sony WH-1000XM4
Thank you. My bad.
Haven't watched the video yet, but I think this capability was leaked by VP Kamala Harris during her recent interview with the Late Night Show [0]. She stated she doesn't use wireless headphones because she's been in security meetings and knows they're not safe.
[0] https://youtu.be/BD8Nf09z_38 (Timestamp 18:40)
Disclaimer: This comment is not intended to be political - I don't care about the specific party she's part of.
Out of all the people I would trust on the matter, Kamala Harris doesn't certainly end up at the top of my list, for reasons such as this one: https://youtu.be/O2SLyBL2kdM?si=Zq-EN8zxj4Y_UCwI
You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies
What she says isn't necessary untrue, now is it? She just skips a lot of steps most people have no clue about.
I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.
It isn't about trust. There's no need to trust Kamala Harris in order to heed "wireless headphones probably have a legitimate security risk." And we know that even if she's a complete moron in this topic area, she's advised by people who should know. Even if you put no stock in her opinion, there is zero security downside (and an awful lot of common sense benefit) to additional caution.
Even before this report, I had a vague feeling that there were probably some security issues with BT headsets, and now it's confirmed in a very concrete way. So whether she is stupid or not, Kamala was right about this.
I think many people would be justified in making the argument that bluetooth has existed for at least 20 years and thus is the established battle tested protocol.
Yeah, but Bluetooth spec changed a lot over the years (3000+ pages) and the certification price is rather expensive.
There's an interesting article from Wired [1] about this, although some interesting comments from the engineers working on BT stacks are far more interesting. It seems like most of the manufacturers do not create spec-compliant devices, and that the tests from the certification are just poor.
I'd love to hear more from an expert on the topic, but this looks to be the consensus.
I'm by no means an expert, but I've recently implemented a small BLE based IoT device, and had a look at the security/privacy of a medical BLE device.
Some points:
* there's a real lack of quality, up-to-date documentation. I would have thought that at least on Linux you'd find some documentation, but most of it seems to be "RTFS".
* BLE is in general very unfamiliar to most developers. There's no client and server, there's central and peripheral. GATT profiles are a mix between TCP connections and binary REST-ish interface.
* Encryption/authentication is possible, but depending on the manufacturer's API/quality of documentation it's not really apparent a. how to select a secure connection method b. how to even check if and which authentication/encryption was chosen
* Coming from the previous point, many BLE devices have the same generic GATT profiles, sometimes with the same sample data. This looks like a lot of BLE devices just copy&pasted sample code from the manufacturer and added the minimal changes "to make it work"
* It's probably really easy to do passive/active fingerprinting to find out the manufacturer and/or chip version used in a device. Default services, ordering of advertising options etc
* Many BLE devices are not conformant. Uninitialised name fields with garbage in them ("Device Name: WHOOP\020��=u5״\023n"), manufacturers using random identifiers that clearly don't belong to them
* when doing passive BLE sniffing: the biggest obstacle isn't getting data. It's how to filter it. One of the most useful filters of the nRF Connect app for android is to filter out all advertisement packages for apple and ms devices, to cut down the overwhelming amount of such devices
I think people are generally aware of how low quality the Bluetooth protocol suite is though so maybe they'd guess that extends to security too.
I definitely remember lots of folk security advice to keep bluetooth off on your phone back when smartphones were new (nobody does that now though, and Android auto-enables it these days).
> doesn't certainly end up at the top of my list
There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.
However the individual in question is not delusional or conspiratorial, and we know for sure that they are receiving advice or restrictions from extremely well-informed sources, so there's every reason to believe they are (lo-fi) repeating that.
>There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.
Jimmy Carter was a very smart guy, but he was not a nuclear engineer.
https://atomicinsights.com/jimmy-carter-never-served-nuclear...
Interesting, it looks more complicated than I realized. "Nuclear engineer" might be too colloqualized, a la "software engineer". (perish the thought!)
But he was an engineer who was trained to operate nuclear facilities on subs. With a few more months of service he would have qualified for the label "nuclear engineer" without any asterisks.
And what even was a "nuclear engineer" in the early 1950s? The field was new enough that the titles were probably not well settled.
Tha National Academy of Engineering says:
> A graduate of the U.S. Naval Academy and a trained nuclear engineer
https://www.nae.edu/19579/31222/20054/327746/331204/Jimmy-Ca...
US Navy history says:
> He served as executive officer, engineering officer, and electronics repair officer on the submarine SSK-1. When Admiral Hyman G. Rickover (then a captain) started his program to create nuclear-powered submarines, Carter wanted to join the program and was interviewed and selected by Rickover. Carter was promoted to lieutenant and from 3 November 1952 to 1 March 1953, he served on temporary duty with the Naval Reactors Branch, U.S. Atomic Energy Commission, Washington, D.C., to assist "in the design and development of nuclear propulsion plants for naval vessels."
> From 1 March to 8 October 1953, Carter was preparing to become the engineering officer for USS Seawolf (SSN-575), one of the first submarines to operate on atomic power. However, when his father died in July 1953, Carter resigned from the Navy and returned to Georgia to manage his family interests.
https://www.history.navy.mil/browse-by-topic/people/presiden...
It's essentially a statement about the view of gov security, not about the view of an individual.
you have a tracking "si=..." parameter in the youtube link
Too late to edit. I missed that, sorry!
I guess what she was trying to say is "Anything wireless is bad in term of security". We don't really know whether the bad guy already has technology to decode wireless protocol we are going to use, so it's best to assume they already have and reduce the attack surface for them.
There is little encryption being done by bluetooth, while wifi, many layers add their own encryption to the data.
Regular Bluetooth security is not that great. A lot of it is poor usability where the user can't easily know that they don't have a secure connection. Setting up a secure connection might involve entering a PIN on each end of the connection which might be challenging for something like a pair of earbuds. This contains a nice discussion of the issues and talks about active attacks:
> this capability was leaked
I think the policy Harris is referring to is based on the _risk_ of something like this - it is easy to imagine wireless devices being vulnerable and enabling this capability - rather than being based on definitive existence of this capability.
The government also doesn't let people conduct sensitive or classified conversations over un-certified protocols or devices. Unless the NSA was participating in the bluetooth encryption standards decisions they aren't going to allow those devices to be used by the President or VP. IMHO though, it's probably more that there were security trade-offs made when developing the standards and the government isn't OK with those types of trade-offs. It doesn't mean they're horrible, just that they aren't verified to be secure enough for sensitive governmental purposes.
It seems this vuln was already publicized in june, or is that interview from earlier?
My brother [0] is a state judge whom uses a typewriter specifically for OpSec.
Because he also knows a thing or two about technology. His agency won't even allow him use an iPhone (for official business).
[0] Dude is decades away from retirement, not even close to "Boomer"
A bit irritating to see people ruining the demo by calling the phone number
IMO anything related to Bluetooth should be destroyed.
https://www.bleepingcomputer.com/news/security/undocumented-...
> We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
Can't watch the video now. But I wonder to what extent they can take over a smartphone? Can they make a headphone look like a keyboard/mouse, for example?
Second question: can the whole problem be remedied by installing a firmware update?
This is probably going to make some state actors unhappy.
Probably a combination of happy and unhappy, depending on which state actor, and who knew about the exploit.
Razer isn't mentioned, but I know they're using Airoha AB1571DN in Blackshark V3 Pro transmitter. Not sure what is on the headset end.
Don't see any mentions on their last firmware update, and I can't find older ones.
Most audiophiles ignore bluetooth headphones due to sound quality + latency, so we (audiophiles) stick to wired at home and we also have dedicated headphone amps since the pissy sound card D/A convertors are incredibly bad. Bluetooth only when I’m doing yard work. Sadly, modern music is tuned to crappy headphones, crappy car systems, crappy speakers … I miss the 80’s audiophile obsession, the equipment had heart, and mixing and mastering was generations ahead of current (mainstream) music production.
- Apple has a lossless codec for wireless, ALAC that can do up to 24bit/192khz
- aptX can do 44/16 in other devices, Sony has LDAC at 24/96 too
- latency under <100ms is meaningless for pure audio listening, video players have latency compensation
We have amazing technology available today, at prices and quality unimaginable in the 80s. A $50 in-ear from a chinese hi-fi brand can give you an audio experience you couldn’t buy for thousands of dollars a decade ago. And there’s more and more analog hardware being designed and built as technology costs have fallen. You’re really missing out if you think things were better back then.
> - Apple has a lossless codec for wireless, ALAC that can do up to 24bit/192khz
Only Vision Pro has wireless lossless audio and it works because it's right next to the AirPods.
But your phone can passthrough AAC over Bluetooth as long as it doesn't have to mix system sounds or anything in.
"Sound quality" is a theoretical goal which can't be achieved in practice unless you listen in a perfectly quiet room. Your audiophile open-back headphones can't achieve their rated sound quality if eg there's a CPU fan in the room, or if you're wearing glasses, or if your head just doesn't fit the headphones the same way as the tester's dummy head mic did.
I think many still recognise the train, car, going for a run / cycle, gym… isn’t an optimum listening environment and the convenience significantly outweighs AQ in a lot of situations.
I'm really enjoying my Focal Bathys Bluetooth headphones! Sure, wired options will always be better, but when I want convenience, I've been really impressed with these!
What does audio have to do with this post?
GP seems to mean that if people cared about audio quality, they would not use bluetooth in the first place?
Audiophiles tend to have firm stances on what is acceptable or not, I find.
There are also some amazing cables available in the space. Especially the digital cables, they are really amazing.
A friend worked in an audiophile shop during his physics master and he'd swear the customer base was the most gullible bunch he ever saw... And mostly unswayable by rational arguments.
In any case someone ought to shear the sheep....
I suspect some of that disconnect is because hearing itself isn’t standardized. Differences in frequency perception, hearing loss, and training can make two people genuinely hear different things.
Of course people have different hearing, but the audiophile market is overflowing with snake-oil stuff like 'oxygen free copper' cables to 'acoustic resonator discs'. Nobody's proven any of that stuff results in better sound quality (or even different quality after you graduate from junk stuff to reasonable equipment). Seems like an awfully expensive way of experiencing the placebo effect to me.
I know someone who spent upwards of $10k on a single 3-foot HDMI cable that was 'infused with Peruvian copper'. He says it makes the colors "more true".
I previously posted the repo here:
Why not just link to the repo directly? That post only has one comment.
Here’s the repo (to save everyone a click):
It is somewhat of a custom that the person who posts about a thing first gets the Karma, but it is seldom respected, and I won't beg for it. But I do sometimes hint at it.
You'd think Sony would have learned from the PSN debacle, but alas...
Now I need to setup to check if my headphones are still vulnerable...
Ok, so TL;DR: there's nothing that can be done about it? Just hoping that nobody (like not a single random person, eh) around me knows about that?
What about B bluetooth keyboards and touchid
This is just a chip with debug mode left on and does not allow anyone to hijack audio stream or anything interesting. (Just in case anyone’s checking the comments because they don’t want to watch a long ass video and they notice all the comments are essentially off topic)
checking my understanding: this vuln is in the firmware for specific airoha chipsets; e.g. if a bluetooth device is listed as using a qualcomm chipset then it's unaffected by this specific vuln?
... though I wouldn't be surprised if we see a burst of similar disclosures for other manufacturers in the next year or so
Ah yes, the removal of headphone jacks, the gift that keeps on giving
Funny that there were always some people here pushing bt audio as "the future", whom I can only assume were the technically shallow but very opinionated people that would die on the smallest technical hills
I'd assume that most people wouldn't want to get back to wired headphones.
Transition period was definitely rough, but nowadays bluetooth headphones are substantially better than they were in the past, and it's quite freeing to not have to deal with wires.
There are definitely benefits to wired headphones, such as better audio quality and no battery life to worry about, but for those cases there are USB-C DACs.
I still use wired headphones. This bluetooth vulnerability makes me laugh.
https://biggaybunny.tumblr.com/post/166787080920/tech-enthus...
Brand new devices' batteries are awesome but wear off and need to be changed at some point, if A) the device is designed to let you do that and B) the battery is still in production.
You don't really own a wireless headphone. You can see it as a rent, or an ownership that loose its capability when in use.
>A) the device is designed to let you do that
This is simply wrong. Apple airpod was not designed to replace battery(they use tons of glue), yet many repair shop still offer service to replace battery for them.
>B) the battery is still in production
The industry is kind of converging into using standard "coil cell" battery for their headphone
It's not like wired earbuds/headphones are invincible either. I've had a few wired ones lost due to cable damage, which constitutes more casualties than my wireless inventory, including noticeable charge loss. Of course, there are a lot more cheap wired options with replaceable cables now, thanks to Moondrop and gang.
I really wish the debate was more than jack vs Bluetooth, and more wired fans would consider supporting devices with multiple USB-C ports. Yeah, Sony still puts a jack on Xperias, but most audiophiles note that it's driven by Snapdragon's mediocre integrated DAC, possibly because Sony doesn't want it to compete with Walkmans. Yeah, Valve puts a jack on the Steam Deck, but SD OLED's jack has interference issues that users need to fix with electrical tape or loosening screws. If these devices had two USB ports, then it would be easy to use a better DAC with no interference issues (while also charging with a cable attached to the other port). Having a second USB port would increase device life, and tie wired earbuds/headphones to a more durable standard that's actively developed and backed by legislation. We know this is possible for phones because ASUS ROG Phone has 2 USB ports.
The word you are looking for is not “rent” but depreciation.
Sure, but I am totally willing to make that tradeoff, and when my earbuds die, I buy new wireless earbuds, not permanently switch to some wired headphones I have lying around (mostly just in case, to not be left hanging if my earbuds suddenly die). I didn't know that before I started using wireless stuff, but now I do. Because, you know, I can change my T-shirt, maybe even take a shower, and start cooking something in the kitchen without pausing that audiobook, all while my phone is charging in another room.
I am even cautiously aware that people have lost their hearing, because damn LiOH exploded in their ear. That's much scarier than knowing I will have to buy new earbuds in a couple of years. Didn't stop me using them either.
Thanks god the headphone jacks died in smartphones.
I switched to USB-C soundcard cables which are dirt cheap and survive much much more plug-unplug-cycles. They easily can be replaced.
USB-C is creepy in its own way, because it lets the host computer uniquely identify each pair of headphones. Even my USB-C-to-3.5mm adapter has a USB descriptor field whose key is a UUID and whose value is the adapter's manufacture time in an ISO timestamp down to the second it got programmed at the factory.
The epidemic of people not wearing headphones has been directly caused by the lack of headphone jacks
I see more people with headphones now that BT headphones are everywhere...
I find that people speaking very loudly into their wireless headsets wherever they are and whomever they are with is a bigger nuisance.
When you speak to someone in person, you'd adjust the volume of your voice to the room and the recipient without thinking about doing it. The engineers who built the analogue phone system were aware of this effect, and made it so that you heard yourself in the handset's speaker. The engineers who designed the cell phone standards decided to ignore this so they could do more echo-cancellation.
It is not a big problem when people are speaking into a slate-shaped cell phone, but when people wear headphones that attenuates their own voice, they hear themselves less and speak extra loudly to compensate.
A couple days ago there was a bit of a conversation about this, you might find it interesting. It seems this feeling (to the point of calling it an "epidemic"!) might be caused by the known bias of thinking that earlier times were better:
LOL. People not using headphones in public are narcissistic a-holes, but they’ve been doing it since *long* before headphone jacks went missing from smartphones.
It’s even noted as a problem in the beloved, acclaimed piece of cinema - Star Trek IV : The Voyage Home.
Shame on Airoha. Terrible security pracices.