Bluetooth Headphone Jacking: a Key to Your Phone [video]
Key topics
A recent video presentation has sparked a heated discussion around Bluetooth headphone security, revealing a vulnerability that allows attackers to connect to headphones via Bluetooth and potentially access sensitive data. Commenters are dissecting the issue, with some pointing out that the problem lies not with Bluetooth itself, but with a specific chip manufacturer's decision to ship a wireless debug interface with no authentication. The conversation has also veered into a debate about the trade-offs between convenience and security, with some users sharing their own experiences of the hassles of using wired earbuds. As the discussion unfolds, a surprising consensus is emerging: the "race to the bottom" in Bluetooth development has left significant security gaps.
Snapshot generated from the HN discussion
Discussion activity: very active discussion, based on 160 loaded comments (average of 20 comments per period).
Story posted: Jan 1, 2026 at 6:17 AM EST
First comment: Jan 1, 2026 at 7:46 AM EST (1h after posting)
Peak activity: 104 comments in the first 0-12h, the hottest window of the conversation
Latest activity: Jan 5, 2026 at 8:43 PM EST
> The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.
> This presentation will give an overview over the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices.
[...]
> It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.
> Step 1: Connect (CVE-20700/20701) The attacker is in physical proximity and silently connects to a pair of headphones via BLE or Classic Bluetooth.
> Step 2: Exfiltrate (CVE-20702) Using the unauthenticated connection, the attacker uses the RACE protocol to (partially) dump the flash memory of the headphones.
> Step 3: Extract Inside that memory dump resides a connection table. This table includes the names and addresses of paired devices. More importantly, it also contains the Bluetooth Link Key. This is the cryptographic secret that a phone and headphones use to recognize and trust each other.
> Note: Once the attacker has this key, they no longer need access to the headphones.
> Step 4: Impersonate The attacker’s device now connects to the target's phone, pretending to be the trusted headphones. This involves spoofing the headphones' Bluetooth address and using the extracted link key.
> Once connected to the phone the attacker can proceed to interact with it from the privileged position of a trusted peripheral.
[1] https://news.ycombinator.com/item?id=46454740
It’s a messy standard and we shouldn’t be surprised that the race to the bottom has left some major gaps.. though Sony WH1000’s are premium tier hardware and they have no real excuses..
I always wondered how people could justify the growth of the bluetooth headphone market in such a way.. I’m guilty of buying into it too (I own both Airpods Pro’s and the affected Sony WH1000-XM5) but part of me has always known that bluetooth is just hacks on hacks… I allowed myself to be persuaded due to popularity. Scary.
So who is everyone, in your meaning?
https://news.ycombinator.com/item?id=25950845
https://news.ycombinator.com/item?id=45798439
https://news.ycombinator.com/item?id=34667522
https://news.ycombinator.com/item?id=43144607
But sometimes it's a large inconvenience
Example: if I'm using my laptop for work but at a slightly longer distance (think, using external monitor/keyboard) then it gets annoying (cord has to hang from the connection, or it gets between you and the keyboard, etc)
It tells more about human nature than about a company.
One thing less to worry about.
The whole tcp/ip, wifi stack is at least a magnitude more complex than the bluetooth one, and the wifi radio generally consumes more power.
and
"One less thing to worry about"
These are not compatible statements. :)
Is it scary? Bluetooth is wildly convenient, and mostly works most of the time. There are definite software issues, and there are security issues, but for most of us, we're not going to run into them that often. (Well, ok - maybe not for most of the people on this site.)
I'm going to continue using my bluetooth headphones, because the odds of a nefarious hacker with a linux laptop attacking me directly are wildly low. In terms of security, my time & money would be better spent buying a steering-wheel lock bar for my car, or a mechanical timer that will turn the lights on & off in my house randomly at night.
Alright, so when is OpenBSD patching out USB support? Such a giant exploit vector.
A lot of Apple's strategic choices are driven by products that take 5, 10, or sometimes 20 years to realize. For example, the forthcoming foldable iPhone (and the proving ground for many related decisions, the iPhone Air) was on roadmaps literally a decade before a decision like this reverberates through released products.
Putting a high-quality DAC in a dongle wasn't a terrible solution (many phones with analog jacks have poor ones), and today hundreds of headphones¹ courageously have native USB-C support.
¹ https://www.bhphotovideo.com/c/products/usb-c-headphones/ci/...
“PC guys are not going to just figure this out. They’re not going to just walk in.” — Palm CEO Ed Colligan, 2006, https://www.engadget.com/2006-11-21-palms-ed-colligan-laughs...
“A wizard is never late, nor is he early, he arrives precisely when he means to.” — Gandalf the Gray
:)
And it just went on, Apple weathered the critics, the other makers also dropped it, and at some point there was just nowhere to go for anyone who still wanted a 3.5 jack with a decent phone.
It's not a good solution though. In particular I find the USB-C port gets worn out pretty quickly. It's also easy to lose the dongle and of course it's more complicated to set up. (I'm not sure how to articulate the "it's more complicated" part. I think adding the dongle pulls the action of "plug in headphones" from something you can do without attention to something that requires attention, and I don't think that.)
This is really where it hits. Every other device has a proper jack, so the dongle needs to be kept somewhere every other time.
I listen to music on earbuds on my phone on the go, a laptop at a cafe, and on my computer at my desk - all these have USB-C.
Even modern DAPs like Sony Walkman have USB-C as they are typically based on Android.
That leaves all the "legacy" devices that only a small minority use - home hi-fi stacks, vinyl record players, iPods, CD players, minidisc players?
Same for Google's, though it's slightly less good iirc.
They aren't perfect - the maximum volume and impedance are pretty low so you do need an amp to electrically drive insensitive headphones.
Imagine the same argument for USB-C: at some point phones will be too slim to allow for that port, should every maker start dropping it right now ? That would be nonsense.
On adapters, it's no panacea: you still want the USB port available. Split adapters exist, but most of them only allow for charging, and the charging rate is also usually miserable.
You could say people who appreciated that should just eat it and feel in their bones how much the world doesn't care about them, that would be fair. Now staying sour about it is also one's prerogative.
PS: The biggest part for me is every other device I own still having a pretty good jack. Laptops still have it, game consoles, VR headsets, TVs, high fidelity portable players, cars etc. So keeping around a very good headphone pair is still an enjoyable thing, except for the damn phones. They're the only ones needing a dongle, and regardless of the price that sucks.
I see it through the same lens as the cassette players like the Toshiba KT-AS10 that left part of the cassette outside for the absolute minimal footprint:
https://qth.tzpfsokx.cloud/index.php?main_page=product_info&...
PS: there is a mini headphone jack standard, but I'm not sure it's any good. At least it would clear the DAC problem, just still need a dongle.
Just because people think it looks neater than the more reasonable alternative.
It’s annoying to have non-mainstream preferences in an area where economies of scale mean every product needs to have mass market appeal. But you might as well complain about the tide coming in.
But in terms of consumers not caring, yes:
https://www.androidauthority.com/ting-headphone-jack-survey-...
It's objectively not a popular feature or something the vast majority of consumers are looking for.
Most people prefer Bluetooth because you don't need to deal with annoying wires getting tangled, ripping your earbuds out, etc.
Again, it's not that the market asked for the jacks to go away, they just don't care. And when there's something that consumers don't care about, companies tend to remove it. The jack takes up volume. A small amount, but on phones every cubic millimeter counts. And it's one more thing that can break.
Thanks for this summary. I feel sad to be in a minority who prefer wired headphones. For me it's because all their failures you listed are issues I can understand and mitigate. But when bluetooth goes wrong, what do I do? Usually:
1. turn off both devices and then turn them back on again
2. try to reconnect
3. if step 2 failed, give up and try again another day
I don't learn anything. I feel infantilised and helpless.
The survey that you link is built on the premise that "you can pick only three things at most" as a manipulative trick. And since the headphone jack doesn't make it to the top 3, you use it as a claim that consumers do not care about the headphone jack. This is not reasoning or stating objective facts, this is just a cop-out.
My claim is that the vast majority of consumers still need at some point in their use of their phone a way to plug 3.5 jacks into their phones somehow, and just put up with the enshittified new way: either buy some bluetooth adapter dongle, or a USB-C low quality DAC, or just give up and find a different solution.
[1] https://www.wired.com/gallery/best-headphone-jack-phones/
It's the same as glued batteries, unrepairable phones. Few customers making it an absolute criterion for their phone choice still doesn't mean the majority sees it as a positive thing nor that they agree. At the time on the android side, only Pixel and Samsung's lines were serious about the camera or international NFC support, moving to other phones just for the jack came with huge compromises that had nothing to do with the jack itself.
Feature combinations aren’t immutable facts of nature. Manufacturers make a conscious choice about what to include. If a good camera and international NFC combined with a headphone jack would attract a lot of buyers, don’t you think Samsung or Google would make a phone like that to better compete?
It’s nothing to do with “democratic ideal.” It’s about understanding that companies want to make money and if a feature is desirable, they will leverage that in their quest to make money. Some may fail to understand what their customers want, but all of them? It’s not plausible.
Is it ?
We have a paper trail of lawsuits telling another story.
There isn't some grand conspiracy to keep headphone jacks out of phones. Why would they do that? You think Samsung or Google wouldn't jump at the chance to sell more phones by putting in a headphone jack, if that would actually help them compete? No, the reason few phones have one is because few people care about it, at least enough to influence their purchasing decisions.
There are plenty of examples of market failures in the world where lack of competition or information prevents consumer preferences from being reflected in product offerings. But smartphone hardware is definitely not one of them.
If you want actual quality... be ready to shell out a bit of money [1].
[1] https://www.amazon.de/Qudelix-Bluetooth-Adaptive-unsymmetris...
Adding an external sound card introduces variables outside of manufacturer control; the quality, latency, and drive power are all at the mercy of some random integrator.
My phone is easily thick enough to accommodate a 3.5mm port, and it can't be that difficult to waterproof such a jack, which should also make reasonable cleaning easy if it's ever required.
When I use my Sony XM4 Bluetooth headphones, the latency is noticeable. Watching videos, the lips don't match the audio. Playing games, I see things before I hear them. It's probably in the ~150-200 ms range for latency.
While gaming, I use a different set of wireless headphones that use a proprietary dongle. If they have any latency at all, I don't notice it.
Also of note is that I used to care a lot about sound quality, and owned very expensive wired IEMs until 2 years ago. I was annoyed when I switched to a phone without a jack, but now I’m used to it and don’t particularly miss it.
If we're going to pick nits, no it didn't. And the fact that I'm in a minority (which I definitely am) is what's irrelevant. The comment seemed to be doubting the existence of this preference, and I gave an example of its existence.
Funny that there were always some people here pushing bt audio as "the future", whom I can only assume were the technically shallow but very opinionated people that would die on the smallest technical hills
I switched to USB-C soundcard cables which are dirt cheap and survive much much more plug-unplug-cycles. They easily can be replaced.
When you speak to someone in person, you'd adjust the volume of your voice to the room and the recipient without thinking about doing it. The engineers who built the analogue phone system were aware of this effect, and made it so that you heard yourself in the handset's speaker. The engineers who designed the cell phone standards decided to ignore this so they could do more echo-cancellation.
It is not a big problem when people are speaking into a slate-shaped cell phone, but when people wear headphones that attenuate their own voice, they hear themselves less and speak extra loudly to compensate.
https://news.ycombinator.com/item?id=46424228
Transition period was definitely rough, but nowadays bluetooth headphones are substantially better than they were in the past, and it's quite freeing to not have to deal with wires.
There are definitely benefits to wired headphones, such as better audio quality and no battery life to worry about, but for those cases there are USB-C DACs.
You don't really own a wireless headphone. You can see it as a rental, or an ownership that loses its capability when in use.
This is simply wrong. Apple AirPods were not designed for battery replacement (they use tons of glue), yet many repair shops still offer a service to replace the battery for them.
>B) the battery is still in production
The industry is kind of converging on using standard "coin cell" batteries for their headphones.
I really wish the debate was more than jack vs Bluetooth, and more wired fans would consider supporting devices with multiple USB-C ports. Yeah, Sony still puts a jack on Xperias, but most audiophiles note that it's driven by Snapdragon's mediocre integrated DAC, possibly because Sony doesn't want it to compete with Walkmans. Yeah, Valve puts a jack on the Steam Deck, but SD OLED's jack has interference issues that users need to fix with electrical tape or loosening screws. If these devices had two USB ports, then it would be easy to use a better DAC with no interference issues (while also charging with a cable attached to the other port). Having a second USB port would increase device life, and tie wired earbuds/headphones to a more durable standard that's actively developed and backed by legislation. We know this is possible for phones because ASUS ROG Phone has 2 USB ports.
I am even cautiously aware that people have lost their hearing, because damn LiOH exploded in their ear. That's much scarier than knowing I will have to buy new earbuds in a couple of years. Didn't stop me using them either.
https://biggaybunny.tumblr.com/post/166787080920/tech-enthus...
[0] https://youtu.be/BD8Nf09z_38 (Timestamp 18:40)
Out of all the people I would trust on the matter, Kamala Harris certainly doesn't end up at the top of my list, for reasons such as this one: https://youtu.be/O2SLyBL2kdM?si=Zq-EN8zxj4Y_UCwI
You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies
There's an interesting article from Wired [1] about this, although some interesting comments from the engineers working on BT stacks are far more interesting. It seems like most of the manufacturers do not create spec-compliant devices, and that the tests from the certification are just poor.
I'd love to hear more from an expert on the topic, but this looks to be the consensus.
[1]: https://archive.ph/6201V
Some points:
* there's a real lack of quality, up-to-date documentation. I would have thought that at least on Linux you'd find some documentation, but most of it seems to be "RTFS".
* BLE is in general very unfamiliar to most developers. There's no client and server, there's central and peripheral. GATT profiles are a mix between TCP connections and binary REST-ish interface.
* Encryption/authentication is possible, but depending on the manufacturer's API/quality of documentation it's not really apparent a. how to select a secure connection method b. how to even check if and which authentication/encryption was chosen
* Coming from the previous point, many BLE devices have the same generic GATT profiles, sometimes with the same sample data. This looks like a lot of BLE devices just copy&pasted sample code from the manufacturer and added the minimal changes "to make it work"
* It's probably really easy to do passive/active fingerprinting to find out the manufacturer and/or chip version used in a device. Default services, ordering of advertising options etc
* Many BLE devices are not conformant. Uninitialised name fields with garbage in them ("Device Name: WHOOP\020��=u5״\023n"), manufacturers using random identifiers that clearly don't belong to them
* when doing passive BLE sniffing: the biggest obstacle isn't getting data. It's how to filter it. One of the most useful filters of the nRF Connect app for android is to filter out all advertisement packages for apple and ms devices, to cut down the overwhelming amount of such devices
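As an added example (not code from the thread, from nRF Connect, or from any tool mentioned in it), the following Python shows what the "filter out Apple and Microsoft advertisements" step looks like when applied to raw BLE advertising data, and how a parser copes with the truncated or garbage-filled name fields the previous points describe. The AD type codes and the two company identifiers are Bluetooth SIG assigned numbers; every payload below is constructed, not captured.

```python
"""Parse BLE advertising payloads and filter out noisy vendors.

Added example, not from the thread or any tool it mentions. All payloads
are constructed for illustration.
"""
from typing import List, Optional, Tuple

# Bluetooth SIG assigned AD types (Core Specification Supplement, part A).
AD_FLAGS = 0x01
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_MANUFACTURER = 0xFF

# Bluetooth SIG company identifiers; stored little-endian in the payload.
COMPANY_APPLE = 0x004C
COMPANY_MICROSOFT = 0x0006

ADStructure = Tuple[int, bytes]


def parse_ad_structures(payload: bytes) -> List[ADStructure]:
    """Split an advertising payload into (ad_type, data) pairs.

    Each structure is one length byte L, one type byte, then L-1 data bytes.
    A zero length ends the payload (the rest is padding); a length that runs
    past the end is treated as truncation and parsing stops instead of
    raising, because sniffed payloads are frequently malformed.
    """
    structures: List[ADStructure] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            break
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        structures.append((ad_type, data))
        i += 1 + length
    return structures


def company_id(structures: List[ADStructure]) -> Optional[int]:
    """Return the company identifier from manufacturer-specific data, if any."""
    for ad_type, data in structures:
        if ad_type == AD_MANUFACTURER and len(data) >= 2:
            return int.from_bytes(data[:2], "little")
    return None


def device_name(structures: List[ADStructure]) -> Optional[str]:
    """Decode the advertised name; non-UTF-8 garbage is escaped, not fatal."""
    for ad_type, data in structures:
        if ad_type in (AD_COMPLETE_NAME, AD_SHORT_NAME):
            return data.decode("utf-8", errors="backslashreplace")
    return None


def keep_advertisement(payload: bytes,
                       drop=(COMPANY_APPLE, COMPANY_MICROSOFT)) -> bool:
    """True if the advertisement survives the vendor filter."""
    return company_id(parse_ad_structures(payload)) not in drop


# Constructed sample payloads (not captured traffic).
ADV_APPLE = bytes([0x02, AD_FLAGS, 0x06,
                   0x06, AD_MANUFACTURER, 0x4C, 0x00, 0x10, 0x02, 0x0B])
ADV_MICROSOFT = bytes([0x02, AD_FLAGS, 0x06,
                       0x04, AD_MANUFACTURER, 0x06, 0x00, 0x01])
ADV_HEADSET = bytes([0x02, AD_FLAGS, 0x06,
                     0x0A, AD_COMPLETE_NAME]) + b"DEMO-BUDS"
ADV_GARBAGE_NAME = bytes([0x07, AD_COMPLETE_NAME]) + b"WHOOP\xff"
ADV_TRUNCATED = bytes([0x05, AD_COMPLETE_NAME, 0x41])  # claims 5, has 2


def filter_scan(payloads) -> List[str]:
    """Names (or '<no name>') of the advertisements that pass the filter."""
    kept = []
    for p in payloads:
        if keep_advertisement(p):
            kept.append(device_name(parse_ad_structures(p)) or "<no name>")
    return kept


if __name__ == "__main__":
    for line in filter_scan([ADV_APPLE, ADV_MICROSOFT, ADV_HEADSET,
                             ADV_GARBAGE_NAME, ADV_TRUNCATED]):
        print(line)
```

The parser deliberately stops on a bad length rather than raising, so one non-conformant device cannot take down a long capture session, and the name decoder keeps the garbage bytes visible (as `\xNN` escapes) because those bytes are themselves a fingerprinting clue.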
I definitely remember lots of folk security advice to keep bluetooth off on your phone back when smartphones were new (nobody does that now though, and Android auto-enables it these days).
There hasn't been a POTUS or VPOTUS since Carter that had a technical background, so obviously none of them would be authoritative on such topics.
However the individual in question is not delusional or conspiratorial, so there's no reason to imagine they are not (lo-fi) repeating advice or restrictions received from extremely well-informed sources.
Jimmy Carter was a very smart guy, but he was not a nuclear engineer.
https://atomicinsights.com/jimmy-carter-never-served-nuclear...
But he was trained to operate nuclear facilities on subs, and with a few more months of service he would have qualified for the label "nuclear engineer" without any asterisks...
The National Academy of Engineering says:
> A graduate of the U.S. Naval Academy and a trained nuclear engineer
https://www.nae.edu/19579/31222/20054/327746/331204/Jimmy-Ca...
US Navy history says:
> He served as executive officer, engineering officer, and electronics repair officer on the submarine SSK-1. When Admiral Hyman G. Rickover (then a captain) started his program to create nuclear-powered submarines, Carter wanted to join the program and was interviewed and selected by Rickover. Carter was promoted to lieutenant and from 3 November 1952 to 1 March 1953, he served on temporary duty with the Naval Reactors Branch, U.S. Atomic Energy Commission, Washington, D.C., to assist "in the design and development of nuclear propulsion plants for naval vessels."
> From 1 March to 8 October 1953, Carter was preparing to become the engineering officer for USS Seawolf (SSN-575), one of the first submarines to operate on atomic power. However, when his father died in July 1953, Carter resigned from the Navy and returned to Georgia to manage his family interests.
https://www.history.navy.mil/browse-by-topic/people/presiden...
I'm going with "functionally pretty darn close", and the details are a bit ambiguous and/or complicated.
You can persist in whatever version of it you prefer, however, it is no interest of mine.
Even before this report, I had a vague feeling that there were probably some security issues with BT headsets, and now it's confirmed in a very concrete way. So whether she is stupid or not, Kamala was right about this.
I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.
There is little encryption being done by bluetooth, while with wifi, many layers add their own encryption to the data.
* https://arxiv.org/pdf/2108.07190
Because he also knows a thing or two about technology.
[0] Dude is decades away from retirement, not even close to "Boomer"
This was just shown at the 39C3 in Hamburg, few days back.
Common (unpatched) Bluetooth headsets using Airoha's SoCs can be completely taken over by any unauthenticated bystander with a Linux laptop. (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702)
This includes firmware dumps, user preferences, Bluetooth Classic session keys, current playing track, ...
> Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g. Major V, Minor IV), Beyerdynamic (e.g. AMIRON 300), or Jabra (e.g. Elite 8 Active).
Most vendors either gave the security researchers the silent treatment or were slow, even after Airoha published fixes. Jabra was one of the positive outliers, Sony unfortunately a negative one.
What is exciting, even though the flaws are awful, is that it is unlikely for the current generation of those Airoha bluetooth headsets to move away from Airoha's Bluetooth LE "RACE" protocol. This means there is a great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
RACE Reverse Engineered - CLI Tool: https://github.com/auracast-research/race-toolkit
I feel like this should receive state-level attention; the remote audio surveillance of any headset can be a major threat. I wonder what the policies in countries' official buildings are when it comes to Bluetooth audio devices. Considering that Jabra is a major brand for conference speakers, I'd assume some actual espionage threats.
Speaking for myself, I have very little patience for technical videos, so I don't believe I've ever upvoted a YouTube submission.
On second thought I think this is called a transcript...
I'm not sure anyone intentionally did this, but there were several poor decisions involved. It sounds like the upstream vendor shipped sample code without auth, assuming implementers would know they needed to secure a privileged device management interface, and said implementers just copied the sample and shipped it.
All it really takes is some engineer missing an if-statement to check that the connection is bonded before processing the packets.
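As an added example (this is not Airoha firmware, not the sample code the comment describes, and not the race-toolkit), the following Python models the check that is being described as missing: a management-command handler that refuses privileged operations unless the link is bonded at the required level. The opcodes, the required security levels, the flash contents and the peer addresses are all hypothetical and constructed for illustration; the point is the shape of the check, with default deny and an audit trail for refused attempts.

```python
"""Gate privileged peripheral commands on link security state.

Added example, not vendor firmware or any tool from the thread. Opcodes,
policy, flash image and addresses are hypothetical and constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List


class LinkSecurity(IntEnum):
    """Ordered so that a higher value satisfies every lower requirement."""
    NONE = 0           # connected, never paired
    ENCRYPTED = 1      # encrypted with an unauthenticated (Just Works) bond
    AUTHENTICATED = 2  # encrypted with an authenticated, MITM-protected bond


@dataclass
class Connection:
    peer: str              # constructed address, used for the audit log only
    security: LinkSecurity


class Rejected(Exception):
    """Raised when a command is refused; the reason goes to the audit log."""


# Hypothetical opcodes for a vendor management protocol.
READ_BATTERY = 0x01
SET_VOLUME = 0x02
READ_FLASH = 0x10
WRITE_FLASH = 0x11

# Policy: minimum link security per command. Anything that can read or
# write firmware or stored keys requires an authenticated bond.
REQUIRED = {
    READ_BATTERY: LinkSecurity.NONE,
    SET_VOLUME: LinkSecurity.ENCRYPTED,
    READ_FLASH: LinkSecurity.AUTHENTICATED,
    WRITE_FLASH: LinkSecurity.AUTHENTICATED,
}

FLASH = bytearray(b"DEMO-FLASH-IMAGE-0123456789")  # constructed image
AUDIT: List[str] = []  # refused attempts: the signal a defender would watch


def dispatch(opcode: int, payload: bytes):
    """The command implementations; they trust whoever calls them."""
    if opcode == READ_BATTERY:
        return 87
    if opcode == SET_VOLUME:
        return payload[0]
    if opcode == READ_FLASH:
        offset, length = payload[0], payload[1]
        return bytes(FLASH[offset:offset + length])
    if opcode == WRITE_FLASH:
        offset = payload[0]
        FLASH[offset:offset + len(payload) - 1] = payload[1:]
        return len(payload) - 1
    raise Rejected(f"unknown opcode {opcode:#04x}")


def handle_command_unchecked(conn: Connection, opcode: int, payload: bytes):
    """The vulnerable shape: every connection reaches every command."""
    return dispatch(opcode, payload)


def is_allowed(conn: Connection, opcode: int) -> bool:
    """Default deny: unknown opcodes and under-secured links are refused."""
    required = REQUIRED.get(opcode)
    return required is not None and conn.security >= required


def handle_command(conn: Connection, opcode: int, payload: bytes):
    """The fixed shape: check the link before the packet is interpreted."""
    if not is_allowed(conn, opcode):
        AUDIT.append(f"{conn.peer}: opcode {opcode:#04x} refused at "
                     f"link security {conn.security.name}")
        raise Rejected(AUDIT[-1])
    return dispatch(opcode, payload)


def rejects(conn: Connection, opcode: int,
            payload: bytes = b"\x00\x04") -> bool:
    """True if the checked handler refuses the command on this link."""
    try:
        handle_command(conn, opcode, payload)
    except Rejected:
        return True
    return False


if __name__ == "__main__":
    stranger = Connection("00:11:22:33:44:55", LinkSecurity.NONE)
    print("unchecked handler leaks:", handle_command_unchecked(stranger, READ_FLASH, b"\x00\x04"))
    print("checked handler refuses:", rejects(stranger, READ_FLASH))
    print(AUDIT)
```

Two details matter beyond the single missing `if`: the security levels are ordered so that a Just Works bond (encrypted but unauthenticated) is not enough for firmware access, and unknown opcodes are refused rather than falling through to a handler, so a forgotten entry in the policy table fails closed.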
[0] https://en.wikipedia.org/wiki/Tempest_(codename)
[1] https://en.wikipedia.org/wiki/Van_Eck_phreaking
While I don't recall Sony issuing an advisory, I believe the users of their app would have started getting update notifications since they (quietly) released firmware updates.
> This means there is great opportunity for Linux users to control their Bluetooth headsets, which for example is quite nice in an office setting to toggle "hearthrough" when toggling volume "mute" on your machine.
I think most vendors are using custom services with their own UUIDs for settings such as this.
Regardless, I believe there are open client implementations for some of the more popular devices. Gadgetbridge comes to mind in regards to Android, not sure about any Linux equivalent.
That doesn't sound very serious if they're exposed, does it? Can it be used to eavesdrop on my conversation if I'm speaking through the headphones?
It can toggle the hands-free mode and listen to whatever is being talked about; you'd notice that it has switched to that mode, though. But if your headphones are powered on and you're not listening to them, they can be used for eavesdropping.
During the talk they both demonstrate listening to the microphone and also receiving a WhatsApp 2FA call.
Of course, even regular omnidirectional Bluetooth antennas are plenty to eavesdrop through a hotel room door, from the hallway outside a conference room, etc.
An attacker can also passively record all the packets in an area (Ellisys allows recording all channels at the same time), and then actively gather link keys using this attack at any time to decrypt the stored conversations.
What I'm getting at is that I think the risk varies depending on how often you leave the headset paired; for example, if the headphones are over-ear, those are more prone to not be turned off --- and remain connected; thus, a greater chance of success for establishing a BlueTooth classic connection without getting noticed and performing the WhatsApp account take-over until they listen to "I'm gonna take a shower, honey!" in the distance.
Blog: https://insinuator.net/2025/12/bluetooth-headphone-jacking-f...
Paper: https://ernw.de/en/publications.html
That would make the attacks potentially silent, since the attacker could simulate keypresses to dismiss notifications, or can at least keep the target unable to respond by spamming home/back or pressing power and simulating a swipe to shut down.
It would be a vulnerability in the host stack to accept that.
That would suggest that further exploitation really depends on the paired device, right?
“I know I've been teased about this, but I like these kinds of earpods that have the thing [pointing to the wire] because I served on the Senate Intelligence Committee. I have been in classified briefings, and I'm telling you, don't be on the train using your earpods thinking somebody can't listen to your conversation.”
https://www.aol.com/kamala-harris-warns-against-wireless-150...
She was probably briefed repeatedly about this as a member of that committee.
Here's one example:
> Headphones are wired headphones (i.e. not wireless) which can be plugged into a computing device to listen to audio media (e.g. music, Defense Collaboration Services, etc.).[0]
[0]: https://dl.dod.cyber.mil/wp-content/uploads/stigs/pdf/2016-0...
The classified part would be the intelligence that the wireless protocol is compromised. I don't see that in your document.
Fun fact: There are at least two applications that reverse engineered AirPods' communication protocol for custom controls - AndroPods from 2020 [1] and LibrePods from 2024 [2].
But... mainstream Android has a bug open in their Bluetooth stack for well over a year now that prevents issuing the commands, meaning to actually use the app you need root rights [3].
[1] https://play.google.com/store/apps/details?id=pro.vitalii.an...
[2] https://github.com/kavishdevar/librepods/tree/main
[3] https://issuetracker.google.com/issues/371713238
I'm not surprised Jabra acted quickly. They mainly sell to enterprises, which generally care very much about security. Sony is more of a consumer manufacturer now.