Bluetooth headphones pose a security risk for iPhones and Macs

As a user of Apple devices, you feel relatively safe: Apple repeatedly emphasizes the importance it places on system stability, data security and privacy in its systems and app stores. A presentation at the 39th Chaos Communication Congress (39C3) shows how big the challenge is to keep this promise. While examining a widely used Bluetooth chip, security researchers discovered an insufficiently secured communication channel that allows extensive access to paired devices.

Researchers at the Heidelberg company ERNW came across the vulnerability when they set out to learn more about the widely used Airoha chips. They discovered an undocumented interface called RACE, which is used, for example, to read status information from Bluetooth devices, update firmware and much more. During their experiments, they found that no pairing was necessary to communicate via RACE. Information could therefore be read from any Bluetooth headphones within range, such as what music is currently playing. Theoretically, even an eavesdropping attack is possible, as long as a microphone is integrated.

Taking on an identity
The RACE protocol allows extensive device details to be read from the headphones. This includes all the information needed to contact a paired device, such as an iPhone. An attacker can use this information to change the identity of their own Bluetooth transmitter and trick a smartphone into thinking it is the paired Bluetooth device. The researchers were then able to trigger calls or Siri requests using the Hands-Free Protocol (HFP). In their talk, they demonstrated how they used the RACE protocol to take over a WhatsApp identity by intercepting the authentication delivered via audio call.

Attackers can use the Hands-Free Protocol to control many functions of a smartphone. (Source: media.ccc.de)

Difficult to update
The discovery was made in early 2025, and the researchers first reported the vulnerabilities to Airoha. Communication with the Taiwanese chip manufacturer was initially slow, so the researchers contacted the brands that use Airoha chips. Manufacturers such as Beyerdynamic, Bose, Sony, Jabra, JBL and Marshall are among them, though not all to the same extent. Many manufacturers responded and provided firmware updates. However, Airoha chips are also used in many no-name products, for example in AirPod replicas. Compiling an overview of patched and unpatched devices proved to be an impossible task for the researchers because manufacturers like Sony refused to communicate.

AirPods and Beats not affected
In a blog post, the researchers describe the details of the discovery and document their communication with manufacturers. If you want to test it yourself, you can download the RACE toolkit from GitHub. Apple’s own headphones and earphones are not affected by this vulnerability because the company uses its own chips for wireless communication. However, since the Hands-Free Protocol is a cross-manufacturer standard, paired devices such as iPads, Macs and iPhones are indirectly affected.

Delete unused pairings
For end users, the researchers recommend regularly installing firmware updates for all Bluetooth devices and removing devices that are no longer in use from the list of trusted devices. On the iPhone and iPad, this is done in the Settings app: all paired headphones, keyboards and cameras appear under the “Bluetooth” entry. Tap the blue info button to open the details, then use “Forget This Device” to remove the device from the list.

Occasionally tidying up the list of paired Bluetooth devices increases security.
