
Security firm SentinelOne takes a deeper look at CVE-2025-20701 here.
Heinze and Steinmetz said last year that the full attack chain would allow attackers to access call history and contacts and to carry out other malicious actions, including dialing arbitrary numbers. Many of these capabilities depend on the specific devices being paired with, as the functionality built into them varies from platform to platform.
Devices affected by the Airoha vulnerabilities are not alone. In January, the researchers announced WhisperPair, a series of vulnerabilities that allow an attacker to steal connected Bluetooth devices through Google Fast Pair, a proprietary protocol owned by the company. In addition to eavesdropping, attackers can use WhisperPair flaws to determine the geolocation of devices. The vulnerabilities affect more than a dozen devices from 10 manufacturers, including Sony, Nothing, JBL, OnePlus and Google itself.
There are few reports of Bluetooth vulnerabilities like this being actively exploited in the wild. The complexity of such attacks is often high, and the attacker must always remain within Bluetooth range of the target while using the exploit. People who think they may be the target of such attacks should turn off Bluetooth on devices when not needed and be aware of the risks when Bluetooth is enabled.





