Your Headphones Could Be Listening: The Bluetooth Vulnerability Nobody Warned You About

Josef Šlerka (Investigace.cz)
Illustration: Gemini, prompt design by Josef Šlerka 2026-03-17

Analyses More From Our Partners

You’re sitting in a private room at your favorite café, discussing sensitive business matters with a partner. If your competitors learned what was said, they could get ahead of you — and you could lose a lot of money. The meeting goes well, and you head home satisfied. But on the way, your boss calls. Someone has leaked the entire conversation to the competition. The contract is gone. You stare at your phone, unable to comprehend what happened. How did they find out? The answer may lie in Bluetooth technology. Someone sitting just a few meters away could exploit a security flaw in your headphones, connect to your phone remotely, and listen to every word.

At the end of last year, researchers Dennis Heinze and Frieder Steinmetz from German security firm ERNW demonstrated this type of attack live at the 39C3 hacker conference in Hamburg.

Here’s how the attack works: the attacker sits nearby with a laptop, scans for Bluetooth signals, and locates the victim’s headphones. They connect without any notification and use RACE protocol (Remote Access Control Engine) commands to identify the chip type and firmware version. They then extract the encryption key — the key that pairs the device with the victim’s phone — from the headphones’ memory. Armed with this key, the attacker can impersonate the headphones entirely. The victim’s phone has no way to tell the difference.

From that point, the attacker has access to everything the headphones do. They can eavesdrop on calls, obtain the victim’s phone number and contact list, silently launch Siri or Google Assistant, and initiate hidden calls. At the 39C3 conference, the researchers demonstrated how to take over WhatsApp and access an Amazon account. The tools needed to carry out the attack were published on GitHub. All you need is a regular laptop.

At the root of the problem is a bug in chips made by Taiwanese company Airoha Technology. The flaw allows any part of the device’s memory to be read or written to — including the sections storing sensitive data and encryption keys. No password or authentication is required. Anyone who connects to the device gains full access.

Researchers disclosed the flaw back in March of last year. Airoha responded relatively quickly with security patches. The bigger problem was the headphone manufacturers themselves, who were slow to communicate or late to release updates. Some headphones from Sony, Bose, JBL, and Marshall use Airoha chips. Most manufacturers have since issued fixes, so users who keep their headphones up to date should be protected.

Ten Seconds is Enough to Pair with Foreign Headphones

Adding to the concern, on January 15, 2026, a separate security flaw came to light — this one related to Google Fast Pair technology. Fast Pair simplifies pairing Bluetooth headphones with an Android phone: bring the headphones close, and a pairing prompt appears on screen.

The findings were published by a team from Belgium’s KU Leuven and its researchers Sayon Duttagupta and Seppe Wyns.

Google Fast Pair explicitly requires that headphones only accept pairing requests while in pairing mode — typically the first few minutes after unboxing or after a deliberate user action. But the researchers found that many manufacturers ignore this requirement entirely — their headphones accept pairing requests at any time, from anyone.

An attacker needs nothing more than a laptop or even a cheap Raspberry Pi. They scan for headphones with Fast Pair enabled and send a pairing request, which the headphones accept without question. Within ten seconds, the device is paired from up to 14 meters away — with no interaction required from the victim. Once paired, the attacker has full control: audio playback, microphone recording, and access to device settings.

But eavesdropping is only part of the threat. Many headphones support Google Find Hub, a system for locating lost devices via nearby Android phones. The researchers found that if a pair of headphones had never been registered to an Android account, an attacker could claim them for their own Google account — and from that point on, silently track the victim’s location through the network of surrounding Android devices. The victim might eventually receive a warning about unwanted tracking, but the alert would point to their own device as the source. Most people would assume it was a glitch. “The risk is ongoing tracking, not a single incident in passing. It’s similar to finding an unknown AirTag following you,” said Sayon Duttagupta, one of the researchers behind the discovery, in a statement to investigace.cz. Of the 25 devices tested across 16 manufacturers, seventeen — or 68 percent — were found to be vulnerable.

Google rated the vulnerability as critical and awarded the researchers a reward of $15,000 (approximately CZK 300,000).

Bluetooth Speaks Danish

What might sound like a hypothetical threat has taken on very real dimensions in Denmark. On January 16, 2026 — just one day after the study was published — Danish military intelligence (FE, Forsvarets Efterretningstjeneste) alerted authorities to the risk of Bluetooth-based eavesdropping. The following day, the National Police IT department circulated an internal memo to officers across the country, instructing them to immediately disable Bluetooth on all devices: mobile phones, tablets, and computers, both personal and work-issued. Car hands-free kits were to be disconnected. Wireless headphones were to be set aside. Effective immediately, and until further notice.

The memo was titled “Slå Bluetooth fra” — Turn off Bluetooth. It explicitly flagged the risk of eavesdropping through Bluetooth headphones and AirPods. The directive applied not only to police officers but to all covered authorities, agencies, and police districts.

Two days later, Danish news outlet Radar published the news.

According to Radar, some districts introduced a full ban, while others interpreted the directive more loosely. Across the country, though, technicians began digging wired headphones out of storage and IT departments rushed to order wired alternatives. When contacted by Radar, FE stated it was “merely passing on a warning from the website whisperpair.eu.” This was not the agency’s own independent assessment, FE emphasized.

Anonymous police sources, however, told Radar a different story. They said the “panic” was not driven by academic curiosity, and that the directive was rooted in a “very specific incident or suspicion.”

Meanwhile, the researchers themselves were caught off guard. Sayon Duttagupta, lead researcher of the WhisperPair project at KU Leuven, told investigace.cz that the team had no prior knowledge of the Danish intelligence service’s response. “No Danish intelligence service or government agency has contacted us in this regard,” he said.

Before FE issued its directive, however, the team had been approached by someone identifying themselves as an employee of the Danish Parliament, who asked technical questions about how WhisperPair works. “We responded by email. We received no feedback, and nothing indicated that what we shared would be used as formal justification for policy action.”

Notably, FE’s directive also explicitly named Apple AirPods — even though AirPods are not impacted by either the Google Fast Pair or Airoha chip vulnerabilities. Researchers have confirmed this. The sweeping ban on Apple devices reflects the logic of institutional policy: it is simpler to issue blanket guidance covering “all Bluetooth devices” than to draft technology-specific restrictions that require constant updates.

Should we be Afraid?

The real-world risk of Bluetooth eavesdropping depends heavily on who you are. All of the attacks described require the attacker to be physically close — within 10 to 14 meters. That said, the tools needed are freely available on GitHub, and a standard laptop is all that’s required.

For the average user, the risk is low. It makes little economic sense for an attacker to target a random person on the street. Far easier attack vectors exist: phishing, malware, rogue Wi-Fi networks.

For journalists, activists, and business executives, the risk is moderate. Someone who repeatedly finds themselves in your orbit — a colleague, a fellow conference attendee, a familiar face at your regular café — could quietly eavesdrop over time.

For government officials, diplomats, and intelligence officers, the risk is high. Nation-states have the resources, patience, and operational capacity to guarantee physical proximity. The Danish “specific incident” fits this profile well. That said, the researchers in Leuven do not have any confirmation that the vulnerability has been exploited in the wild.

Protect People, Not Space

There is one more striking aspect to the Danish response: Bluetooth devices have long been recognized as a security risk in sensitive environments.

It is therefore entirely logical that security agencies routinely require Bluetooth to be disabled. But historically, such rules have always applied to specific locations — secure rooms, classified environments.

American SCIFs classify Bluetooth as high-risk and require that any use within secure facilities be reduced to an acceptable risk level — with the specific method left to individual judgment. The Czech NÚKIB (National Cyber and Information Security Agency) mandates that all wireless technologies be disabled in classified spaces at every level of classification, including the lowest. The British police recommend turning off Bluetooth during counterterrorism operations.

But once outside a secure area, personnel have always been free to use their devices normally. Denmark is now different. For what appears to be the first time in any NATO or EU country, the ban extends to all work-related Bluetooth use — in vehicles, at home, and on the move. No comparable regulation exists elsewhere in the alliance.

As of late February 2026, the directive remains in effect.

Josef Šlerka

Josef Šlerka has worked as a data analyst and reporter at Czech Centre for Investigative Journalism since 2021. He used to head the Czech Fund for Independent Journalism (NFNZ). He is also the head of the Department of New Media Studies at Charles University in Prague.