
Your understanding is correct :)


One of the researchers here. Many people seem to prefer text to videos, which I sympathize with. So please excuse me hijacking the top comment with links to our blog post and white paper:

Blog: https://insinuator.net/2025/12/bluetooth-headphone-jacking-f...

Paper: https://ernw.de/en/publications.html


This is one of the best exploit presentations I've seen, and that's without considering the twist at the end. Humbling and inspiring. Thank you!


Did you look into whether the spoofed device can also be "upgraded" to be used as an HID device, like a mouse or keyboard? That upgrade would be several CVEs against the OS vendors.

That would make the attacks potentially silent, since the attacker could simulate keypresses to dismiss notifications, or can at least keep the target unable to respond by spamming home/back or pressing power and simulating a swipe to shutdown.


I believe this would in any case require re-pairing, and the new functionality would be visible in the pairing UI? I would be surprised if a device once paired as a headset can suddenly start acting like a keyboard if it feels like it.

EDIT: Covered in the talk at 33min. No keyboard but the Hands-Free Profile would allow you to place calls and interact with a voice assistant if one is enabled.


You can't change the device class.

It would be a vulnerability in the host stack to accept that.


During our research we discovered three vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) in popular Bluetooth audio chips developed by Airoha. These chips are used by many popular device manufacturers in numerous Bluetooth headphones and earbuds.

The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral.

Examples of affected vendors and devices are Sony (e.g., WH-1000XM5, WH-1000XM6, WF-1000XM5), Marshall (e.g., Major V, Minor IV), Beyerdynamic (e.g., AMIRON 300), or Jabra (e.g., Elite 8 Active).

