Call Information Leaking from Xiaomi Wireless Earphones
Security Vulnerabilities Found in Some Redmi Buds Pro Series
Remote Attacks Possible Without Pairing; Users Urged to Exercise Caution
Some models of Xiaomi's "Redmi Buds" wireless earphones, which have gained popularity for their low prices and "value for money" image, have been found to contain security vulnerabilities that could allow call-related information to be leaked externally even without pairing. As products sold in Korea are also affected, users are urged to exercise particular caution.
According to industry sources on the 10th, the Korea Internet & Security Agency (KISA) recently issued a security advisory stating that security vulnerabilities had been identified in certain models of Xiaomi's "Redmi Buds" series of Bluetooth earphones, and called on users to be cautious.
The affected products are four models in total: Redmi Buds 3 Pro, 4 Pro, 5 Pro, and 6 Pro. KISA stated that an information disclosure vulnerability (CVE-2025-13834) and a denial-of-service (DoS) vulnerability (CVE-2025-13328) had been found in these products, and advised: "Since no security patch is being provided, users should disable the Bluetooth function when not using the earphones, especially in crowded public places."
The CERT Coordination Center, a U.S. nonprofit security organization, also requested special caution last month, stating that information leakage and denial-of-service vulnerabilities had been identified in some models of the Redmi Buds series.
Attack possible without pairing; concerns over leakage of call information
According to the two organizations, the vulnerabilities identified this time allow an attacker within Bluetooth range to send malicious traffic and remotely attack the device without any separate pairing or authentication process. In particular, the most serious issue is that call-related metadata can be leaked externally.
The information disclosure vulnerability (CVE-2025-13834) stems from the device returning an uninitialized memory buffer as-is when it receives an abnormal TEST command. An attacker can use this to obtain sensitive data, including the phone number of the other party on a call. If the attack is carried out during a call or immediately after a call ends, the related information can be exposed as-is.
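A simplified C model of the bug class described above, added here as an illustration and not taken from the Redmi Buds firmware or the advisories, with a flawed reply handler beside a hardened one. The shared buffer, the function names, the 16-byte reply size and the "empty payload" trigger are assumptions, and the phone number in the checks is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RSP_LEN 16

/* Hypothetical model: one scratch buffer reused for call handling and replies. */
static uint8_t scratch[RSP_LEN];

/* Constructed stand-in for call handling that stages the other party's number. */
void stage_call_number(const char *number) {
    size_t n = strlen(number);
    memcpy(scratch, number, n < RSP_LEN ? n : RSP_LEN);
}

/* Flawed handler: a well-formed command fills the reply, but an abnormal one
 * (modelled here as an empty payload) skips the fill and still sends RSP_LEN
 * bytes, so whatever was left in the buffer goes out unchanged. */
size_t handle_test_flawed(const uint8_t *payload, size_t len, uint8_t *reply) {
    if (payload != NULL && len > 0 && len <= RSP_LEN) {
        memset(scratch, 0, RSP_LEN);
        memcpy(scratch, payload, len);
    }
    memcpy(reply, scratch, RSP_LEN);
    return RSP_LEN;
}

/* Hardened handler: reject abnormal input with an empty reply, build the reply
 * in a zeroed local buffer, and send only the bytes actually written. */
size_t handle_test_hardened(const uint8_t *payload, size_t len, uint8_t *reply) {
    uint8_t local[RSP_LEN] = {0};
    if (payload == NULL || len == 0 || len > RSP_LEN) {
        return 0;                      /* nothing written, nothing sent */
    }
    memcpy(local, payload, len);
    memcpy(reply, local, len);
    return len;
}

/* Helper for checks: does `hay` contain the bytes of string `needle`? */
int contains(const uint8_t *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= hay_len; i++) {
        if (memcmp(hay + i, needle, n) == 0) return 1;
    }
    return 0;
}
```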
Models sold in Korea included; user caution required
The denial-of-service vulnerability (CVE-2025-13328) involves an attacker sending a large number of commands at once to excessively consume device resources, which can cause the earphones to malfunction or lose connection with the user's device.
Xiaomi's Redmi Buds Pro series is regarded as a representative "value for money" wireless earphone line that emphasizes low prices and performance. It is also a well-known product in Korea, and the latest model, Redmi Buds 6 Pro, is currently being sold for around 80,000 won on platforms such as Naver Smart Store in Korea.
Regarding these vulnerabilities, Xiaomi is reportedly planning to carry out updates in cooperation with its suppliers. It is also known that products released recently have already had the updates applied and are therefore not affected by this issue.
Meanwhile, these vulnerabilities were discovered and reported by the research team of Korea University professor Lee Heejo.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


