Patch Urgent: Millions of Audio Devices Vulnerable to Hacking

Summary

– Google’s Fast Pair protocol, designed for easy Bluetooth connections, has been found to allow hackers to easily connect to and hijack millions of compatible audio devices.
– Researchers from KU Leuven University discovered vulnerabilities in 17 accessories from 10 companies, including Sony and Google, enabling attacks they call “WhisperPair.”
– A hacker within Bluetooth range can silently pair with a device to take over audio, inject sound, or activate the microphone to listen to the victim’s surroundings.
– Some devices from Google and Sony that use the Find Hub location feature can be exploited for precise, stealthy tracking of a user’s location.
– While Google and vendors have released security updates, the researchers warn that many vulnerable devices will remain at risk because users rarely update their audio accessories.

A critical security flaw has been exposed in a popular wireless standard, putting countless Bluetooth audio devices at risk of silent takeover. The vulnerability lies within Google’s Fast Pair protocol, a system designed for effortless one-tap connections between gadgets and Android or ChromeOS devices. Security experts have now demonstrated that this same convenience can be exploited by malicious actors, allowing them to hijack headphones, earbuds, and speakers from hundreds of millions of users with alarming ease.

A team from Belgium’s KU Leuven University has identified a suite of vulnerabilities, which they term WhisperPair, across 17 audio accessories from major brands. These include products from Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. The attack requires an intruder to be within Bluetooth range, typically up to 50 feet. From there, they can silently pair with a target device without any interaction or alert to the legitimate owner.

The potential consequences of a successful hack are severe and invasive. An attacker could seize control of audio playback, disrupting music or phone calls. They could inject their own audio at any volume directly into a victim’s ears. Perhaps most disturbingly, they could undetectably activate the microphone to eavesdrop on private conversations and ambient sounds. For certain Google and Sony devices that integrate with Google’s Find Hub geolocation service, the flaw also enables precise, stealthy location tracking of the device’s owner.

Researchers describe a chillingly simple attack scenario. “You’re walking down the street with your headphones on, listening to some music,” explains KU Leuven researcher Sayon Duttagupta. “In less than 15 seconds, we can hijack your device. I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location.” Once access is gained, the attacker essentially owns the peripheral and has broad control over its functions.

In response to these findings, Google has issued a security advisory and worked on patches since the researchers privately disclosed the issue in August. The company has reportedly notified affected vendors, many of whom have since released security updates for their products. However, a significant problem remains: most consumers rarely, if ever, update the firmware on their Bluetooth audio accessories. This widespread lack of patching means the WhisperPair vulnerabilities could linger in millions of devices for the foreseeable future, leaving users unknowingly exposed to potential surveillance and harassment.

(Source: Wired)