Google Fast Pair Devices Vulnerable to “WhisperPair” Hack
▼ Summary
– Google’s Fast Pair technology for Bluetooth devices contains a vulnerability called WhisperPair that allows remote device hijacking.
– This security flaw affects many popular device brands, including Sony, JBL, and Google, and Google has notified partners to create patches.
– An attacker can gain control of a vulnerable device in about 10 seconds from up to 14 meters away without being noticed.
– Once connected, the attacker can interrupt audio, play their own audio, access the microphone, and track the device’s location.
– This enables an attacker to listen to conversations and track a person’s movements through the compromised Bluetooth device.
A widely used Bluetooth pairing technology designed for convenience may inadvertently open a door for eavesdropping and tracking. Security experts have identified a critical flaw in Google’s Fast Pair system, a feature that simplifies connecting headphones and earbuds to phones. This vulnerability, named “WhisperPair,” enables a nearby attacker to remotely hijack compatible audio devices, potentially turning them into tools for surveillance.
The issue stems from how Fast Pair handles the initial handshake between a new device and a smartphone. Researchers from a Belgian university found that the protocol does not adequately secure this process, allowing a malicious actor to intercept and force a connection. The attack works at distances up to 14 meters, practically the full range of Bluetooth, and can establish control in a median time of just ten seconds. This means someone could execute the hack from a crowded cafe or a busy street without ever approaching their target.
The vulnerability impacts a broad range of popular audio devices from at least ten manufacturers, including Sony, JBL, Nothing, OnePlus, and Google’s own Pixel Buds. It’s important to note that a user’s phone does not need to be a Google product for their headphones to be at risk; the flaw resides in the Fast Pair protocol itself. Google has been notified and has informed its manufacturing partners, but the responsibility for issuing firmware updates falls to each individual company. A comprehensive list of affected models is available on the researchers’ public disclosure site.
Once an attacker successfully pairs with a vulnerable device, they gain several concerning capabilities. They can disrupt audio playback or inject their own sounds. More alarmingly, the hack can enable microphone access and location tracking. This transforms a simple pair of earbuds or a Bluetooth speaker into a potential listening device, allowing an attacker to monitor private conversations. The compromised device can also broadcast its location, enabling someone to physically track the wearer’s movements.
The researchers have released a demonstration video illustrating how easily WhisperPair could be deployed in a real-world scenario, following an individual and listening in on their discussions. While no active exploits have been reported in the wild, the proof-of-concept highlights a significant privacy risk. Users of Fast Pair-enabled devices are advised to check with their manufacturer for security patches and consider disabling Fast Pair in their Bluetooth settings until a confirmed update is available, relying instead on standard manual pairing methods for greater security.
(Source: Ars Technica)
