
Update your headphones: Fast Pair vulnerability could let attackers track your location

Google is aware of the WhisperPair vulnerability, but fixing it requires a patch from your audio device's manufacturer.
22 hours ago

TL;DR
  • Researchers have found a vulnerability in Fast Pair implementation that could let bad actors connect to audio devices to eavesdrop or track victims’ locations.
  • Google says it has “worked with these researchers to fix these vulnerabilities.”
  • Updates from audio device manufacturers are required to patch the vulnerability. It’s recommended users update their devices ASAP.
  • The researchers say “many manufacturers have released patches for their impacted devices,” but to check with your device’s manufacturer to be sure.

There’s a significant security vulnerability in many manufacturers’ implementation of Google’s Fast Pair protocol that could affect a wide variety of popular audio accessories. Security researchers at Belgian university KU Leuven have made public information about what they’ve dubbed WhisperPair, a set of cyber attacks that, leveraging a flaw in Fast Pair implementation, can be used to hijack audio devices, letting bad actors potentially track user location or eavesdrop on private conversations.

As reported by Wired, researchers with KU Leuven’s Computer Security and Industrial Cryptography group (COSIC) managed to exploit Google Fast Pair to connect to target devices like earbuds and headphones, with no physical access required. Once connected, the researchers were able to play audio on or listen to audio recorded by target devices, and even track the devices using Google’s Find Hub network. This is a serious issue affecting devices from the likes of Sony, JBL, Soundcore, and Google — but a firmware update can patch the vulnerability.


WhisperPair attacks can be initiated from normal Bluetooth range within seconds, the researchers say. Per COSIC’s report, Fast Pair works by allowing a “seeker” device like a phone or laptop to send a message to “provider” devices like Bluetooth headphones, earbuds, or speakers to initiate pairing. The Fast Pair spec says that provider devices should only accept pairing requests from seeker devices while in pairing mode — but many Fast Pair-enabled audio devices incorrectly accept requests from seeker devices whenever they’re powered on, allowing WhisperPair a way in.
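To make the gating rule above concrete, here is an added Python model (constructed for this article, not code from COSIC, Google, or any manufacturer) of a Fast Pair provider deciding whether to accept a seeker's pairing request. It contrasts the flawed "accept whenever powered on" policy with the spec's "accept only while in pairing mode" policy; the message shape, the 120-second pairing window, and the seeker/provider names are simplifying assumptions.

```python
"""Provider-side pairing gate for Fast Pair, as described in the article.

Constructed illustration: real Fast Pair messages, key exchange and timeouts
are omitted. A seeker (phone) sends a pairing request; the provider
(headphones) either accepts or rejects it and records unsolicited attempts.
"""
from dataclasses import dataclass, field

PAIRING_MODE_TIMEOUT_S = 120.0  # assumed window length; real products vary


@dataclass
class Provider:
    name: str
    powered_on: bool = False
    pairing_mode_until: float = 0.0  # deadline in seconds; 0.0 = not in pairing mode
    accept_whenever_powered_on: bool = False  # True reproduces the flawed behaviour
    rejected_requests: list = field(default_factory=list)  # audit trail for defenders

    def power_on(self) -> None:
        self.powered_on = True

    def enter_pairing_mode(self, now: float) -> None:
        """User pressed the pairing button: open a bounded pairing window."""
        self.pairing_mode_until = now + PAIRING_MODE_TIMEOUT_S

    def in_pairing_mode(self, now: float) -> bool:
        return self.powered_on and now < self.pairing_mode_until

    def handle_pairing_request(self, seeker_id: str, now: float) -> bool:
        """Return True if the seeker's pairing request is accepted."""
        if not self.powered_on:
            return False
        if self.accept_whenever_powered_on:  # flawed: powered on is enough
            return True
        if self.in_pairing_mode(now):  # spec-conformant: pairing mode only
            return True
        self.rejected_requests.append((now, seeker_id))  # unsolicited attempt
        return False


def simulate(flawed: bool) -> dict:
    """Power on, receive an unsolicited request, then open pairing mode and
    receive a legitimate one, then receive another after the window closes."""
    p = Provider("headphones", accept_whenever_powered_on=flawed)
    p.power_on()
    unsolicited = p.handle_pairing_request("unknown-seeker", now=10.0)
    p.enter_pairing_mode(now=20.0)
    legitimate = p.handle_pairing_request("owner-phone", now=25.0)
    late = p.handle_pairing_request("unknown-seeker", now=20.0 + PAIRING_MODE_TIMEOUT_S + 1)
    return {"unsolicited": unsolicited, "legitimate": legitimate,
            "after_timeout": late, "rejections_logged": len(p.rejected_requests)}
```

With the flawed policy every request succeeds and nothing is logged; with the spec-conformant policy only the request inside the pairing window succeeds, and the two unsolicited attempts are recorded where firmware diagnostics could surface them.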

Once connected to an audio device, an attacker can control audio output or listen in on audio input. Compromised devices can also be added to Google Find Hub, allowing attackers to track the movement of victims.

The upside for Android users is that WhisperPair only seems to work on audio accessories that have not already been paired with a source device using Fast Pair — meaning the earbuds you’re already using with your Android phone may be safe. But because iOS doesn’t use Fast Pair, Fast Pair-enabled headphones and earbuds that have only ever been paired with Apple devices will still be vulnerable.

The COSIC report says that users who have been victims of WhisperPair attacks may see a warning on their phone that an unknown device is tracking their location. But because that device will be identified as one owned by the user, these warnings may end up being ignored.

The WhisperPair vulnerability is widespread: COSIC has confirmed that popular devices like the Sony WH-1000XM6, Pixel Buds Pro 2, Jabra Elite 8 Active, Soundcore Liberty 4 NC, and more are all susceptible to WhisperPair attacks. You can see a list of devices that have been tested here, but there’s reason to believe many more models may be vulnerable as well.

COSIC first notified Google of its findings in August. According to Wired’s write-up, Google has worked in coordination with the researchers to address WhisperPair. COSIC’s report says that “many manufacturers have released patches for their impacted devices,” but also that users should check with their audio accessory manufacturer for questions about WhisperPair patches.

There aren’t any confirmed cases of WhisperPair attacks taking place in the wild, and Google tells Wired that it hasn’t “seen evidence of any exploitation outside of this report’s lab setting.” Still, if you haven’t updated your headphones or earbuds lately, today seems like a great time to do it.
