Google designed the Fast Pair wireless protocol to enable extremely convenient connections. Essentially, it lets users pair Bluetooth accessories with Android and Chrome OS devices with a single tap. However, one group of researchers has discovered that the protocol can allow hackers to connect to hundreds of millions of earbuds, headphones, and speakers. Depending on the device, malicious individuals could use Fast Pair to control speakers and microphones, or even track someone’s location, even if that person isn’t an Android user.
What is the Compromise?
The compromise was discovered by security researchers at the Computer Security and Industrial Cryptography group of Belgium’s KU Leuven University. The researchers’ hacking technique, dubbed WhisperPair, would allow anyone within Bluetooth range (about 50 feet in their testing) to silently pair with audio accessories and hijack them.
According to Wired, the group revealed that they found a collection of vulnerabilities in 17 audio accessories that use Google’s Fast Pair technology. The devices are sold by Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and even Google.
Some accessories could allow hackers to “take over” or disrupt whatever is being played through the headphones and play their own audio at any volume they choose. Devices sold by both Google and Sony have access to Google’s Find Hub, which could also be exploited.
The good news, however, is that most companies with exploited products are actively working on fixes. A Google spokesperson confirmed the WhisperPair findings to Wired, and the company has reportedly not seen any evidence of exploitation outside the lab setting. The tech giant noted that it also pushed out fixes for both its vulnerable products and Find Hub, but that it discovered a bypass for the patch and was still able to track a device using Find Hub.
Xiaomi and JBL have also issued similar statements, both saying that they are working with Google to address the exploitation and issue over-the-air updates. Jabra and Logitech said they have issued or are in the process of issuing patches for the vulnerability, and OnePlus noted they are looking into the issue. Marshall, Nothing, and Sony have not spoken out about the vulnerability yet.
The best course of action is to check for updates for any of your devices that use Fast Pair.
