Google has acknowledged a Fast Pair flaw that theoretically enabled hackers to hijack the Bluetooth connection between mobile devices and headphones to track and eavesdrop on unsuspecting victims.
Security researchers in Belgium discovered a security vulnerability that allowed them to access the microphones on, for instance, a pair of wireless headphones and access the location of the users. This worked even if the audio device was already paired to the user’s phone running on Android.
A Wired report reveals the vulnerability was found with 17 models from 10 companies – Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and even Google.
The researchers from KU Leuven University Computer Security and Industrial Cryptography group told Wired all that was required was to be in Bluetooth of the victim with access to the model number. Not the unique serial number, just the commonly accessible model number. Google says there’s no evidence the exploit had been used in the wild, but that doesn’t make the vulnerability – Christened WhisperPair by the researchers – any less alarming.
According to the search and mobile giant, it’s all down to an error in how some of Google’s hardware partners are implementing the Fast Pair technology, which is supposed to provide ease of uniting mobile devices with their accessories, as the name would suggest.
“You’re walking down the street with your headphones on, you’re listening to some music. In less than 15 seconds, we can hijack your device,” KU Leuven researcher Sayon Duttagupta told Wired. “Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location.”
Google said it partnered with the researchers to fix the vulnerabilities, which have been addressed through firmware updates for the headphones themselves.
In a statement to Engadget, Google said: “We appreciate collaborating with security researchers through our Vulnerability Rewards Program, which helps keep our users safe.”
“We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting. As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security.”
So, if you haven’t checked your headphones for an update lately, and you’re operating on an Android phone, now might be a good opportunity.
