A flaw in 17 Google Fast Pair audio devices could allow hackers to eavesdrop

Now would be a good time to update all your Bluetooth audio devices. On Thursday, Wired reported a security flaw in 17 headphone and speaker models that could allow hackers to access your devices, including their microphones. The vulnerability stems from the incorrect use of Google’s one-tap protocol (Fast Pair).
Security researchers from the Belgian KU Leuven University Computer Security and Industrial Cryptography group, who discovered the security hole, named the flaw WhisperPair. They claim that a hacker within Bluetooth range would only need the device’s model number (which is readily available) and a few seconds.
“You walk down the street with your headphones on, listening to music. In less than 15 seconds, we can hijack your device,” KU Leuven researcher Sayon Duttagupta told Wired. “Which means I can turn on the microphone and listen to your ambient sound. I can inject sound. I can track your location.” The researchers notified Google about WhisperPair in August, and the company has been working with them ever since.
Fast Pair should only allow new connections while the audio device is in pairing mode. (Proper implementation of this would have prevented this error.) But a Google spokesperson told Engadget that the vulnerability is caused by improper implementation of Fast Pair by some of its hardware partners. This may allow a hacker’s device to pair with your headphones or speaker after it’s already paired with your device.
“We appreciate working with security researchers through our Risk Rewards program, which helps keep our users safe,” a Google spokesperson wrote in a statement posted to Engadget. “We worked with these researchers to address this vulnerability, and we saw no evidence of any exploits outside of the lab setting of this report. As a best security measure, we recommend that users check their headphones for the latest firmware updates. We are constantly testing and improving the security of Fast Pair and Find Hub.”
The researchers created the video below to show how the bug works.
In an email to Engadget, Google said the steps needed to access the device’s microphone or audio are complex and involve multiple stages. Attackers will also need to stay within Bluetooth range. The company added that it provided its OEM partners with the recommended fixes in September. Google has also updated its Validation certificate tool and its certificate requirements.
The researchers say that, in some cases, the vulnerability also applies to those who do not use Android phones. For example, if an audio device has never been paired with a Google account, a hacker can use WhisperPair to not only pair the audio device but also link it to their Google account. They may use Google’s Find Hub tool to track the device’s (and therefore your) location.
Google said it has made adjustments to its Find Hub network to address the issue. However, the researchers told Wired that, within hours of the patch being released, they found a workaround.
The 17 affected devices are made by 10 different companies, all of which have received Google Fast Pair certification. They include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google. (Google says its affected Pixel Buds have already been removed and secured.) Researchers have posted a search tool that lets you see if your audio accessories are at risk.
In a statement sent to Engadget, OnePlus said it is investigating the matter and will “take appropriate measures to protect the security and privacy of our users.” We have also contacted other service providers and will update this story when asked.
Researchers recommend that you update your audio devices regularly. However, one of their concerns is that many people will never install a third-party manufacturer’s app (required for updates), leaving their devices vulnerable.
The full report from Wired is very detailed and well worth reading.



