
Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking


Google designed the wireless protocol known as Fast Pair to optimize for ultra-convenient connections: It lets users connect their Bluetooth gadgets with Android and ChromeOS devices in a single tap. Now one group of researchers has discovered that the same protocol can also enable hackers to connect with that same seamless convenience to hundreds of millions of earbuds, headphones, and speakers. The result is an enormous collection of Fast Pair-compatible audio devices that allow any spy or stalker to take control of speakers and microphones, or in some cases track an unwitting target’s location—even if the victim is an iPhone user who has never owned a Google product.

Today, security researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google’s Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. The hacking techniques the researchers demonstrated, which they’re collectively calling WhisperPair, would allow anyone within Bluetooth range of those devices—close to 50 feet in their testing—to silently pair with audio peripherals and hijack them.

Depending on the accessory, a hacker could take over or disrupt audio streams or phone conversations, play their own audio through the victim’s earbuds or speakers at whatever volume they chose, or undetectably take over microphones to listen to the victim’s surroundings. Worse yet, certain devices sold by Google and Sony that are compatible with Google’s device geolocation tracking feature, Find Hub, could also be exploited to allow stealthy, high-resolution stalking.

“You’re walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device,” says KU Leuven researcher Sayon Duttagupta. “Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location.”

“The attacker now owns this device,” adds researcher Nikola Antonijević, “and can basically do whatever he wants with it.”

The researchers demonstrate their hacking and tracking techniques in the video below:

Google today published a security advisory in coordination with the researchers, acknowledging their findings and describing its efforts to fix the problem. Since the researchers first disclosed their work to the company in August, they say, Google appears to have alerted at least some of the vendors of vulnerable devices, many of whom have made security updates available. However, given that very few consumers ever think about updating the software of internet-of-things devices like headphones, earbuds, or speakers, the KU Leuven researchers warn that the WhisperPair vulnerabilities may still persist in vulnerable accessories for months or years to come.