Now would be a good time to update all your Bluetooth audio devices. On Thursday, Wired reported on a security flaw in 17 headphone and speaker models that could allow hackers to access your devices, including their microphones. The vulnerability stems from a faulty implementation of Google's one-tap (Fast Pair) protocol.
Security researchers at Belgium's KU Leuven University Computer Security and Industrial Cryptography group, who discovered the security hole, named the flaw WhisperPair. They say a hacker within Bluetooth range would only require the accessory's (easily attainable) device model number and a few seconds.
"You're walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device," KU Leuven researcher Sayon Duttagupta told Wired. "Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location." The researchers notified Google about WhisperPair in August, and the company has been working with them since then.
Advertisement Advertisement
Fast Pair is supposed to only allow new connections while the audio device is in pairing mode. (A proper implementation of this would have prevented this flaw.) But a Google spokesperson told Engadget that the vulnerability stemmed from an improper implementation of Fast Pair by some of its hardware partners. This could then allow a hacker's device to pair with your headphones or speaker after it's already paired with your device.
"We appreciate collaborating with security researchers through our Vulnerability Rewards Program, which helps keep our users safe," a Google spokesperson wrote in a statement sent to Engadget. "We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting. As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security."
The researchers created the video below to demonstrate how the flaw works
In an email to Engadget, Google said the steps required to access the device’s microphone or audio are complex and involve multiple stages. The attackers would also need to remain within Bluetooth range. The company added that it provided its OEM partners with recommended fixes in September. Google also updated its Validator certification tool and its certification requirements.
Advertisement Advertisement
The researchers say that, in some cases, the risk applies even to those who don't use Android phones. For example, if the audio accessory has never been paired with a Google account, a hacker could use WhisperPair to not only pair with the audio device but also link it to their own Google account. They could then use Google's Find Hub tool to track the device's (and therefore your) location.
... continue reading