Your Bluetooth Audio Devices Could Be at Risk of Hijacking, Researchers Say

Researchers working at KU Leuven University in Belgium are warning people who use Bluetooth audio products that their devices may be at risk due to vulnerabilities in Google's Fast Pair technology, a feature that makes it quicker and easier to connect Bluetooth devices.

Google says it has addressed issues that could allow hackers to hijack audio devices and track their location. But the researchers say the vulnerabilities, which they collectively refer to as WhisperPair, still affect products from device makers including Sony, Harman and Google itself. In their tests, the researchers found these products could be hacked from as far as about 46 feet away.

A Google representative told CNET that it has updated the software for some of its own audio products, including its Pixel Buds Pro, and that some of the vulnerabilities stemmed from other companies not properly following Fast Pair specifications. Google said it had informed companies about this in September.

"We appreciate collaborating with security researchers through our Vulnerability Rewards Program, which helps keep our users safe. We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting," Google said in a statement provided to CNET. "As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security."

In response to specific concerns about device tracking, Google added, "We rolled out a fix on our end to prevent Find Hub network provisioning in this scenario, which completely addresses the potential location tracking issue across all devices."

Google has issued two security updates this month, one for Wear OS and one for Google Pixel devices. Each contains information about the company's security patches.

The WhisperPair research group said it's working on an academic paper detailing its findings. On its website, the research group said, "Our findings show how a small usability 'add-on' can introduce large-scale security and privacy risks for hundreds of millions of users."

The research group released a YouTube video discussing problems with Fast Pair, a Google technology introduced in 2017 that connects Bluetooth devices with one tap across Android and Chrome OS.

The group said that it worked with Google after reporting its findings and was awarded a $15,000 bounty. The researchers said they agreed to a 150-day disclosure window in which Google would release security patches. However, the website points out that users of Bluetooth devices like earbuds may not be aware of security updates that could protect them.
