- Attackers can hack your speaker’s microphones and track your location
- The vulnerability exists in Google’s Fast Pair feature
- Researchers say the flaw could affect millions of devices
Google’s Fast Pair feature is meant to let you connect your headphones and speakers to your Android or ChromeOS device with just one tap. But now it appears that the price of this convenience is a security vulnerability that could leave millions of devices open to hackers and eavesdroppers.
The startling discovery was made by security researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group (via Wired), who call the collection of vulnerabilities WhisperPair.
A study found that 17 major headphone and speaker models could be accessed by hackers as easily as regular users. The devices are made by companies across the industry, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore and Xiaomi.
In practice, an intruder could potentially gain control of your device’s microphone and speakers, or even track your location. That would allow them to play their own audio through your headphones or quietly switch on your microphones and eavesdrop on your conversations.
If the target device is compatible with Google’s Find Hub location tracking system, they can follow you in the real world. And as scary as it sounds, this isn’t even the first time Find Hub has been abused by attackers.
Worse, this can even be done if the victim’s device is running iOS and the target has never used a Google product before. If your device has never been connected to a Google account – which might be the case if you’re an iPhone user – a hacker could not only sniff it, but also pair it with their own Google account.
That’s because Google’s system identifies the first Android device that connects to target speakers or headphones as the owner, a weakness that would let a hacker track your location in their own Find Hub app.
How does it work?
To do this, an attacker only needs to be within Bluetooth range and have the target device’s model ID handy. An attacker can obtain this model ID if they own the same device model as the target or by querying a publicly available Google API.
One way WhisperPair works is through a flaw in Fast Pair’s multi-device setup. According to Google, a device that has already been paired should not be able to pair with another phone or computer. However, the researchers were able to circumvent this limitation very easily.
Because there is no way to disable Fast Pair on an Android device, you cannot simply turn it off to avoid the vulnerability. Many of the affected companies have rolled out patches in an attempt to fix the problem, but the security researchers point out that getting these fixes requires downloading a manufacturer’s app and getting a patch from there – something many speaker and headphone users don’t realize they need to do.
If you own a speaker or pair of headphones from one of the affected companies, it’s important to download their app and install the fix as soon as possible. A WhisperPair website has been created that lets you search through a list of vulnerable devices to see if you’re likely to be affected, so be sure to check it out.
The researchers have proposed that Fast Pair should cryptographically enforce your desired device pairing and should not allow another user to pair without authorization. But until that happens, updating your devices is about all you can do.