Bluetooth Fast Pair Flaw Exposed

A security vulnerability discovered in numerous popular Bluetooth audio devices could allow attackers to eavesdrop through microphones, inject audio, and track a user’s location. Researchers have named the flaw WhisperPair.

The issue stems from an improper implementation of Google’s Fast Pair protocol by several hardware manufacturers. This one-tap pairing feature is designed to simplify connecting Bluetooth accessories to Android devices. However, in certain devices from ten major companies, the security researchers found the protocol was incorrectly applied, leaving a critical opening.

Security experts from KU Leuven University in Belgium discovered the vulnerability. They explain that an attacker within Bluetooth range, needing only the easily obtainable device model number, could hijack a paired headphone or speaker in under 15 seconds. This would grant them access to the microphone to listen to ambient sounds or to inject audio into the user’s ears. In some scenarios, they could also use Google’s Find My Device network to track the location of the accessory and, by extension, its owner.

A key failure is that the affected devices did not properly restrict new connections solely to when the accessory was in active pairing mode. This allowed a malicious device to connect even after the headphones were already paired with the user’s phone.

Google was notified of the WhisperPair flaw in August. The company stated it has been collaborating with the researchers and provided recommended fixes to its hardware partners in September. Google also updated its certification tools and requirements. The company emphasized that the steps for exploitation are complex, require the attacker to remain in close proximity, and that it has seen no evidence of real-world exploitation outside of a lab setting.

Seventeen specific headphone and speaker models from Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself were identified as vulnerable. Google notes its affected Pixel Buds have already been patched. The researchers have created an online search tool where users can check if their specific model is at risk.

The recommended action for all users is to check for and install the latest firmware updates for their Bluetooth audio devices through the manufacturer’s companion app. This is the primary defense. However, the researchers note that a persistent problem is that many users never install these apps, leaving their devices permanently exposed.

OnePlus stated it is investigating the issue and will take appropriate action. Marshall confirmed it issued the necessary firmware updates and security patches in November and is working with Google to prevent similar future vulnerabilities.

Google also implemented a fix for its Find Hub network to prevent location tracking via a hijacked device, though researchers reportedly found a workaround shortly after its release. The company encourages users to update their devices and stated it is constantly evaluating and enhancing the security of its Fast Pair and Find Hub systems.
