- Attackers can hack your speaker microphones and track your location
- The vulnerability is found in Google’s Fast Pair feature
- Researchers say flaw could affect millions of devices
Google’s Fast Pair feature is intended to allow you to connect your headphones and speakers to your Android or ChromeOS device with just one click. Yet it now appears that the price of this convenience is a security hole that could leave millions of devices open to hackers and eavesdroppers.
This surprising discovery was made by security researchers at the Computer Security and Industrial Cryptography group at KU Leuven University in Belgium (via Wired), who have dubbed the collection of vulnerabilities WhisperPair.
An investigation found that 17 major models of headphones and speakers were as easily accessible to hackers as to regular users. The devices are manufactured by companies across the industry, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore and Xiaomi.
In practice, an intruder could potentially take control of your device’s microphone and speakers or even track your location. This would allow them to stream their own audio into your headphones or silently turn on your microphones and listen in on your conversations.
If the target device is compatible with Google’s Find Hub location tracking system, an attacker could also use it to track you in the real world. And as scary as it may sound, this isn’t even the first time Find Hub has been hacked.
Worse yet, this can be done even if the victim’s phone is running iOS and the target has never used a Google product before. If your headphones or speaker have never been connected to a Google account – which may be the case if you’re an iPhone user – a hacker could not only spy on them, but also pair them with their own Google account.
This is because Google’s system identifies the first Android device that connects to the target speakers or headphones as the owner, a weakness that would allow a hacker to track your location in their own Find Hub app.
How does it work?
To do this, an attacker only needs to be within Bluetooth range and have the model ID of the target device handy. A hacker could obtain this model ID if they have the same device model as the target or by querying a publicly available Google API.
WhisperPair relies in particular on a flaw in Fast Pair’s multi-device configuration. Google says a paired device should not be able to pair with a second phone or computer. However, the researchers were able to get around this limitation very easily.
Since there is no way to disable Fast Pair on an Android device, you cannot simply turn it off to avoid the vulnerability. Many affected companies have rolled out patches to try to remedy the problem, but security researchers point out that getting these fixes requires downloading the manufacturer’s app and installing the update from there – something many speaker and headphone users don’t know they need to do.
If you own a speaker or pair of headphones from one of the affected companies, it’s important to download their app and install the patch as soon as possible. A WhisperPair website has been created which allows you to search through a list of vulnerable devices to see if you are likely to be affected, so be sure to check it out.
Researchers suggested that Fast Pair should cryptographically enforce the device pairing you intend and should not allow a second user to pair without authentication. But in the meantime, the only thing you can do is update your devices.



