- Attackers can hack your speaker’s microphones and track your location
- The vulnerability is found in Google’s Fast Pair feature
- Researchers say the flaw could affect millions of devices
Google’s Fast Pair feature allows users to connect headphones and speakers to their Android or ChromeOS devices with a single tap. However, this convenience comes with a significant security risk, as a vulnerability could expose millions of devices to hackers and eavesdroppers.
This alarming finding was reported by security researchers from KU Leuven University in Belgium, who have identified a series of vulnerabilities collectively named WhisperPair.
The investigation revealed that 17 major models of headphones and speakers could be easily accessed by hackers, including products from Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi.
In practice, an intruder could gain control over the device’s microphone and speakers, potentially tracking your location or even eavesdropping on conversations by activating the microphone without your knowledge.
If the device is compatible with Google’s Find Hub location tracking system, hackers could follow users in real-time. This is not the first instance of Find Hub being compromised by malicious actors.
Worse still, this vulnerability can be exploited even if the victim’s device runs iOS and has never been linked to a Google account. A hacker could not only monitor the device but also pair it with their own Google account.
This occurs because Google’s system identifies the first Android device that connects to the target headphones or speakers as the owner, allowing hackers to track the victim’s location using their own Find Hub app.
How does it work?
To exploit this vulnerability, an attacker only needs to be within Bluetooth range and have the target device’s model ID. This ID can be obtained if the hacker owns the same device model or by querying a publicly available Google API.
One method by which WhisperPair operates is through a flaw in Fast Pair’s multi-device setup. Google states that a paired device should not connect to a second phone or computer, yet researchers easily bypassed this restriction.
Since there is no option to disable Fast Pair on Android devices, users cannot simply turn it off to avoid the vulnerability. Many affected companies have released patches, but obtaining these fixes often requires downloading a manufacturer’s app, which many users may not realize they need to do.
If you own a speaker or headphones from one of the affected brands, it is crucial to download their app and install the necessary updates as soon as possible. A WhisperPair website has been set up to help users check if their devices are vulnerable.
Researchers recommend that Fast Pair should implement cryptographic enforcement for device pairing and require authentication for secondary users. Until such measures are in place, updating your devices remains the best course of action.