Google designed the wireless protocol known as Fast Pair to optimize for ultra-convenient connections: It lets users connect their Bluetooth gadgets with Android and ChromeOS devices in a single tap. Now one group of researchers has discovered that the same protocol can also enable hackers to connect with that same seamless convenience to hundreds of millions of earbuds, headphones, and speakers. The result is an enormous collection of Fast Pair-compatible audio devices that allow any spy or stalker to take control of speakers and microphones, or in some cases track an unwitting target’s location—even if the victim is an iPhone user who has never owned a Google product.
Today, security researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google’s Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. The hacking techniques the researchers demonstrated, which they’re collectively calling WhisperPair, would allow anyone within Bluetooth range of those devices—close to 50 feet in their testing—to silently pair with audio peripherals and hijack them.
Depending on the accessory, a hacker could take over or disrupt audio streams or phone conversations, play their own audio through the victim’s earbuds or speakers at whatever volume they chose, or undetectably take over microphones to listen to the victim’s surroundings. Worse yet, certain devices sold by Google and Sony that are compatible with Google’s device geolocation tracking feature, Find Hub, could also be exploited to allow stealthy, high-resolution stalking.
“You’re walking down the street with your headphones on, you’re listening to some music. In less than 15 seconds, we can hijack your device,” says KU Leuven researcher Sayon Duttagupta. “Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location.”
“The attacker now owns this device,” adds researcher Nikola Antonijević, “and can basically do whatever he wants with it.”
The researchers demonstrate their hacking and tracking techniques in the video below:
Google today published a security advisory in coordination with the researchers, acknowledging their findings and describing its efforts to fix the problem. Since the researchers first disclosed their work to the company in August, they say, Google appears to have alerted at least some of the vendors of vulnerable devices, many of whom have made security updates available. However, given that very few consumers ever think about updating the software of internet-of-things devices like headphones, earbuds, or speakers, the KU Leuven researchers warn that the WhisperPair vulnerabilities may still persist in vulnerable accessories for months or years to come.
In most cases, applying those updates requires installing a manufacturer app on a phone or computer—a step most users never take and often aren’t even aware is necessary. “If you don’t have the app of Sony, then you’ll never know that there’s a software update for your Sony headphones,” says KU Leuven researcher Seppe Wyns. “And then you’ll still be vulnerable.”
When WIRED reached out to Google, a spokesperson responded in a statement thanking the researchers and confirming their WhisperPair findings. “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting,” the spokesperson writes. “We are constantly evaluating and enhancing Fast Pair and Find Hub security.”
Google also noted that it’s pushed out fixes for its own vulnerable audio accessories and an update to Find Hub in Android that the company says prevents rogue actors from using WhisperPair to track victims. Within hours of Google informing the researchers about that fix, however, they told WIRED that they had found a bypass for the patch and were still able to carry out their Find Hub tracking technique. Google didn’t immediately respond to WIRED’s request for comment on the researchers’ bypass of its patch.
As for Google’s statement that it hadn’t seen exploitation of the WhisperPair vulnerability in the wild, the researchers note that Google would have no way to observe audio accessory hijacking that didn’t involve Google devices.
WIRED also reached out to all nine other companies whose accessories the KU Leuven researchers determined to be vulnerable. Xiaomi responded in a statement that it “has been in communication with Google and other relevant parties and is working with suppliers to roll out [over-the-air] updates” to its Redmi brand of earbuds. JBL, which is owned by Harman Audio, said in a statement that “Google has advised JBL about potential security vulnerabilities that could impact devices including headphones and speakers. We have received the security patches from Google and the software will be updated via JBL apps over the next few weeks.”
Jabra responded in a statement that it had pushed out patches for Bluetooth vulnerabilities in the Airoha chipset it uses in its accessories in June and July. Given that the researchers didn’t tell anyone about their findings until August, however, they suggest that Jabra may be confusing their work with unrelated findings from June.
Logitech said it has “integrated a firmware patch for upcoming production units,” and points out that its affected device, the Wonderboom 4 speaker, doesn’t have a microphone that could be used for eavesdropping. OnePlus told WIRED that the company is looking into the issue. Marshall, Nothing, and Sony didn’t respond to WIRED’s request for comment.
The researchers’ WhisperPair attack takes advantage of a collection of flaws in the implementation of Fast Pair in the devices the team checked. Most fundamentally, Google’s specification for Fast Pair devices states that they shouldn’t be able to pair with a new computer or phone while already paired. But for the 17 vulnerable devices, anyone can silently pair with the target device, even if it’s already paired.
Using the Fast Pair vulnerabilities the researchers discovered, an attacker would only need to be in Bluetooth range and obtain a so-called Model ID value that’s specific to the target device model. The researchers note that these Model IDs can be obtained if an attacker owns or purchases a device of the same model as the target’s. They note, too, that in some cases, this ID is shared by the device when a computer or phone attempts to pair with it. And in addition to both of these methods of obtaining the right Model ID for a target device, the researchers also found that they could query a publicly available Google API for every possible Model ID and determine them for all devices.
In their experiments, the KU Leuven team used a low-cost Raspberry Pi 4 minicomputer to test their technique, attempting to pair with 25 different already-paired Fast Pair devices from 16 different vendors, and found that the majority of the devices and vendors they tested were vulnerable. They carried out their pairing techniques from about 14 meters (about 46 feet) from the target—though they think that greater distances would likely be possible—and the takeovers took between 10 and 15 seconds, they say.
The Google Pixel Buds Pro 2 earbuds and five models of Sony earbuds and headphones they tested also suffered from a distinct, disturbing security issue. If the devices weren’t previously linked to a Google account—say, because they were used only with an iPhone—then a hacker could use WhisperPair to not only pair with the target accessory, but also link it to their Google account. Google’s system is designed to identify the first Android device that pairs with the headphones, or other peripherals, as their owner. That trick would allow the hacker to use Google’s Find Hub feature, which tracks the device’s geolocation based on its connections to surrounding devices, and follow the target user’s movements. “That means that I can now see your device in my Find Hub network wherever you go, at all times,” says Duttagupta.
With that tracking technique, the victim might at some point get a smartphone notification that a Find Hub device was tracking them, thanks to safety features designed by Google and Apple to prevent Find Hub devices from being used to follow an unwitting victim. But any victim who followed up on the alert would see that Google or Apple was warning them that it was their own device tracking them and likely assume the alert was just a glitch, the researchers argue.
For all of these issues, there’s no easy change in the settings of accessories that users can make to protect themselves. “There’s no way to turn Fast Pair off, even if you’ll never use it,” says Wyns. “You can factory-reset your device, and that will clear the attacker’s access, so they will have to do the attack again, but it’s enabled by default on all of the supported devices.”
The WhisperPair vulnerabilities seem to have emerged from a complex and interrelated set of problems. The researchers point out that it is common for both peripheral manufacturers and chipmakers to make mistakes in implementing the Fast Pair technical standard. Not all of these flaws result in security vulnerabilities, but the extent of the confusion raises questions about the strength of the standard, the researchers say.
Google offers a Validator App through the Play Store that vendors have to run as part of getting their products certified to use Fast Pair. According to its description, the app “validates that Fast Pair has been properly implemented on a Bluetooth device,” producing reports on whether a product has passed or failed an evaluation of its Fast Pair implementation. The researchers point out that all of the devices they tested in their work had their Fast Pair implementation certified by Google. That means, presumably, that Google’s app categorized them as passing its requirements, even though their implementations had dangerous flaws. On top of this, certified Fast Pair devices then go through testing in labs selected by Google, which review the pass reports and then directly evaluate physical device samples before large-scale manufacturing to confirm that they align with the Fast Pair standard.
Google says that the Fast Pair specification provided clear requirements and that the Validator App was designed mainly as a supportive tool for manufacturers to test core functionality. Following the KU Leuven researchers’ disclosure, the company says it added new implementation tests specifically geared toward Fast Pair requirements.
Ultimately, the researchers say, it is difficult to determine whether the implementation issues that led to the WhisperPair vulnerabilities came from mistakes on the part of device manufacturers or chipmakers.
WIRED reached out to all the chipmakers who manufacture the chipsets used by the vulnerable audio accessories—Actions, Airoha, Bestechnic, MediaTek, Qualcomm, and Realtek—but none responded. In its comments to WIRED, Xiaomi noted, “We have confirmed internally that the issue you referenced was caused by a non-standard configuration by chip suppliers in relation to the Google Fast Pair protocol.” Airoha is the maker of the chip used in the Redmi Buds 5 Pro that the researchers identified as vulnerable.
Regardless of who is at fault for the WhisperPair vulnerabilities, the researchers emphasize that one conceptually simple change to the Fast Pair specification would address the more fundamental issue behind WhisperPair: Fast Pair should cryptographically enforce the accessory owner’s intended pairings and not allow a secondary, rogue “owner” to pair without authentication.
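The two rules the article describes, that an already-paired accessory should refuse a new peer (the specification requirement mentioned above) and that a second “owner” should not be accepted without authentication (the conceptual fix the researchers propose), can be made concrete in a small state model. The following is an added illustration, not code from the researchers, Google or any vendor, and it does not implement the real Fast Pair protocol: the `Accessory` class, the button-press authorisation, the HMAC challenge for ownership transfer and the `MODEL-ID-PLACEHOLDER` value are all hypothetical constructions. It contrasts a permissive accessory, which accepts any pairing or ownership claim, with a hardened one that enforces both rules.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


class PairingRejected(Exception):
    """Raised when the accessory refuses a pairing or ownership request."""


@dataclass
class Accessory:
    """Toy model of an accessory's pairing state (hypothetical; not the Fast Pair spec)."""
    model_id: str
    enforce_owner: bool                   # False: permissive behaviour; True: hardened policy
    connected_peer: Optional[str] = None  # peer currently paired with the accessory
    owner_key: Optional[bytes] = None     # long-term secret shared only with the owner's device
    pairing_mode: bool = False            # set by a physical button press on the accessory
    _nonce: Optional[bytes] = None        # outstanding ownership challenge

    def press_pairing_button(self) -> None:
        """Physical user action: the only way to admit a new peer on a hardened device."""
        self.pairing_mode = True

    def pair(self, peer: str) -> str:
        """Handle a pairing request from `peer`; returns the peer now connected."""
        if self.enforce_owner:
            # Rule 1: no new peer while already paired, unless the user opened pairing mode.
            other_peer = self.connected_peer not in (None, peer)
            if other_peer and not self.pairing_mode:
                raise PairingRejected(f"{self.model_id}: already paired with {self.connected_peer}")
        # A permissive device reaches this point for every request, whoever sent it.
        self.connected_peer = peer
        return peer

    def challenge(self) -> bytes:
        """Fresh nonce that a prospective owner must authenticate over."""
        self._nonce = os.urandom(16)
        return self._nonce

    def set_owner(self, peer: str, proof: Optional[bytes] = None) -> bytes:
        """Bind `peer` as owner; returns the owner key issued to that peer."""
        if self.enforce_owner:
            if self.owner_key is None:
                # Rule 2a: the first owner must be authorised by a physical button press.
                if not self.pairing_mode:
                    raise PairingRejected(f"{self.model_id}: ownership claim without user action")
            else:
                # Rule 2b: a later owner must prove knowledge of the current owner key.
                nonce, self._nonce = self._nonce, None
                if nonce is None or proof is None:
                    raise PairingRejected(f"{self.model_id}: missing challenge or proof")
                expected = hmac.new(self.owner_key, nonce, hashlib.sha256).digest()
                if not hmac.compare_digest(expected, proof):
                    raise PairingRejected(f"{self.model_id}: ownership proof failed")
        # A permissive device lets whoever asks become the owner.
        self.pairing_mode = False
        self.owner_key = os.urandom(32)
        return self.owner_key


def prove(owner_key: bytes, nonce: bytes) -> bytes:
    """Response the legitimate owner's device computes for a challenge."""
    return hmac.new(owner_key, nonce, hashlib.sha256).digest()


def run_scenario(enforce_owner: bool) -> dict:
    """Owner pairs and claims the accessory; an unknown nearby peer then tries both steps."""
    acc = Accessory("MODEL-ID-PLACEHOLDER", enforce_owner)  # constructed placeholder model ID
    acc.press_pairing_button()
    acc.pair("owner-phone")
    owner_key = acc.set_owner("owner-phone")
    out = {}

    try:                                   # unknown peer asks to pair while the owner is paired
        acc.pair("unknown-peer")
        out["rogue_pair"] = "accepted"
    except PairingRejected:
        out["rogue_pair"] = "rejected"

    acc.challenge()
    try:                                   # unknown peer claims ownership without the owner key
        acc.set_owner("unknown-peer", proof=os.urandom(32))
        out["rogue_owner"] = "accepted"
    except PairingRejected:
        out["rogue_owner"] = "rejected"

    nonce = acc.challenge()                # the owner's second device answers the challenge
    try:
        acc.set_owner("owner-laptop", proof=prove(owner_key, nonce))
        out["owner_transfer"] = "accepted"
    except PairingRejected:
        out["owner_transfer"] = "rejected"
    return out


if __name__ == "__main__":
    print("permissive:", run_scenario(False))
    print("hardened:  ", run_scenario(True))
```

Running the script shows the permissive model accepting every request, which is the behaviour the article attributes to the vulnerable devices, while the hardened model rejects the unknown peer at both steps yet still lets the owner’s own second device take over because it can answer the challenge. The design point is that ownership is tied to a secret rather than to being the first device to show up, so a reset or a user button press is required to re-bind the accessory.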
For now, Google and many device manufacturers have software updates ready to fix the specific vulnerabilities. But installation of those patches is likely to be inconsistent, as it almost always is in internet-of-things security. The researchers urge all users to update their vulnerable accessories, and they point users to a website they created that provides a searchable list of devices affected by WhisperPair. For that matter, they say that everyone should use WhisperPair as a more general reminder to update all of their internet-of-things devices.
The broader message of their research, they say, is that device manufacturers need to prioritize security when adding ease-of-use features. After all, the Bluetooth protocol itself contained none of the vulnerabilities they’ve discovered—only the one-tap protocol Google built on top of it to make pairing more convenient.
“Yes, we want to make our life easier and make our devices function more seamlessly,” says Antonijević. “Convenience doesn’t immediately mean less secure. But in pursuit of convenience, we should not neglect security.”