Discover ANY AI to make more online for less.

Flaw in 17 Google Fast Pair audio devices could let hackers eavesdrop

Now would be a good time to update all your Bluetooth audio devices. On Thursday, Wired reported on a security flaw in 17 headphone and speaker models that could allow hackers to access your devices, including their microphones. The vulnerability stems from a faulty implementation of Google's one-tap (Fast Pair) protocol.Security researchers at Belgium's KU Leuven University Computer Security and Industrial Cryptography group, who discovered the security hole, named the flaw WhisperPair. They say a hacker within Bluetooth range would only require the accessory's (easily attainable) device model number and a few seconds."You're walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device," KU Leuven researcher Sayon Duttagupta told Wired. "Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location." The researchers notified Google about WhisperPair in August, and the company has been working with them since then.Fast Pair is supposed to only allow new connections while the audio device is in pairing mode. (A proper implementation of this would have prevented this flaw.) But a Google spokesperson told Engadget that the vulnerability stemmed from an improper implementation of Fast Pair by some of its hardware partners. This could then allow a hacker's device to pair with your headphones or speaker after it's already paired with your device."We appreciate collaborating with security researchers through our Vulnerability Rewards Program, which helps keep our users safe," a Google spokesperson wrote in a statement sent to Engadget. "We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting. As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security."The researchers created the video below to demonstrate how the flaw worksIn an email to Engadget, Google said the steps required to access the device’s microphone or audio are complex and involve multiple stages. The attackers would also need to remain within Bluetooth range. The company added that it provided its OEM partners with recommended fixes in September. Google also updated its Validator certification tool and its certification requirements.The researchers say that, in some cases, the risk applies even to those who don't use Android phones. For example, if the audio accessory has never been paired with a Google account, a hacker could use WhisperPair to not only pair with the audio device but also link it to their own Google account. They could then use Google's Find Hub tool to track the device's (and therefore your) location.Google said it rolled out a fix to its Find Hub network to address that particular scenario. However, the researchers told Wired that, within hours of the patch’s rollout, they found a workaround.The 17 affected devices are made by 10 different companies, all of which received Google Fast Pair certification. They include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google. (Google says its affected Pixel Buds are already patched and protected.) The researchers posted a search tool that lets you see if your audio accessories are vulnerable.In a statement sent to Engadget, OnePlus said it's investigating the issue and "will take appropriate action to protect our users' security and privacy." We also contacted the other accessory makers and will update this story if we hear back.The researchers recommend updating your audio devices regularly. However, one of their concerns is that many people will never install the third-party manufacturer's app (required for updates), leaving their devices vulnerable.The full report from Wired has much more detail and is worth a read.This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/flaw-in-17-google-fast-pair-audio-devices-could-let-hackers-eavesdrop-194613456.html?src=rss