Your headphones may be tracking you – how a Google Fast Pair exploit lets hackers spy in seconds | Daily Reports Online
- Attackers can hack your speaker’s microphones and track your location
- The vulnerability is found in Google’s Fast Pair feature
- Researchers say the flaw could affect millions of devices
Google’s Fast Pair feature is meant to let you connect your headphones and speakers to your Android or ChromeOS device with just one tap. Yet now it seems that the price of that convenience is a security vulnerability that could leave millions of devices open to hackers and eavesdroppers.
That startling discovery was made by security researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group (via Wired), who are dubbing the collection of vulnerabilities WhisperPair.
There, an investigation found that 17 major headphone and speaker models could be accessed by hackers just as easily as regular users. The devices are made by companies across the industry, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore and Xiaomi.
In practice, an intruder could potentially gain power over your device’s microphone and speakers or even track your location. That would allow them to play their own audio into your earphones or silently switch on your microphones and eavesdrop on your conversations.
If the target device is compatible with Google’s Find Hub location tracking system, they could follow you in the real world. And as scary as that sounds, it’s not even the first time that Find Hub has been broken into by dangerous hackers.
Worse, this can even be done if the victim’s device runs iOS and the target has never used a Google product before. If your device has never been connected to a Google account – which might be the case if you’re an iPhone user – a hacker could not only snoop on it but also pair it to their own Google account.
That’s because Google’s system identifies the first Android device that connects to target speakers or headphones as the owner, a weakness that would let a hacker track your location in their own Find Hub app.
How does it work?
In order to do this, all an attacker needs is to be within Bluetooth range and to have the target device’s model ID to hand. A hacker could obtain this model ID if they own the same device model as the target or by querying a publicly available Google API.
One way WhisperPair works is through a flaw in Fast Pair’s multi-device setup. Google says that a paired device shouldn’t be able to be paired to a second phone or computer. Yet the researchers were able to bypass this limitation very easily.
Because there’s no way to disable Fast Pair on an Android device, you can’t simply switch it off in order to avoid the vulnerability. Many of the affected companies have rolled out patches in an attempt to remedy the problem, but the security researchers point out that getting these fixes requires downloading a manufacturer’s app and getting a patch from there – something many users of speakers and headphones are not aware that they need to do.
If you own a speaker or pair of headphones from one of the impacted firms, it’s important to download their app and install the fix as soon as you can. A WhisperPair website has been created that lets you search through a list of vulnerable devices to see if you are likely to be affected, so be sure to check that.
The researchers have suggested that Fast Pair should cryptographically enforce your desired device pairing and should not allow a second user to pair without authentication. But until that happens, updating your devices is about all you can do.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
