Researchers from KU Leuven University's Computer Security and Industrial Cryptography group have identified a set of vulnerabilities, named WhisperPair, within Google's Fast Pair wireless protocol. This protocol is designed to simplify Bluetooth connections between Android/ChromeOS devices and audio peripherals. The vulnerabilities could enable unauthorized connections to various compatible audio devices, with affected manufacturers including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, Google, Anker, and Harman.
Discovery of Vulnerabilities
The research team discovered the WhisperPair vulnerabilities, which they reported to Google in August. Google confirmed the findings and subsequently awarded the researchers a $15,000 bounty.
Details of the Flaw
The vulnerabilities reportedly stem from incorrect implementation of the Fast Pair protocol by some hardware partners. In Fast Pair, the phone or laptop (the seeker) sends a pairing request to the accessory (the provider); a provider that is not in pairing mode should reject that request. Vulnerable devices accept it anyway, so an unauthorized party can complete pairing without any user action on the accessory. Google attributed the flaw to partners' improper implementation, which lets an attacker's device pair with an audio device that is already connected to its owner's phone.
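The failure mode described above is a missing state check in the accessory's handling of pairing requests. The following is an added illustration, not code from the KU Leuven researchers, Google, or any affected vendor: a deliberately simplified model of a Fast Pair provider's pairing state machine, with a switch that either honours pairing requests in every state (the WhisperPair class of bug) or only while the user has opened a pairing window. The message shape, field names, Bluetooth addresses and the 60-second window are assumptions made for the example, not values from the Fast Pair specification.

```python
# Added example: simplified model of a Fast Pair provider (headset/speaker)
# deciding whether to accept a key-based pairing request from a seeker.
# Not the Fast Pair spec or any vendor's firmware; fields and timings are
# assumptions made for illustration.
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Set, Tuple


class State(Enum):
    IDLE = auto()          # powered on, not discoverable for new pairings
    PAIRING_MODE = auto()  # user pressed the pairing button
    CONNECTED = auto()     # linked to a bonded seeker (e.g. streaming audio)


@dataclass
class PairingRequest:
    """A pairing request from a seeker (phone/laptop). Simplified: only the
    seeker's Bluetooth address is modelled."""
    seeker_addr: str


@dataclass
class Provider:
    """A headset or speaker. enforce_pairing_mode=False reproduces the
    WhisperPair class of bug: pairing requests are honoured in every state."""
    name: str
    enforce_pairing_mode: bool
    pairing_window_s: float = 60.0          # assumed length of the pairing window
    state: State = State.IDLE
    pairing_mode_since: Optional[float] = None
    bonded: Set[str] = field(default_factory=set)
    active_seeker: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def press_pairing_button(self, now: float) -> None:
        """The only way a user consents to a new pairing."""
        self.state = State.PAIRING_MODE
        self.pairing_mode_since = now
        self.events.append(f"{now:.0f}s user opened pairing window")

    def _pairing_allowed(self, now: float) -> bool:
        if self.state != State.PAIRING_MODE or self.pairing_mode_since is None:
            return False
        return now - self.pairing_mode_since <= self.pairing_window_s

    def handle_pairing_request(self, req: PairingRequest, now: float) -> bool:
        """Return True if the provider bonds and connects to the seeker."""
        if self.enforce_pairing_mode and not self._pairing_allowed(now):
            self.events.append(f"{now:.0f}s rejected {req.seeker_addr}: not in pairing mode")
            return False
        # The vulnerable path reaches this point from any state, including
        # CONNECTED, so a second seeker can take over the active link.
        self.bonded.add(req.seeker_addr)
        self.active_seeker = req.seeker_addr
        self.state = State.CONNECTED
        self.events.append(f"{now:.0f}s paired and connected to {req.seeker_addr}")
        return True


def simulate(enforce_pairing_mode: bool) -> Tuple[bool, Optional[str]]:
    """Owner pairs legitimately; ten minutes later an attacker in range sends
    an unsolicited request while the headset is in use and no button has been
    pressed. Returns (attacker_accepted, active_seeker)."""
    headset = Provider("headset", enforce_pairing_mode)
    owner = PairingRequest("AA:AA:AA:AA:AA:01")     # constructed address
    attacker = PairingRequest("DE:AD:BE:EF:00:02")  # constructed address

    headset.press_pairing_button(now=0.0)
    assert headset.handle_pairing_request(owner, now=5.0)
    accepted = headset.handle_pairing_request(attacker, now=600.0)
    return accepted, headset.active_seeker


if __name__ == "__main__":
    for enforce in (False, True):
        accepted, active = simulate(enforce)
        print(f"enforce_pairing_mode={enforce}: attacker accepted={accepted}, "
              f"active seeker={active}")
```

With the check disabled the attacker's request is accepted and becomes the active seeker; with it enabled the request is rejected because the headset is in the CONNECTED state. The window timeout in `_pairing_allowed` covers the related case where an accessory is left in pairing mode indefinitely, which would give an attacker a standing opportunity rather than a short one.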
Potential Impact and Attack Mechanics
An attacker within Bluetooth range, estimated at up to 50 feet (about 15 meters), could exploit these vulnerabilities in roughly 10 to 15 seconds. Depending on the device, an attacker could:
- Establishing unauthorized connections to audio devices.
- Disrupting or taking control of audio streams or phone calls.
- Playing audio through the victim's earbuds or speakers.
- Activating and utilizing device microphones to monitor ambient sound or record conversations.
- Adjusting device volume or changing tracks.
- For specific Google and Sony devices compatible with Google's Find Hub network, the flaw could enable user location tracking.
Google noted that accessing the microphone or injecting audio would require complex, multi-stage attacks within Bluetooth range.
Affected Devices and Brands
The research identified vulnerabilities in 17 audio accessories from 10 companies. The affected brand names include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, Google, Anker, and Harman; the list has more names than companies because Soundcore is an Anker brand and JBL is a Harman brand.
Google's Pixel Buds are reported to have been patched. OnePlus stated it is investigating the issue. Researchers have also provided a search tool for users to check device vulnerability.
Google's Response and Remediation
In conjunction with the researchers, Google published a security advisory confirming the findings. The company reportedly informed affected vendors and provided recommended fixes to OEM partners in September. Google also updated its Validator certification tool and requirements for Fast Pair.
Google rolled out a fix for its Find Hub network to address a scenario in which an unpaired audio accessory could be linked to an unauthorized, attacker-controlled Google account and used for tracking. The researchers reported finding a workaround for that patch shortly after its release. Google stated that it has not observed exploitation of the vulnerability outside laboratory settings.
Recommendations and Ongoing Concerns
Google and the researchers advise users to install the latest firmware updates for their audio devices, as software updates are presented as the primary method to prevent WhisperPair attacks.
The KU Leuven researchers cautioned, however, that many accessories may remain affected for months or years, because consumers rarely update the firmware on such internet-of-things devices and may never install the manufacturer app needed to receive updates.