Flaws in the way 17 models of headphones and speakers implement Google's one-tap Bluetooth Fast Pair protocol have left the devices open to eavesdropping and stalking.
Google created the wireless protocol known as Fast Pair to optimize ultra-convenient connections: it allows users to pair Bluetooth accessories with Android and ChromeOS devices with a single tap. Now a team of researchers has discovered that the same protocol could also allow hackers to connect to millions of headphones, earphones, and speakers just as conveniently. The result is a vast collection of Fast Pair-compatible audio devices that would let any spy or stalker take control of their speakers and microphones, or in some cases track the target's location, even if the victim is an iPhone user who has never owned a Google product.
Today, security researchers from the Computer Security and Industrial Cryptography Group at KU Leuven in Belgium are disclosing a set of vulnerabilities found in 17 audio accessories that use the Google Fast Pair protocol and are sold by 10 different companies, including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Logitech, and Google itself. The hacking techniques the researchers demonstrated, which they call WhisperPair, allow anyone within Bluetooth range of these devices (about 50 feet in their tests) to silently pair with the audio peripherals and hijack them.
Depending on the device, the attacker can intercept or interrupt audio streams or phone calls, play their own audio through the victim's headphones or speakers at any volume they choose, or turn on the microphones undetected to listen in on the victim's surroundings. Worse, some of the devices sold by Google and Sony are compatible with Google's geolocation tracking feature, Find Hub, which can then be used to track the victim's location in high resolution.
"You walk down the street with your headphones on, listening to music. In less than 15 seconds we can steal your device," said Sayon Duttagupta, a researcher at KU Leuven. "That means I can turn on the microphone and listen to your ambient sound. I can input audio. I can track your location."
Researcher Nikola Antonijević added that "the attacker now has this device and he can do whatever he wants with it."
The researchers demonstrate their hacking and tracking techniques in the video below:
Google today published a security advisory in coordination with the researchers, acknowledging the findings and describing its efforts to fix the problem. Since the researchers first disclosed their work to the company in August, they said, Google appears to have notified at least some vendors of vulnerable devices, many of which have already issued security updates.
In most cases, applying an update requires installing the manufacturer's app on your phone or computer, "a step many users may not take," says KU Leuven researcher Seppe Wyns. "And then you will still be vulnerable."
When contacted, a Google spokesperson responded in a statement thanking the researchers and confirming WhisperPair's findings.
Google has released patches for its own vulnerable audio devices and has pushed an update to Android's Find Hub that the company says will prevent rogue actors from using WhisperPair to track victims. However, within hours of Google notifying the researchers about the patch, they said they had found a way around it and were still able to carry out their Find Hub tracking technique. Google did not immediately respond to a request for comment on the researchers' bypass of its patch.
As for Google's claim that it hasn't seen WhisperPair exploited in the wild, the researchers point out that Google has no way to detect hijacking of audio accessories that are not connected to Google devices.
The nine other companies whose devices the KU Leuven researchers determined to be vulnerable were also contacted. Xiaomi said in a statement that it "is meeting with Google and the relevant parties and working with vendors to release [over-the-air] updates" for its Redmi earbuds. JBL, which is owned by Harman Audio, said in a statement that "JBL has been advised of security measures that may affect devices including Google headphones and speakers," adding that it has received the security measures from Google and that "the software will be updated with JBL apps in the next few weeks."
In a statement, Jabra responded that it had released fixes in June and July for Bluetooth vulnerabilities in the Airoha chipset used in its accessories. The researchers said they didn't tell anyone about their findings until August, suggesting Jabra may have conflated their work with unrelated findings from June.
Logitech said it has "included a firmware patch for upcoming production units" and noted that the affected device, the Wonderboom 4 speaker, does not have a microphone that could be used for eavesdropping. OnePlus said the company is looking into the issue. Marshall, Nothing, and Sony did not respond to requests for comment.
The researchers' WhisperPair attack exploits a collection of flaws in the Fast Pair implementations of the devices the team tested. At its most basic, Google's Fast Pair specification states that devices must not be paired with a new computer or phone while they are already paired. But on the 17 vulnerable devices, anyone can silently pair with the target, even while it is already paired.
Using the Fast Pair vulnerability the researchers discovered, an attacker only needs to be within Bluetooth range and to know the so-called model ID value that is specific to the target device's model. The researchers note that these model IDs can be obtained if an attacker owns or has purchased a device of the same model as the target. They also note that in some cases the model ID is shared when a computer or phone tries to connect to the device. And beyond those two methods, the researchers found that they could query a publicly available Google API for every possible model ID and thereby determine the ID for all devices.
In their experiments, the KU Leuven team used a low-cost Raspberry Pi 4 minicomputer to test their technique, attempting to connect it to 25 already-paired Fast Pair devices from 16 different vendors, and found that most of the devices and vendors they tested were vulnerable. Each takeover took 10 to 15 seconds, they say.
The Google Pixel Buds Pro 2 earbuds and five models of Sony earbuds and headphones that were tested also had a distinct and troubling security flaw. If the devices had never been connected to a Google account, for example because they were only ever used with an iPhone, a hacker could use WhisperPair not only to connect to the targeted accessory but also to link it to their own Google account. Google's system is designed to treat the first Android device that pairs with the headphones or other peripheral as the owner. This trick would allow the hacker to use Google's Find Hub feature, which tracks a device's geolocation based on its connections with surrounding devices, to follow the target user's movements. "This means I can now see your device in my Find Hub network wherever you go, at all times," says Duttagupta.
With this tracking method, the researchers argued, the victim would immediately receive a notification on their smartphone that a Find Hub device is tracking them, thanks to safeguards designed by Google and Apple to prevent Find Hub devices from being used to track someone without their knowledge.
For all these issues, users cannot easily change settings to protect themselves. Even if you never use Fast Pair, Wyns says, there is no way to turn it off. "Factory resetting a device prevents the attacker from accessing it and requires them to attack again, but it is enabled by default on all supported devices."
The WhisperPair vulnerabilities appear to stem from complex and interrelated issues. The researchers show that it is common for peripheral manufacturers and chipmakers to make mistakes when implementing the Fast Pair standard. Not all of these errors lead to security concerns, but the extent of the confusion raises questions about the strength of the standard, the researchers say.
Google offers a Validator app in the Play Store that vendors must use to certify their products for Fast Pair. According to its description, the app "verifies that the Fast Pair feature is properly implemented on the Bluetooth device," generating reports on whether the product has passed or failed the Fast Pair implementation assessment. The researchers note that all the devices they tested had a Google-verified Fast Pair implementation. This likely means the Google app classified these devices as meeting its requirements even though their implementations had dangerous flaws. Furthermore, Fast Pair-certified devices then undergo testing at select Google labs, which review the passing reports and then directly evaluate physical device samples prior to mass production to confirm they comply with the Fast Pair standard.
Google says the Fast Pair specification provides clear requirements and that the Validator app is primarily designed as a support tool for manufacturers to test basic functionality. Following the KU Leuven researchers' discovery, the company says it has added new implementation tests targeting Fast Pair requirements.
In the end, the researchers said, it is difficult to determine whether the problems that left devices vulnerable to WhisperPair were due to errors by the device manufacturers or by the chip manufacturers.
All the chipmakers that produce chipsets used in the vulnerable audio accessories—Actions, Airoha, Bestechnic, MediaTek, Qualcomm, and Realtek—were contacted, but none responded. In its comment, Xiaomi said: "We have confirmed internally that the problem you are referring to is caused by an unusual configuration by the chip suppliers in relation to the Google Fast Pair protocol." Airoha makes the chip used in the Redmi Buds 5 Pro, which the researchers identified as vulnerable.
Whoever is to blame for WhisperPair's flaws, a simple change to the Fast Pair specification would solve the fundamental problem behind WhisperPair, the researchers stress: Fast Pair must ensure that pairings are authorized by the accessory's owner, and, secondly, it must not allow a fraudulent "owner" to be assigned.
Currently, Google and many device manufacturers are releasing software updates to address the specific vulnerabilities. However, the installation of these patches can be inconsistent, as is almost always the case with Internet of Things security. The researchers urge all users to update their vulnerable accessories and direct them to a website they created with a searchable list of devices affected by WhisperPair. More broadly, they say people should take WhisperPair as a general reminder to update all their Internet of Things devices.
The broader message of their research, they say, is that device makers need to prioritize security while adding ease-of-use features. After all, the Bluetooth protocol itself had none of the vulnerabilities they found, only the layer Google built on top of it to make pairing a single tap.
"Yes, we want to make our lives easier and our devices work better," Antonievich said. "Convenience does not mean less security. But while pursuing convenience, we cannot forget security."
