WhisperPair flaw in Fast Pair lets attackers hijack and eavesdrop on Bluetooth earbuds

Researchers disclosed a family of vulnerabilities called WhisperPair that affect implementations of Google's Fast Pair protocol, which is used to connect Bluetooth headphones, earbuds and other audio accessories. As first reported by Wired, the flaws were uncovered by a team at Belgium's KU Leuven University with support from the government's Cybersecurity Research Program.

The researchers say the issue stems from many accessories skipping a critical check during Fast Pair: a seeker (a Bluetooth-enabled device) can send a pairing request that should be ignored unless the accessory is in pairing mode. When that check is missing, an unauthorized device can initiate pairing, and an attacker can complete the procedure by establishing a regular Bluetooth pairing.

If an attacker covertly pairs with vulnerable headphones or earbuds they could gain full control of the accessory, including tampering with controls such as volume and potentially recording conversations via built-in microphones. Tests were conducted at ranges up to 14 metres. The researchers also warn attackers could register unpaired devices to their own Google Find Hub account and track the accessory, with a notification that may be ignored because it shows only the user's own device.

Devices from vendors including Google, Sony, Harman (JBL) and Anker were listed as vulnerable; both Android and iPhone users with affected accessories can be at risk.

Key Topics

Tech, Whisperpair, Fast Pair, Ku Leuven, Google, Find Hub