TL;DR

  • Researchers have found a vulnerability in Fast Pair implementations that could let bad actors connect to audio devices to eavesdrop or track victims’ locations.
  • Google says it has “worked with these researchers to fix these vulnerabilities.”
  • Updates from audio device manufacturers are required to patch the vulnerability. It’s recommended users update their devices ASAP.
  • The researchers say “many manufacturers have released patches for their impacted devices,” but advise checking with your device’s manufacturer to be sure.

There’s a significant security vulnerability in many manufacturers’ implementations of Google’s Fast Pair protocol that could affect a wide variety of popular audio accessories. Security researchers at Belgian university KU Leuven have made public information about what they’ve dubbed WhisperPair, a set of cyber attacks that leverage a flaw in Fast Pair implementations to hijack audio devices, letting bad actors potentially track user location or eavesdrop on private conversations.

As reported by Wired, researchers with KU Leuven’s Computer Security and Industrial Cryptography group (COSIC) managed to exploit Google Fast Pair to connect to target devices like earbuds and headphones, with no physical access required. Once connected, the researchers were able to play audio on or listen to audio recorded by target devices, and even track the devices using Google’s Find Hub network. This is a serious issue affecting devices from the likes of Sony, JBL, Soundcore, and Google — but a firmware update can patch the vulnerability.