Researchers at KU Leuven have disclosed WhisperPair, a set of attacks targeting the Google Fast Pair Bluetooth protocol used in many popular earbuds, headphones and speakers. The flaw allows an attacker within Bluetooth range to hijack these devices without user interaction, potentially intercepting audio, controlling playback, accessing microphones and even tracking a user’s location via companion network services.
WhisperPair leverages how some accessories implement Fast Pair’s one-tap pairing feature: vulnerable devices do not properly check whether they should accept a new pairing request. This makes it possible for an unauthorized device to force a connection and take control. Depending on how a device is configured, attackers could play audio at will, eavesdrop on conversations, or misuse location-tracking features tied to connected accounts.
The scope is significant: tests covering more than two dozen commercial devices from multiple brands showed that over two-thirds were susceptible to forced pairing and audio compromise. Affected products include models from Sony, Google, JBL, Jabra, Anker, Nothing, Xiaomi and more.
Because the vulnerability resides in the accessory’s implementation of the Fast Pair protocol rather than the host phone, updating the phone alone is not sufficient, users must install firmware updates from accessory manufacturers to address the issue.
For organizations and individuals using Bluetooth audio devices in daily operations, this incident is a reminder of the broader principle that convenience features can introduce unintended security and privacy risks when not implemented with robust safeguards.
WhisperPair exposes Bluetooth earbuds and headphones to tracking and eavesdropping | Malwarebytes
Researchers demonstrated WhisperPair, a set of attacks that can take control of many widely used Bluetooth earbuds and headphones without user interaction.
malwarebytes.com
Top comments (0)