Full Report
Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.
Analysis Summary
# Vulnerability: WhisperPair - Flaws in Google Fast Pair Protocol Allow Audio Hijacking
## CVE Details
- CVE ID: Not explicitly listed in the provided text (Multiple CVEs likely exist across vendors/models).
- CVSS Score: Not explicitly listed in the provided text.
- CWE: Not explicitly listed in the provided text. (Likely related to improper authentication/authorization during pairing)
## Affected Systems
- Products: 17 models of headphones and speakers compatible with Google Fast Pair, sold by Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself.
- Versions: Specific vulnerable versions are not specified, but it affects devices utilizing the Fast Pair protocol that have not been patched.
- Configurations: Devices supporting Google's one-tap Fast Pair Bluetooth protocol. Exploitation for tracking requires compatibility with Google's Find Hub feature (affecting specific Google and Sony devices).
## Vulnerability Description
The WhisperPair attack exploits flaws in how 17 models of audio accessories implement Google’s Fast Pair Bluetooth protocol. An attacker within Bluetooth range (approx. 50 feet) can silently pair with and hijack the vulnerable device. This allows for taking control of audio streams, injecting arbitrary audio (at any volume), hijacking microphones to eavesdrop on surroundings, and in the case of specific devices, enabling stealthy, high-resolution location tracking via the Find Hub feature.
## Exploitation
- Status: Proof-of-Concept demonstrated in a lab setting by researchers (Not exploited in the wild, according to Google's statement, though researchers dispute this regarding non-Google devices).
- Complexity: Low (Can be done silently in under 15 seconds).
- Attack Vector: Adjacent (Bluetooth range required).
## Impact
- Confidentiality: High (Microphone hijacking, eavesdropping).
- Integrity: High (Ability to inject arbitrary audio/disrupt communications).
- Availability: Low to Medium (Potential for audio disruption). **Severe impact on location privacy for tracking-enabled devices.**
## Remediation
### Patches
- Google has pushed out fixes for its own vulnerable audio accessories and an update to the Android Find Hub service to prevent tracking exploitation.
- Vendors of the other affected hardware (Sony, Jabra, JBL, etc.) have made security updates available, often requiring the user to install a manufacturer-specific app.
- *Specific patch versions were not detailed in the source.*
### Workarounds
- **Install firmware updates through manufacturer apps:** Consumers must proactively seek out and install firmware updates provided by the accessory manufacturers, often through dedicated mobile applications, as these devices typically do not auto-update critical firmware.
- If technically feasible before patching, disabling the Fast Pair function or pairing mechanism might mitigate the initial attack vector, though this is not explicitly confirmed as effective.
## Detection
- Detection methods for passive hijacking (eavesdropping/audio injection) are not detailed in the provided text, as the attack is designed to be "silent."
- **Indicator of Compromise:** Unexplained audio playback, sudden microphone activation (if monitoring device behavior), or unexpected connection/pairing status changes.
- **Detection Methods:** None are described beyond the indicators above; protection relies primarily on applying vendor-released security updates. Google's update to Find Hub aims to prevent tracking exploitation.
## References
- [Research summary](https://whisperpair.eu/)
- [News coverage](https://www.wired.com/story/google-fast-pair-bluetooth-audio-accessories-vulnerability-patches/)