Millions of bluetooth earbuds at risk due to Google fast pair flaw

Recent research at KU Leuven highlights that hundreds of millions of wireless earbuds, headphones and speakers may be vulnerable to silent takeovers due to a flaw in Google’s Fast Pair system. The issue, named WhisperPair, allows attackers to seize control of Bluetooth accessories without the owner ever putting the device into pairing mode.

Fast Pair is supposed to guarantee that accessories only accept new connections when users deliberately enable pairing. In practice, the researchers found that many devices claiming Fast Pair support fail to enforce this basic safeguard. This means an attacker can initiate pairing anytime outside of this narrow window, even while the accessory is in use.

Once the attacker is connected, he has the same owner rights. This may be used to inject or interrupt audio, perform a volume setting change, and, in some specific cases, even activate the microphone.

Researchers underline that no sophisticated tools are needed to stage the attack, as it can be performed using just an ordinary phone or laptop that is in close vicinity.

The trouble is not caused by Bluetooth technology but by the lack of consistency between the implementation of the Fast Pair specification set by Google. The main goal of Fast Pair is faster connection through the use of Bluetooth Low Energy and cloud technology. However, the enforcement of the connection guideline is dependent on the vendor.

The dangers do not end at audio control. Certain Fast Pair accessories are compatible with the Google Find My Device network. If an attacker is able to connect to the device before the person who actually owns it, then they have the possibility of registering it to their account and tracking it.

Google reports that it was notified of the bug and that it is working to solve the issue with the manufacturers of the devices. An update to the firmware is currently in progress, although many budget-friendly devices either can’t be updated at all or can be updated through companion apps that aren’t frequently used. Turning off Fast Pairing on a phone does not provide much security if the device can accept unwanted pairing requests.

The bug was privately disclosed to the developers last year, and the paper was withheld until the bug was fixed, during which the researchers received a bug bounty.