Google’s Fast Pair protocol, designed for convenient one-tap Bluetooth connections for Android and ChromeOS devices, has been found to contain significant security vulnerabilities. Researchers have discovered that this protocol can allow unauthorized individuals to easily connect to hundreds of millions of earbuds, headphones, and speakers. This flaw creates a large number of Fast Pair-compatible audio devices that could be exploited by an attacker to take control of speakers and microphones, and in some cases, track a target’s location, even if the user owns an iPhone and has no Google products.
Security researchers from KU Leuven University’s Computer Security and Industrial Cryptography group are revealing a collection of vulnerabilities they found in 17 audio accessories that utilize Google’s Fast Pair protocol. These devices are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. The hacking techniques demonstrated by the researchers, collectively named WhisperPair, would allow anyone within Bluetooth range of these devices—approximately 50 feet in their testing—to silently pair with audio peripherals and hijack them.
Depending on the specific accessory, an attacker could take over or disrupt audio streams or phone conversations, play their own audio through the victim’s earbuds or speakers at any chosen volume, or undetectably activate microphones to listen to the victim’s surroundings. More critically, certain devices from Google and Sony that are compatible with Google’s device geolocation tracking feature, Find Hub, could also be exploited to enable stealthy, high-resolution stalking.
A KU Leuven researcher, Sayon Duttagupta, explained that an attacker could hijack a device in less than 15 seconds, enabling them to activate the microphone, inject audio, and track the user’s location. Another researcher, Nikola Antonijević, added that the attacker would essentially
