Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking

Google offers a Validator app through the Play Store that vendors must run as part of certifying their products to use Fast Pair. According to its description, the app “validates that Fast Pair has been correctly implemented on a Bluetooth device,” producing reports indicating whether a product has passed or failed an assessment of its Fast Pair implementation. The researchers point out that all of the devices they tested in their work had their Fast Pair implementation certified by Google. This likely means that Google’s app classified them as meeting its requirements, even though their implementations had dangerous flaws. On top of that, certified Fast Pair devices then undergo testing at Google-selected labs that review pass reports and then directly evaluate physical device samples before full-scale manufacturing to confirm they meet the Fast Pair standard.
Google says the Fast Pair specification provided clear requirements and that the Validator app was designed primarily as a support tool for manufacturers to test basic functionality. Following the disclosure from KU Leuven researchers, the company claims to have added new implementation tests specifically tailored to Fast Pair’s requirements.
Ultimately, researchers say, it’s difficult to determine whether the implementation issues that led to the WhisperPair vulnerabilities came from errors on the part of device makers or chipmakers.
WIRED contacted all chipmakers that make the chipsets used by the vulnerable audio accessories (Actions, Airoha, Bestechnic, MediaTek, Qualcomm and Realtek), but none responded. In its comments to WIRED, Xiaomi noted: “We have confirmed internally that the issue you mentioned was due to non-standard configuration by chip suppliers with respect to the Google Fast Pair protocol.” Airoha is the manufacturer of the chip used in the Redmi Buds 5 Pro that researchers identified as vulnerable.
Regardless of who is responsible for WhisperPair’s vulnerabilities, the researchers point out that a conceptually simple change to the Fast Pair specification would solve the more fundamental problem behind WhisperPair: Fast Pair should cryptographically enforce the pairings intended by the accessory owner and not allow a secondary, malicious “owner” to associate without authentication.
For now, Google and many device makers have software updates ready to fix specific vulnerabilities. But installations of these patches are likely to be inconsistent, as is almost always the case with Internet of Things security. The researchers urge all users to update their vulnerable devices and direct them to a website they created that provides a searchable list of devices affected by WhisperPair. They also say everyone should treat WhisperPair as a more general reminder to update all their Internet of Things devices.
The broader message from their research, they say, is that device makers need to prioritize security when adding easy-to-use features. After all, none of the vulnerabilities discovered were in the Bluetooth protocol itself; they were in the one-click protocol that Google built on top of it to make pairing more convenient.
“Yes, we want to make our lives easier and our devices run smoother,” says Antonijević. “Convenience does not immediately mean less security. But in the pursuit of convenience, we must not neglect security.”


