Many Bluetooth devices with Google Fast Pair vulnerable to “WhisperPair” hack

Pairing Bluetooth devices can be a pain, but Google Fast Pair makes it almost seamless. Unfortunately, this can also make your headphones vulnerable to remote hacking. A team of security researchers from KU Leuven University in Belgium has revealed a vulnerability called WhisperPair that allows an attacker to hijack Fast Pair-enabled devices to spy on their owner.

Fast Pair is widely used and your device may be vulnerable even if you have never used a Google product. The bug affects more than a dozen devices from 10 manufacturers, including Sony, Nothing, JBL, OnePlus and Google itself. Google has acknowledged the flaw and informed its partners of the danger, but it’s up to those individual companies to create fixes for their accessories. A full list of vulnerable devices is available on the project website.

Researchers say it takes only an instant to take control of a vulnerable Fast Pair device (a median of just 10 seconds) at distances up to 14 meters. This is close to the limit of the Bluetooth protocol and far enough away that the target won’t notice anyone lurking while they hack headphones.

Once an attacker has forced a connection to a vulnerable audio device, they can perform relatively harmless actions, such as interrupting the audio stream or playing audio of their choice. However, WhisperPair also allows location tracking and microphone access. So the attacker can listen to your conversations and track you via the Bluetooth device in your pocket. Researchers have created a helpful video dramatization (below) that shows how WhisperPair can be used to spy on unsuspecting people.