This strange Google Fast Pair flaw even puts users with iPhones at risk


In summary:
- Macworld reports on WhisperPair, a serious vulnerability in Google Fast Pair that affects Bluetooth devices from brands like Sony, putting Android and iPhone users at risk.
- Hackers can exploit this flaw to play unauthorized audio, record through device microphones, or track users, while Apple AirPods and AirTags remain secure.
- Users should seek firmware updates from manufacturers to repair vulnerable devices, although updates are not always available for affected products.
Updated: Google contacted us to let us know that the Pixel Buds were patched to fix this vulnerability some time ago, and that the results in the WhisperPair list of vulnerable devices reflect testing done months ago.
If you’re using a Bluetooth device that supports Google Fast Pair, there’s a good chance it could be hijacked by a hacker, who could then play audio, record through the device’s microphone, or even track you if the device also supports Google Find Hub. And you’re not safe just because you’re using an iPhone or Mac: the vulnerability lies in the device itself, and the hacker exploits it from their own device within Bluetooth range.
The vulnerability, called WhisperPair, exploits a flaw in the way many Bluetooth devices implement Google Fast Pair technology. Here’s how it works:
When a host device (like your phone or laptop) attempts to pair with an accessory (like headphones) using Google Fast Pair, it attempts to communicate with the accessory it wants to pair with. If the accessory is not in pairing mode, Fast Pair is supposed to ignore any further actions or requests. But according to researchers from the COSIC group at KU Leuven, some devices do not implement this protocol correctly, allowing the host to associate with the accessory anyway.
If you use Apple accessories like AirPods or AirTags, you’re in the clear. These do not support Google Fast Pair. But popular Bluetooth accessories from other brands, such as Google Pixel Buds (fixed – see note above) or Sony WH-1000 headphones, have tested as vulnerable. And since this vulnerability exists in the accessories themselves, it doesn’t matter whether you’re using an iPhone or an Android, a Mac or a PC.
You can search a list of known vulnerable and safe products on the WhisperPair site. It’s worth noting that the only Beats product that has been tested is the Solo Buds, and it was found not to be vulnerable. Several other models are listed on the site but have not been properly tested.
If you have a vulnerable device, the fix will have to come as a firmware update for that device. You will need to check back later to see whether the manufacturer of your Bluetooth accessory has released a firmware update, and apply it. This may take a while, and for many accessories it may never arrive.



