Google says it fixed a Bluetooth flaw. Researchers claim hackers can still track you



Google’s Fast Pair, introduced in 2017, transformed how users connect Bluetooth devices by enabling near-instant, one-tap pairing across Android and ChromeOS.

The same convenience that made the feature so popular, however, has also opened the door to serious privacy risks, according to new research. 

A team of scientists from Belgium’s KU Leuven University Computer Security and Industrial Cryptography group found that vulnerabilities in Fast Pair can allow attackers to hijack compatible devices just as easily as legitimate users connect to them.

Which devices are at risk?

The researchers identified the flaw in 17 Fast Pair-enabled audio accessories sold by 10 different companies, including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. 

In many cases, attackers can eavesdrop through speakers and microphones, or even take full control of them. 

“You’re walking down the street with your headphones on, you’re listening to some music. In less than 15 seconds, we can hijack your device,” KU Leuven researcher Sayon Duttagupta said. “Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location.”

More troubling, some Fast Pair-compatible devices can be exploited to track a victim’s location through Google’s device geolocation tracking technology, Find Hub. The risk extends even to iPhone users who have never owned a Google product, researchers found while testing Google Buds Pro 2 earbuds and five models of Sony earbuds and headphones.

If a Fast Pair device has never been linked to a Google account – as may be the case for iPhone users – an attacker can connect their own Google account to it. “That means that I can now see your device in my Find Hub network wherever you go, at all times,” Duttagupta explained.

Researchers found that hacking can occur anywhere an attacker and victim are within Bluetooth range. They’ve dubbed the technique “WhisperPair.” Once control is established, KU researcher Nikola Antonijević said attackers effectively “own this device and can basically do whatever he wants with it.”

Google alerted brands, the risk remains for many

Google said it has since alerted affected vendors, several of whom have released security updates. But researchers warn that many users never install those updates, particularly because they require downloading a manufacturer’s app, a step many consumers don’t take or don’t know exists. 

That gap, the researchers argued, could allow the vulnerabilities to persist for months or even years. “If you don’t have the app of Sony, then you’ll never know that there’s a software update for your Sony headphones,” KU Leuven researcher Seppe Wyns said. “And then you’ll still be vulnerable.”

Google published a security advisory in coordination with the researchers, acknowledging the flaws and outlining remediation efforts.

“We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting,” a spokesperson wrote in a statement to Wired. “We are constantly evaluating and enhancing Fast Pair and Find Hub security.”

Google also said it pushed fixes for its own vulnerable audio accessories and released an update to Find Hub on Android. However, within hours of publication, researchers reported they had already found a bypass that allowed continued device tracking through Find Hub.

Despite those findings, Google maintains that the vulnerability has been fully addressed.

In a statement to Inc, a company spokesperson said, “we rolled out a fix on our end to prevent Find Hub network provisioning in this scenario, which completely addresses the potential location tracking issue across all devices.”

Google also said it has not observed WhisperPair being used outside of controlled research environments. Researchers dispute that claim, arguing that Google may lack visibility into hijackings involving non-Google hardware, meaning the company cannot confidently conclude that WhisperPair is not being exploited in the wild.

For now, users have limited options to protect themselves. There isn’t a way for people to disable Fast Pair on accessories, even for those who never intend to use the feature. As researchers argued, the drive for frictionless connectivity may come at the cost of user privacy, which Google is still struggling to protect. – Inc./Tribune News Service

 
