Researchers Warn of Eavesdropping Vulnerabilities in Popular "Fast Pair" Bluetooth Devices

A common error in implementing Google's Fast Pair leaves Bluetooth users vulnerable to being deafened by loud music or spied upon.

ghalfacree

A team of researchers from KU Leuven have warned of a security vulnerability in popular Bluetooth accessories like earphones and headsets — thanks to a faulty implementation of Google's Fast Pair standard.

"Google Fast Pair enables one-tap pairing and account synchronization across supported Bluetooth accessories," the researchers explain of their findings. "While Fast Pair has been adopted by many popular consumer brands, we discovered that many flagship products have not implemented Fast Pair correctly, introducing a flaw that allows an attacker to hijack devices and track victims using Google's Find Hub network. We introduce WhisperPair, a family of practical attacks that leverages a flaw in the Fast Pair implementation on flagship audio accessories. Our findings show how a small usability 'add-on' can introduce large-scale security and privacy risks for hundreds of millions of users."

Researchers have found a flaw in the way popular Bluetooth devices, including Sony's WH-1000XM6 headphones, implement Google's Fast Pair, which can lead to hijacking and location tracking. (📷: Sony)

Using Fast Pair, a "seeker" device, typically a smartphone, can send a signal to a "provider" device to trigger pairing, with the understanding that the "provider" should only respond to the request if it's in pairing mode. Unfortunately, the researchers found that common implementations of Fast Pair skipped that step — meaning they respond to "seeker" requests even when in active use, disconnecting from their currently-paired device and connecting to an attacker's device instead.

"This gives an attacker complete control over the accessory," the researchers warn, "allowing them to play audio at high volumes or record conversations using the microphone. This attack succeeds within seconds (a median of 10 seconds) at realistic ranges (tested up to 14 meters [around 46 feet]) and does not require physical access to the vulnerable device."

As well as hijacking connections for eavesdropping or to play loud audio, the vulnerability can be used to track an owner's location. (📷: Duttagupta et al)
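The pairing-mode check that the affected implementations skip can be expressed as a small conformance test for provider firmware. The following is an added example, not code from the researchers or from Google: it is a simplified model of the behaviour described above, and every type and function name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a Fast Pair "provider" (accessory); names are hypothetical. */
typedef enum { PEER_NONE, PEER_OWNER, PEER_STRANGER } peer_t;

typedef struct {
    bool   pairing_mode;  /* set only when the user puts the accessory in pairing mode */
    peer_t connected;     /* device currently holding the connection */
} provider_t;

typedef bool (*handler_fn)(provider_t *p, peer_t seeker);

/* Behaviour the article describes in affected products: every request is answered. */
bool handle_request_flawed(provider_t *p, peer_t seeker) {
    p->connected = seeker;            /* current device is disconnected */
    return true;
}

/* Expected behaviour: a request outside pairing mode is ignored. */
bool handle_request_checked(provider_t *p, peer_t seeker) {
    if (!p->pairing_mode)
        return false;                 /* leave the existing connection untouched */
    p->connected = seeker;
    p->pairing_mode = false;          /* assumption: pairing mode ends after one pairing */
    return true;
}

/* Conformance check: across every start state, count cases where a request
 * sent outside pairing mode was answered or changed the connection. */
int count_violations(handler_fn handle) {
    const peer_t peers[] = { PEER_NONE, PEER_OWNER, PEER_STRANGER };
    int violations = 0;
    for (int i = 0; i < 3; i++) {
        provider_t p = { .pairing_mode = false, .connected = peers[i] };
        bool answered = handle(&p, PEER_STRANGER);
        if (answered || p.connected != peers[i])
            violations++;
    }
    return violations;
}

int main(void) {
    printf("flawed:  %d violations\n", count_violations(handle_request_flawed));
    printf("checked: %d violations\n", count_violations(handle_request_checked));
    return 0;
}
```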

A second vulnerability was also discovered: if a Fast Pair accessory hasn't yet been paired with an Android device, an attacker can add it to their own account on Google's Find Hub — allowing them to track the owner wherever they go. "The victim may see an unwanted tracking notification after several hours or days," the researchers admit, "but this notification will show their own device. This may lead users to dismiss the warning as a bug, enabling an attacker to keep tracking the victim for an extended period."

More information on the vulnerability is available on the WhisperPair website; the researchers have also published a list of known-vulnerable and known-safe devices, with the former requiring a firmware update from the manufacturer to be written and published in order to close the security hole.
