- Attackers Can Hack Your Speaker Microphones and Track Your Location
- The vulnerability is in Google’s Fast Pair feature
- Researchers say the flaw could affect millions of devices
Google’s Fast Pair feature is designed to let you connect your headphones and speakers to your Android or ChromeOS device with just one tap. However, it now appears that the price of that convenience is a security vulnerability that could leave millions of devices exposed to hackers and spies.
That surprising discovery was made by security researchers from the Industrial Cryptography and Computer Security group at KU Leuven University in Belgium (via Wired), who are calling the collection of vulnerabilities WhisperPair.
Their investigation found that hackers could access 17 major models of headphones and speakers as easily as regular users. The devices are manufactured by companies across the industry, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore and Xiaomi.
In practice, an intruder could potentially gain control over your device’s microphone and speakers or even track your location. That would allow them to play their own audio through your headphones or silently turn on your microphones and listen to your conversations.
If the target device supports Google’s Find Hub location tracking system, an attacker could follow you in the real world. And as scary as it may seem, it’s not even the first time dangerous hackers have broken into Find Hub.
Worse yet, this can be done even if the victim’s device runs iOS and the target has never used a Google product before. If your device has never been connected to a Google account (which could be the case if you’re an iPhone user), a hacker could not only spy on it but also link it to their own Google account.
This is because Google’s system identifies the first Android device that connects to the target speakers or headphones as the owner, a weakness that would allow a hacker to track the accessory’s location in their own Find Hub app.
How does it work?
To do this, all an attacker needs is to be within Bluetooth range and have the model ID of the target device on hand. A hacker could obtain this model ID by owning the same device model as the target or by querying a publicly available Google API.
One way WhisperPair works is through a flaw in Fast Pair’s multi-device configuration. Google says that a paired device should not be able to pair with a second phone or computer. However, the researchers were able to get around this limitation very easily.
Because there is no way to disable Fast Pair on an Android device, you cannot simply turn it off to avoid the vulnerability. Many of the affected companies have deployed patches in an attempt to remedy the problem, but security researchers point out that getting these fixes requires downloading the manufacturer’s app and installing the patch from there, something many speaker and headphone users don’t know to do.
If you own a speaker or pair of headphones from one of the affected companies, it’s important to download their app and install the fix as soon as possible. A WhisperPair website has been created that allows you to search a list of vulnerable devices to see if you are likely to be affected, so be sure to check it out.
Researchers have suggested that Fast Pair should cryptographically enforce the desired device pairing and should not allow a second user to pair without authentication. But until that happens, updating your devices is all you can do.
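The researchers' recommendation above, sketched as an added example that is not from the article, the researchers or Google: a toy accessory that accepts a first pairing only after a deliberate user action and accepts any later device only with a cryptographic proof from the existing owner. The class, the `pairing_mode` flag and the HMAC challenge scheme are assumptions for illustration and do not represent the actual Fast Pair protocol.

```python
import hashlib
import hmac
import secrets


class Accessory:
    """Toy model of a headset's pairing policy (hypothetical, not Fast Pair)."""

    def __init__(self):
        self.owner_key = None      # set when the first device pairs
        self.pairing_mode = False  # True only after a physical button press
        self._nonce = None         # outstanding single-use challenge

    def challenge(self):
        # Fresh random challenge so an old proof cannot be replayed.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def pair(self, new_key, proof=None):
        nonce, self._nonce = self._nonce, None  # consume the challenge
        if self.owner_key is None:
            # First pairing: require deliberate user action on the accessory.
            if not self.pairing_mode:
                return False
            self.owner_key = new_key
            self.pairing_mode = False
            return True
        # Already owned: a second device must prove the owner authorised it.
        if nonce is None or proof is None:
            return False
        expected = hmac.new(self.owner_key, nonce + new_key, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def owner_authorise(owner_key, nonce, new_key):
    # Runs on the owner's phone: binds the approval to this nonce and this key.
    return hmac.new(owner_key, nonce + new_key, hashlib.sha256).digest()
```

Being in Bluetooth range is not enough under this policy: an unauthenticated request to an owned accessory is rejected, and a captured proof fails on reuse because the nonce is consumed.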



