Валентин Шнайдер, Around IT
16 January 2026, 17:02
A vulnerability has been found in Google Fast Pair that allows an attacker to connect to someone else's headphones in seconds
Researchers from KU Leuven have announced a series of vulnerabilities in the quick connection feature of Bluetooth headphones and speakers on Android/ChromeOS. According to their description, the attack could give third parties access to control the device and, in certain scenarios, location tracking.
According to TechRadar, researchers have named the set of issues WhisperPair and verified that it affects 17 popular models from various brands, including Google, Sony, JBL, Jabra, Logitech, Marshall, Nothing, OnePlus, Xiaomi, and others. The essence of the risk is that an attacker within Bluetooth range could try to connect to the headset as easily as a legitimate user and bypass the «one device, one owner» restriction in multi-connection mode.
In the worst case, this could allow the attacker to turn on the microphone for eavesdropping, play sound in the headphones, or control the speaker. If the accessory supports Find Hub (a search and tracking service), the attacker could link the device to their own account and see its movements. The authors note that the scenario is possible even for iPhone owners who have never used Google services: the system may consider the first Android device that connects to the accessory to be the «owner».
The attack, according to the description, requires only Bluetooth proximity and the device's model ID, which can be obtained by owning the same gadget or by querying a public API. It is impossible to disable Fast Pair on Android, so the main advice is to update the firmware of the headphones or speakers via the manufacturer's application, if a patch has already been released.
Fast Pair was designed as a «one-tap connect» feature, but researchers point out that without stricter verification during reconnection, attackers can use the convenience as an entry point.
Previously, dev.ua wrote about how cybersecurity researchers are warning about a vulnerability in Telegram that allows attackers to obtain the real IP addresses of Android and iOS users, even when using a built-in proxy.