Full Report
Sloppy implementation of Google spec leaves 'hundreds of millions' of devices vulnerable

Hundreds of millions of wireless earbuds, headphones, and speakers are vulnerable to silent hijacking due to a flaw in Google's Fast Pair system that allows attackers to seize control without the owner ever touching the pairing button.…
Analysis Summary
# Vulnerability: Silent Hijacking of Fast Pair Enabled Bluetooth Accessories (WhisperPair)
## CVE Details
- CVE ID: Not explicitly provided in the text; the issue is referred to as "WhisperPair."
- CVSS Score: Not explicitly provided in the text.
- CWE: Likely related to Improper Access Control or Insecure Default Configuration.
## Affected Systems
- Products: Wireless earbuds, headphones, and speakers implementing Google's Fast Pair system.
- Versions: Unspecified; affects devices with "sloppy or incomplete implementations of Google's Fast Pair specification."
- Configurations: Devices that fail to enforce the requirement that accessories only accept new pairing requests when explicitly placed into pairing mode by the user.
## Vulnerability Description
The vulnerability, dubbed "WhisperPair," stems from device manufacturers' poor implementation of the Google Fast Pair specification. A correct Fast Pair implementation requires an accessory to accept pairing requests only after the user has manually put it into pairing mode. However, many affected accessories accept new connection requests at any time, irrespective of the accessory's state. This allows an attacker within Bluetooth range to hijack the device by initiating a pairing process before the legitimate owner does.
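The missing state check described above, modelled as an added example (not code from the researchers, Google, or any vendor firmware). The struct, function names, tick-based timeout, and one-bond-per-button-press policy are assumptions made for illustration; the trace is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical accessory model; names and the timeout are assumptions. */
enum { PAIRING_WINDOW_TICKS = 120 };
typedef enum { PAIR_ACCEPTED, PAIR_REJECTED } pair_result_t;
typedef struct {
    bool     pairing_mode;   /* set only by a physical user action */
    uint32_t window_start;   /* tick when the user opened pairing mode */
    int      bonds;          /* peers accepted so far */
} accessory_t;

/* Called from the button handler, never from the radio path. */
void user_enter_pairing_mode(accessory_t *a, uint32_t now) {
    a->pairing_mode = true;
    a->window_start = now;
}

/* Flawed behaviour described above: accessory state is never consulted. */
pair_result_t handle_request_flawed(accessory_t *a, uint32_t now) {
    (void)now;
    a->bonds++;
    return PAIR_ACCEPTED;
}

/* Hardened: accept only inside a user-opened window (wrap-safe expiry check). */
pair_result_t handle_request_hardened(accessory_t *a, uint32_t now) {
    if (a->pairing_mode && (uint32_t)(now - a->window_start) >= PAIRING_WINDOW_TICKS)
        a->pairing_mode = false;
    if (!a->pairing_mode)
        return PAIR_REJECTED;
    a->pairing_mode = false;   /* assumed policy: one bond per user action */
    a->bonds++;
    return PAIR_ACCEPTED;
}

/* Constructed event trace: request, button press, request, request. */
int replay_trace(pair_result_t (*handle)(accessory_t *, uint32_t)) {
    accessory_t a = { false, 0, 0 };
    handle(&a, 10);                   /* unsolicited: no button pressed yet */
    user_enter_pairing_mode(&a, 100);
    handle(&a, 110);                  /* owner pairs inside the window */
    handle(&a, 130);                  /* unsolicited: window already used */
    return a.bonds;
}
int main(void) {
    printf("flawed=%d hardened=%d\n", replay_trace(handle_request_flawed),
           replay_trace(handle_request_hardened));
    return 0;
}
```

On the same trace the flawed handler ends with three bonds and the hardened one with only the owner's, which is the property a firmware regression test for this issue should pin down.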
## Exploitation
- Status: Researchers confirmed the ability to exploit this flaw; it is not stated whether exploitation is widespread in the wild, but the potential is high due to device ubiquity.
- Complexity: Low. Attacks require only a nearby phone or laptop; no exotic hardware or nation-state resources are needed.
- Attack Vector: Adjacent (Bluetooth range).
## Impact
- Confidentiality: High (Attackers can potentially activate and listen via the microphone on some devices).
- Integrity: High (Attackers can seize control, interrupt audio, or manipulate volume).
- Availability: Medium (Interruption of audio service). If devices are registered by an attacker, legitimate owners may lose access or control.
## Remediation
### Patches
- Vendor-specific firmware updates are currently being released for some devices. Device owners must check manufacturer advisories for specific updates.
### Workarounds
- Switching Fast Pair off on the phone does not fully mitigate the issue if the accessory firmware remains vulnerable.
- Physical proximity to the accessory is required. Keeping the accessory away from unknown or unsecured environments may offer temporary protection.
## Detection
- Indicators of Compromise: Unexpected connection requests, new pairing prompts when none were intended, or unauthorized changes in audio/device control.
- Detection Methods and Tools: No specific detection tools are mentioned, but monitoring Bluetooth connection logs or utilizing tools capable of auditing Bluetooth accessory connection states might reveal unauthorized pairings.
## References
- KU Leuven researchers' findings: hxxps://www.esat.kuleuven.be/cosic/news/whisperpair-hijacking-bluetooth-accessories-using-google-fast-pair/