WhisperPair Vulnerabilities Expose Most Bluetooth Headsets to Audio, Microphone, and Location Takeover
by Justin Erickson
Researchers at KU Leuven have identified a group of flaws, named WhisperPair, in Bluetooth audio devices that use Google’s Fast Pair protocol. The flaws allow an attacker within Bluetooth range to silently pair with a compatible Bluetooth device (headphones, earbuds, speakers), even when it is already paired, and then take control of its audio and microphone. In tests, hijacks worked at roughly 14 meters in under 15 seconds on 25 models from 16 different vendors.

On some devices that integrate with Google’s Find Hub tracking feature, WhisperPair can also be abused for location tracking. If the device is not already linked to a Google account, an attacker can register it to their own account and then track it with Find Hub. People whose devices are compromised may not realize they are being tracked.

There is no simple setting to disable Fast Pair. The only way to protect your Bluetooth device is to install the manufacturer’s firmware update and then factory reset the device to remove the attacker’s pairing. Because this is a very new vulnerability, not all devices have a firmware update yet, and they will stay vulnerable until a patch is issued for their specific device.
