This is how hackers can hijack your earbuds to spy on you

This type of cyber attack that exploits vulnerabilities in Fast Pair has been pre-emptively called WhisperPair by the researchers. It could allow any threat actor within 50 feet of their victim to silently pair with the targeted audio peripherals and hijack them, they said.

Once compromised, these devices could be used by hackers to disrupt phone conversations, play their own audio, or use the device’s microphones to listen to the victim’s surrounding conversations. Additionally, a few Google- and Sony-made devices compatible with the search giant’s device geolocation tracking feature called Find Hub, could allow threat actors to stalk victims in real-time if compromised.

The researchers’ findings underscore the need for device manufacturers to prioritise security over seamless connectivity and easy-to-use features such as Google’s one-tap wireless protocol. To be sure, the Bluetooth protocol itself did not contain any vulnerabilities and were limited to the Fast Pair protocol built on top of it.

The Sony ULT Field 1 Bluetooth speaker. Image used for representational purposes only. (Credit: Nandagopal Rajan/The Indian Express)

“You’re walking down the street with your headphones on, you’re listening to some music. In less than 15 seconds, we can hijack your device. Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location,” KU Leuven researcher Sayon Duttagupta was quoted as saying by Wired.

“The attacker now owns this device and can basically do whatever he wants with it,” another researcher, Nikola Antonijević, said. “Yes, we want to make our life easier and make our devices function more seamlessly. Convenience doesn’t immediately mean less secure. But in pursuit of convenience, we should not neglect security,” he added.

In response to the security researchers’ findings, Google confirmed the vulnerabilities in Fast Pair but said that there was no evidence of any active exploitation outside of the researchers’ lab setting. “We are constantly evaluating and enhancing Fast Pair and Find Hub security,” a company spokesperson was quoted as saying.

Google has also reportedly alerted a few of the vendors of the vulnerable devices and pushed out security patches for its own vulnerable audio accessories, including an update to Find Hub in Android to prevent threat actors from using WhisperPair to track victims.

Electronics manufacturers generally use Google’s official Validator App on the Play Store to get their products certified to use Fast Pair.

“Xiaomi has been in communication with Google and other relevant parties and working with suppliers to roll out [over-the-air] updates. We have confirmed internally that the issue you referenced was caused by a non-standard configuration by chip suppliers in relation to the Google Fast Pair protocol,” a company spokesperson was quoted as saying by Wired.

Nothing CMF Headphone Pro. Image used for representational purposes only. (Credit: Anuj Bhatia/Indian Express)

“Google has advised JBL about potential security vulnerabilities that could impact devices including headphones and speakers. We have received the security patches from Google and the software will be updated via JBL apps over the next few weeks,” Harman Audio-owned JBL said. Logitech reportedly said it has “integrated a firmware patch for upcoming production units” and OnePlus is reportedly looking into the issue.

Modus operandi

The researchers said that a WhisperPair attack would potentially exploit a collection of vulnerabilities used to implement the Fast Pair protocol in the devices.

Contrary to Google’s specification that Fast Pair-compatible devices should not be able to pair with a device while already paired, the researchers found that WhisperPair could let anyone silently pair with the target device even if it is already paired.

The attacker would only need to be in Bluetooth range of the device and obtain the Model ID of the device in order to successfully hijack the targeted device. As part of the research demonstration of WhisperPair, the team tried to pair a low-cost Raspberry Pi 4 minicomputer with 25 already-paired Fast Pair-compatible devices from 16 different electronics brands.

These experiments were carried out with the researchers standing 14 metres away from the target device. They found that a majority of the tested devices could be hijacked through these hacking techniques within 10-15 seconds.