Flaw in Google Fast Pair devices allows hackers to eavesdrop

Security researchers have uncovered a vulnerability called WhisperPair in 17 audio devices using Google's Fast Pair protocol, enabling hackers to access microphones and track locations within Bluetooth range. The flaw affects products from 10 manufacturers, including Sony and Google, and stems from improper implementation of the pairing standard. Google has collaborated with researchers to address the issue, though full fixes depend on hardware partners.

A team of researchers from Belgium's KU Leuven University revealed the WhisperPair vulnerability on January 15, 2026, affecting 17 headphone and speaker models certified for Google's Fast Pair protocol. This one-tap pairing feature, designed to simplify Bluetooth connections, has been improperly implemented by some hardware partners, allowing unauthorized pairings even outside pairing mode.

The attack requires a hacker to be within Bluetooth range—up to 14 meters—and know the device's model number, which is easily obtainable. It takes a median of 10 seconds, or less than 15 in some cases, to hijack the device. As KU Leuven researcher Sayon Duttagupta explained to Wired, "You're walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device. Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location."

Once connected, attackers can interrupt audio streams, play their own sounds, eavesdrop via the microphone, or use Google's Find Hub to track the device's location. The vulnerability applies even to non-Android users if the device hasn't been linked to a Google account, potentially allowing hackers to bind it to their own account.

Researchers notified Google in August 2025, prompting collaboration through the company's Vulnerability Rewards Program. Google provided fixes to partners in September 2025 and updated its Find Hub network, but the team quickly found a workaround. A Google spokesperson stated, "We appreciate collaborating with security researchers... We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting. As a best security practice, we recommend users check their headphones for the latest firmware updates."

Affected manufacturers include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google. Google's Pixel Buds have received patches, while OnePlus is investigating. The flaw cannot be disabled, and many users may remain vulnerable without installing manufacturer apps for updates. Researchers advise regular firmware checks and factory resets if compromise is suspected, noting no known real-world exploits to date.

관련 기사

Illustration of a person checking their phone for a spoofed call warning on Android, highlighting Google's new deepfake detection feature.
AI에 의해 생성된 이미지

Google adds detection for spoofed calls to Android phones

AI에 의해 보고됨 AI에 의해 생성된 이미지

Google is rolling out a new feature to Android devices that detects impersonation scams involving spoofed calls. The update targets the rising threat of AI-generated deepfake voices in financial fraud. It begins deploying this month on phones running Android 12 and higher.

A researcher has shown that the Sound Blaster Katana V2X speaker from Creative Technologies can be used to infect a connected computer with malicious commands over Bluetooth. The attack requires no pairing and works even without physical access to the device.

AI에 의해 보고됨

A vulnerability in Google Gemini on Android allowed crafted notifications from apps like WhatsApp and Slack to manipulate the AI's responses and connected tools. The issue, discovered by SafeBreach, has been addressed through server-side changes.

이 웹사이트는 쿠키를 사용합니다

사이트를 개선하기 위해 분석을 위한 쿠키를 사용합니다. 자세한 내용은 개인정보 보호 정책을 읽으세요.
거부