**Sony, Anker, and Other Headphones Exposed: A Serious Google Fast Pair Security Vulnerability**

Researchers from KU Leuven University's Computer Security and Industrial Cryptography group in Belgium have uncovered a critical flaw in Google's Fast Pair protocol that affects numerous Bluetooth audio devices. The vulnerability, which has been dubbed WhisperPair, can allow attackers to listen in on conversations or track the location of affected devices.

The researchers discovered several weaknesses in the Fast Pair protocol, which is designed to streamline Bluetooth pairing and connect wireless audio accessories to Android or Chrome OS devices with a simple tap. However, their findings revealed that many devices don't implement Fast Pair correctly, including the part of Google's specification that prohibits a device from pairing with a new device while it is already paired to another.

The researchers conducted extensive testing on over two dozen Bluetooth devices and successfully hacked 17 of them using the WhisperPair attacks. They were able to play audio through the compromised headphones and speakers at any volume, intercept phone calls, and even eavesdrop on conversations using the devices' microphones.

A more serious issue was found to affect five Sony products and Google's Pixel Buds Pro 2. If the devices weren't previously connected to an Android device and linked to a Google account (which isn't required when using them with iPhones), WhisperPair could be used to pair and link them to a hacker's Google account that would be recognized as the device's owner.

This would enable a hacker to use Google's Find Hub network to track the user's location and movements through their headphones, provided the user dismissed as errors the smartphone notifications warning that a device was tracking them. The researchers' list of affected devices from 10 different companies includes the Sony WH-1000XM6, WH-1000XM5, and WH-1000XM4 headphones, as well as the Nothing Ear (a), OnePlus Nord Buds 3 Pro, and Anker Soundcore Liberty 4 NC earbuds.

The researchers reported their findings to Google in August 2022, and the company responded by recommending fixes to its "accessory OEM partners" in September. Google also updated its certification requirements to mitigate similar issues going forward.

"We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting," said Ed Fernandez, a Google spokesperson, in a written statement to The Verge. However, the researchers told Wired that it only took them a few hours to bypass the patch and continue their tracking.

To protect against WhisperPair attacks, users must install firmware updates released by manufacturers that resolve the vulnerabilities. Unfortunately, the Fast Pair feature cannot be disabled, leaving users with no choice but to wait for software updates from their device manufacturers.

As of now, several manufacturers have responded to The Verge's inquiries about the security vulnerability. OnePlus North America confirmed in a written statement that it "takes all security reports seriously" and is "currently investigating this matter and will take appropriate action to protect our users' security and privacy." We will update this story as other companies respond.

**Affected Devices:**

* Sony WH-1000XM6
* Sony WH-1000XM5
* Sony WH-1000XM4
* Nothing Ear (a)
* OnePlus Nord Buds 3 Pro
* Anker Soundcore Liberty 4 NC earbuds

**Update:** This article will be updated as more companies respond to The Verge's inquiries about the security vulnerability.