**Update Your Headphones Now: Critical Vulnerability in Google Fast Pair Technology Exposes Users to Location Tracking**
Imagine being able to track someone's location by hacking into their headphones or speakers. Sounds like science fiction, right? Unfortunately, a team of researchers has discovered just such a flaw in Google's Fast Pair technology, which allows attackers to compromise the security of millions of Bluetooth devices from top brands.
The vulnerability, dubbed WhisperPair, was discovered by researchers at Belgium's KU Leuven University and affects headphones and speakers from leading manufacturers such as Sony, Google, OnePlus, Nothing, Xiaomi, Marshall, Anker, Jabra, Harman, and more. The flaw lies in how some brands have implemented the Fast Pair protocol, which is used to facilitate easy pairing between devices.
According to the researchers, when a phone or laptop sends a message to the headphones to start pairing, vulnerable devices fail to reject the request even when they are not in pairing mode. This allows unauthorized parties to complete the pairing process without the user's consent, giving them full control of the device. A hacker needs just 10 seconds within 14 meters of the Bluetooth device to carry out this WhisperPair attack.
Once inside, the attacker has access to all functions of the headphones or speakers, including turning up the volume, changing tracks, and even recording conversations. What's more alarming is that if the earbuds support Google's Find Hub network, the attacker can also track the user's location in real time. The researchers shared their findings with Google in August, received a $15,000 bounty, and published their study after a 150-day non-disclosure window.
Google has confirmed that the flaw was due to improper implementation by some manufacturers and has recommended fixes to them since September. "We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting," a company spokesperson tells Engadget.
So what can you do to protect yourself? Both Google and the researchers recommend installing the latest firmware update for your audio devices as soon as possible. "The only way to prevent WhisperPair attacks is by performing a software update," the researchers say.
**At-Risk Devices: Update Your Headphones Now!**
The following earbuds and headphones are labeled as "vulnerable" by the team and should be updated immediately:
- Sony, Google, OnePlus, Nothing, Xiaomi, Marshall, Anker, Jabra, Harman
Additionally, several more devices are not vulnerable to WhisperPair, but keeping them up to date is still recommended. These include the Sonos Ace, Audio-Technica ATH-M20xBT, JBL Flip 6, Jabra Speak2 55 UC, Bose QC Ultra Headphones, Poly VFree 60 Series, Beosound A1 2nd Gen, and Beats Solo Buds.
Remember to check your device's instruction manual for guidance on updating firmware. It's essential to stay informed and take action to protect yourself from these kinds of vulnerabilities. Stay safe out there!