Summary created by Smart Answers AI
In summary:
- Macworld reports on WhisperPair, a serious vulnerability in Google Fast Pair that affects Bluetooth devices from brands like Sony, putting both Android and iPhone users at risk.
- Hackers can exploit this flaw to play unauthorized audio, record through device microphones, or track users, while Apple’s AirPods and AirTags remain secure.
- Users should check for firmware updates from manufacturers to fix vulnerable devices, though updates may not always be available for affected products.
Updated: Google contacted us to let us know Pixel Buds were patched to fix this vulnerability a while ago, and that results represented in the WhisperPair vulnerable devices list represents testing done months ago.
If you use a Bluetooth device that supports Google Fast Pair, there’s a decent chance that it can be taken over by a hacker, who could then play audio, record through the device’s microphone, or even track you if the device supports Google Find Hub as well. And you’re not safe just because you use an iPhone or Mac—the vulnerability is in the device itself, and the hacker implements it from their own device within Bluetooth range.
The vulnerability, called WhisperPair, exploits a flaw in the way many bluetooth devices implement Google Fast Pair technology. Here’s how it works:
When a host device (like your phone or laptop) tries to pair with an accessory using Google Fast Pair (such as a pair of headphones), it tries to communicate with the accessory it wants to pair. If the device is not in pairing mode, Fast Pair is supposed to ignore any further action or requests. But according to researchers at the COSIC group of KU Leuven, some devices don’t implement this protocol properly, allowing the host to pair with the accessory anyway.
If you use Apple accessories like AirPods or AirTags, you’re in the clear. These don’t support Google Fast Pair. But if you use popular Bluetooth accessories from other brands, such as Google Pixel Buds (patched—see note above) or Sony WH-1000 headphones, they have been tested to be vulnerable. And because this vulnerability exists in the accessories themselves, it doesn’t matter whether you use an iPhone or Android, Mac or PC.
You can search a list of known vulnerable and known safe products on the WhisperPair site. Of note, the only Beats product that has been tested is the Solo Buds, and it’s been cleared from vulnerability. Several other models are listed on the site but haven’t been properly tested.
If you have a vulnerable device, a fix will have to come in the form of a firmware update for that device. You’ll have to check in the future if the manufacturer of your bluetooth accessory has issued a firmware update and apply it. This could take some time, and for many accessories it may never arrive.
