Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.

Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.

Link to see devices impacted: https://whisperpair.eu/

  • zarenki@lemmy.mlEnglish
    3·
    9 hours ago

    I think it’s far more common for devices to get pairing wrong than to get it right.

    Just a few of the very common issues I’ve seen in various devices:

    • TVs that are constantly in discoverable mode, even when the screen is off. Just in case the owner loses their remote and wants to pair a new one without reaching behind the TV to press a button. No way of avoiding this except disabling Bluetooth entirely, which makes the stock remote lose either partial or all functionality. Pairing requests also interrupt whatever you’re watching.
    • Audio devices that have a very short delay after turning on and waiting for any already-paired devices to connect before switching over to a pairing mode instead. So short that a smartphone in a low-power state (e.g. because you haven’t unlocked it for a few minutes) might not connect in time. Most if not all of the bluetooth-to-3.5mm receivers intended for older cars seem to share this problem.
    • Pairing codes are extremely underused in general, even among input devices. Most things seem to just pair with whoever sends a request first unconditionally.
    • ragebutt@lemmy.dbzer0.comEnglish
      1·
      8 hours ago

      On this note: if you root your webos tv there’s an app to truly disable Bluetooth, assuming you don’t use it. Imagine my surprise when one day my tv turned on with a request to allow my neighbors phone to connect to it? Modern convenience. I’m sure my neighbor just fat fingered the device list while trying to connect something else but the fact that it was even an option is absurd

      • zarenki@lemmy.mlEnglish
        1·
        2 hours ago

        My experience is mostly with Sony TVs, which run near-stock Android TV and do have a settings toggle to disable Bluetooth without needing root. Some models need BT for voice search (if mic is in the remote), and to many people losing that might be a good thing, but others seem to need it for basic menu navigation from the stock remote because odd features like trackpad don’t blast through IR. Considering how often I see unfamiliar TVs listed when I look at my phone’s Bluetooth pairing menu, I knew plenty of other TV vendors use constant discoverable mode.

        Having strangers within wireless range (especially for 2.4 GHz, but 5 GHz can be bad too) be able to intentionally and/or repeatedly interrupt what you’re doing with a pairing request at any time absolutely should be seen as a severe security flaw in my eyes. Even if they can’t successfully pair, the request prompt is akin to denial-of-service. Being such a blatant flaw that people often do it by mistake is even worse.