Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.

Link to see devices impacted: https://whisperpair.eu/

  • Professorozone@lemmy.world
    ↑2 · 2 hours ago (edited)

    Did anyone else get a “page not found” error when trying to see the list of affected headphones?

    Edit: spelling.

  • fort_burp@feddit.nl
    ↑40 ↓3 · 1 day ago

    Google designed the wireless protocol known as Fast Pair to optimize for ultra-convenient connections: It lets users connect their Bluetooth gadgets with Android and ChromeOS devices in a single tap.

    Bluetooth pairing is not a difficult process, imagine creating a whole new attack vector for that. And of course security was an afterthought. Capitalism is amazing for wasting resources and getting bad results for it.

    • zarenki@lemmy.ml
      ↑3 · 10 hours ago

      I think it’s far more common for devices to get pairing wrong than to get it right.

      Just a few of the very common issues I’ve seen in various devices:

      • TVs that are constantly in discoverable mode, even when the screen is off. Just in case the owner loses their remote and wants to pair a new one without reaching behind the TV to press a button. No way of avoiding this except disabling Bluetooth entirely, which makes the stock remote lose either partial or all functionality. Pairing requests also interrupt whatever you’re watching.
      • Audio devices that have a very short delay after turning on and waiting for any already-paired devices to connect before switching over to a pairing mode instead. So short that a smartphone in a low-power state (e.g. because you haven’t unlocked it for a few minutes) might not connect in time. Most if not all of the bluetooth-to-3.5mm receivers intended for older cars seem to share this problem.
      • Pairing codes are extremely underused in general, even among input devices. Most things seem to just pair with whoever sends a request first unconditionally.
      • ragebutt@lemmy.dbzer0.com
        ↑1 · 10 hours ago

        On this note: if you root your webOS TV there’s an app to truly disable Bluetooth, assuming you don’t use it. Imagine my surprise when one day my TV turned on with a request to allow my neighbor’s phone to connect to it? Modern convenience. I’m sure my neighbor just fat-fingered the device list while trying to connect something else, but the fact that it was even an option is absurd.

        • zarenki@lemmy.ml
          ↑1 · 4 hours ago

          My experience is mostly with Sony TVs, which run near-stock Android TV and do have a settings toggle to disable Bluetooth without needing root. Some models need BT for voice search (if mic is in the remote), and to many people losing that might be a good thing, but others seem to need it for basic menu navigation from the stock remote because odd features like trackpad don’t blast through IR. Considering how often I see unfamiliar TVs listed when I look at my phone’s Bluetooth pairing menu, I knew plenty of other TV vendors use constant discoverable mode.

          Having strangers within wireless range (especially for 2.4 GHz, but 5 GHz can be bad too) be able to intentionally and/or repeatedly interrupt what you’re doing with a pairing request at any time absolutely should be seen as a severe security flaw in my eyes. Even if they can’t successfully pair, the request prompt is akin to denial-of-service. Being such a blatant flaw that people often do it by mistake is even worse.

    • Taleya@aussie.zone
      ↑3 ↓1 · 16 hours ago

      Given it’s Google I would really not be surprised if it were a feature, not a bug.

    • dance_ninja@lemmy.worldOP
      ↑3 · 20 hours ago (edited)

      I’d agree security needs more attention when developing protocols and products, and I’d also consider Bluetooth simple. That being said, I know plenty of folks that don’t like the Bluetooth pairing process, especially those without a technical background.

      Fast Pair is really convenient, and I’d say it can open the door for a lot of new experiences, but I do wish the developers put more effort into their TARA.

  • ExLisper@lemmy.curiana.net
    ↑7 ↓4 · 17 hours ago

    Meh. So a realistic attack would be that you know someone you want to track has one of those 17 models (which is hard to tell by just looking at the headphones) and never paired it with Android and he carries them everywhere. You force-pair and now you can track them. It’s pretty silly as a random attack because why would you track a random person. It’s silly to use it to record conversations because from 15 m there are easier methods to do it. I would say the risk that this will be used to actually track/record someone is low.

  • bridgeenjoyer@sh.itjust.works
    ↑100 ↓6 · 2 days ago

    My wired headphones don’t have this issue, likely sound far better, require no batteries, and are user serviceable.

    Guys, we peaked in 2012 (potentially earlier) as a race technologically, stop trying to create new grifts for billionaires.

    • Seefra 1@lemmy.zip
      ↑12 · 22 hours ago (edited)

      I want to agree, I used to hate wireless headphones, until I realised that wired don’t last long if I wear them anywhere outside my desk.

      The cable keeps getting caught in door handles, accidentally stepped when I need to crouch and then snapped when I get up or the plug simply gives up from being constantly bent inside the pocket.

      I’m a person who can use a soldering iron but that doesn’t make repair much easier, phones don’t usually like the 3.5mm jacks available in the market, opening and closing whatever plastic thing covers the contacts or the back of the drivers often break after a third time opening it.

      The cables themselves start to break down and that time I ordered a whole replacement cable off eBay the phone lost all bass (probably high impedance).

      Another issue is that modern phones output a very quiet signal that doesn’t get loud enough even when plugged the HD25.

      In the end wireless headphones solve this problem, I still use wired headphones on my desk. But for mobile use wireless it is.

      • definitemaybe@lemmy.ca
        ↑2 · 8 hours ago

        I’m almost exactly in the same boat, except even at my desk I want wireless. I often turn my camera off and get up to make coffee or go pee in big meetings. It’s great. Even when I’m presenting things, it’s usually only at a specific time, and I can still talk when I’m away from my desk (flip-to-mute microphones are great.)

        I have several sets of wired headphones I used to love. I’d buy several sets at once so I already had a replacement when they inevitably broke. But I literally can’t remember the last time I used a pair of wired headphones. I only miss 3.5mm on my phone for plugging into my car’s aux port.

        • Fiery@lemmy.dbzer0.com
          ↑1 · 5 hours ago

          Wires are annoying as hell, and a proper desktop wireless headphone will have basically no loss in quality as they have a base station and are not using Bluetooth.

          Same with the mouse, for things like gaming latency can be an issue, but a proper one isn’t using Bluetooth either so no issues on that end (or at least the difference is lower than my skill issue, which causes me to lose games)

      • bridgeenjoyer@sh.itjust.works
        ↑3 · 18 hours ago

        The quiet issue is due to impedance. You need a better amplifier than your phone’s garbage DAC. High ohm headphones require more juice.

        I don’t listen to headphones on the go really. Only in office. Usually it sounds awful and there’s too much noise around me to enjoy it, and I prefer to enjoy music on my actual listening setup at home anyway, headphones will always sound worse due to no depth. But I’m weird about sound. Music isn’t background noise to me.

        • IMALlama@lemmy.world
          ↑2 · 12 hours ago

          Noise cancelling headphones and background music helps a ton when I’m in the office. Stupid open office…

    • hector@lemmy.today
      ↑9 · 1 day ago

      You can hardly find wired headphones now. When you do they are junk. I want a sturdy headphone where they did not save every penny making the wire near microscopic, cheap joints, etc.

      Paying more does not mean it is quality either.

      • bitchkat@lemmy.world
        ↑2 · 16 hours ago

        By wired do you mean exclusively RCA or do you count USB as well? Both pairs of my Sennheisers work via USB if you plug it in.

        • hector@lemmy.today
          ↑1 · 5 hours ago

          I have only had 3.5 mm jacks, which never work with my phones somehow but work for mp3 and computer. Mp3 has both 3.5mm jack and micro or c usb for charging, transferring.

      • supersquirrel@sopuli.xyz
        ↑4 · 19 hours ago (edited)

        The Sony XM3 and other headphones in the series are a great option since you don’t have to choose, they have a headphone jack so you can go wired if you want.

        Same thing with Shure Aonic 50s.

      • BarneyPiccolo@lemmy.today
        ↑6 · 21 hours ago

        Recording musicians use them for monitoring. Bluetooth has too much latency when you are trying to keep your groove in the pocket.

        I’m finding lots of great 10-15 yo used recording gear/tech that was originally $200+, going for cheap, like less than $50, because it doesn’t have Bluetooth, which you don’t want with recording gear anyway.

      • kent_eh@lemmy.ca
        ↑6 · 23 hours ago

        You can hardly find wired headphones now. When you do they are junk. I want a sturdy headphone

        Shop where the musicians shop.

      • lenz@lemmy.ml
        ↑5 · 22 hours ago (edited)

        Go to where the audiophiles are. There are plenty of headphones and IEMs (earbuds) under $50 (and even $25) that sound fantastic and sound better than $200 dollar options out there. My favs that I actually tried are the MOONDROP Chu 2 $23, Koss KSC75 $20, and the Sennheiser HD 600 (which I got on eBay for like $250). Check out the audiophile subreddit, there are plenty of people who have made ranking lists.

        • bridgeenjoyer@sh.itjust.works
          ↑5 · 18 hours ago

          Yeah if you’re buying headphones on Amazon or Walmart, you’ll get shit.

          I refuse to shop at either of those places for anything really. Wish others would be brave enough to do so as well and stop giving billionaires money for no reason.

        • hector@lemmy.today
          ↑2 · 22 hours ago

          Idk, 20, 40, more if needed if it will hold up to use at work. I usually get the sports ones that have the ear loop so you don’t have to constantly put earbuds back in the ear.

          • RaccoonBall@lemmy.ca
            ↑5 · 19 hours ago (edited)

            Ah yes it’s hard to build quality headphones for that little.

            In that price range I’d buy some chifi IEMs like the zero:2 or chu II.

            • hector@lemmy.today
              ↑2 · 19 hours ago

              How much for quality headphones then? Especially like earbuds with the sports clip that loops on the ear so they don’t fall out, to be able to use for work and running and such? If it lasts I will pay more. The more expensive stuff I’ve bought has broken as soon as the cheaper stuff.

              • Yttra@lemmy.world
                ↑2 · 14 hours ago

                It’ll be around $15-30 for some decent sounding KZ or CCA IEMs depending on the sound you want. Big fan of CCA CRA+ personally, but I use 7hz Zero 2s now and they’re a bit more ($40?)

    • Prox@lemmy.world
      ↑32 · 2 days ago

      We all laughed at the time, but The Matrix was right - civilization peaked in 1999.

      • vacuumflower@lemmy.sdf.org
        ↑7 · 1 day ago

        Talking about computers, definitely yes, functionally. The socially important problems got solutions, imperfect, but replaceable ones.

        We had publishing to all the world via Usenet and Web, file exchange with all the world via plenty of FTP servers, way to find those files and published pages via search engines (those real ones, which just indexed file attributes and page contents), our social identities were ICQ numbers and email addresses, our way to repost stuff was sending a link, our way to rate and discover good things was web directories made by people.

        For evaluating something on the Web a vote is simply not a universal unit. Every vote is a different person. So upvotes and downvotes lead to numbers being important for ratings on something, which means that the least useful things get the biggest ratings. Because everything useful is offensive to someone.

        The only downside that environment had was insufficient easiness of making a webpage, hosting a website, hosting something else.

        If I were imagining a solution, it would look like an all-in-one suite like Hotline, but based on how the Web was then, including an intuitive editor (something more like QuarkXPress) for pages and with hosting and mirroring being transparent. A p2p system with cryptographic identities, but manual choice of hosting something. With a p2p contact directory, but many trees of trust inside that directory, where one tree of trust is like one email provider or one xmpp server for identities, that you subscribe to. With “domains” (sort of) being done similarly to that contact directory. With good old Kademlia for finding contacts, domains, groups and separate pages, posts or files. And other than good old Kademlia, possibly some kind of interchangeable client-server things, like storage areas and trackers and relays, to help with offline messaging and NAT’s.

        OK, my thought floated away, intuitive management of anything creative in that system is honestly the main flaw of how it was in year 1999. I even wonder if that “agentic AI” they are talking about has a place in such an application suite.

        • FreeLikeGNU@lemmy.world
          ↑3 · 17 hours ago

          Those protocols and services still exist among improved means that are also decentralized. One only has to seek them out.

          • vacuumflower@lemmy.sdf.org
            ↑2 · 11 hours ago

            Not really. That’s like saying that a bunch of non-standardized tracks all over some country is a railway system.

    • aceshigh@lemmy.world
      ↑14 · 1 day ago

      I love not having to worry about charging my headphones. I had wireless for years but I went back to wired.

      • dubyakay@lemmy.ca
        ↑5 · 1 day ago

        I don’t find this being an issue when I have to charge it maybe once a month. Not talking about IEMs of course.

        • aceshigh@lemmy.world
          ↑3 · 23 hours ago

          My issue was needing them when they didn’t have a charge or had low charge, and not being able to charge them while using them.

    • UltraMagnus0001@lemmy.world
      ↑1 · 1 day ago (edited)

      Sennheiser hd630 is amazing. I use my technics az80 at work to block noise and appreciate having no wires getting caught up on mechanical stuff.

  • aramis87@fedia.io
    ↑40 · 2 days ago

    security researchers […] are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google’s Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself.

        • rollin@piefed.social
          ↑5 · 1 day ago

          Philips is another one not on that list. European company that AFAIK has mostly resisted the enshittification urge.

            • rollin@piefed.social
              ↑3 · 18 hours ago

              My information might be out of date yeah! I’ve just skimmed their Wikipedia which hasn’t helped clear things up! Seems they did have difficulties around 2011 - “After two decades in decline, Philips went through a major restructuring, shifting its focus from electronics to healthcare.”

              Then, “On 29 January 2013, it was announced that Philips had agreed to sell its audio and video operations to the Japan-based Funai Electric for €150 million […] Funai was to pay a regular licensing fee to Philips for the use of the Philips brand.[59] The purchase agreement was terminated by Philips in October because of breach of contract[61] and the consumer electronics operations remained under Philips”

              It’s a long wiki article with a hell of a lot of transfers and acquisitions, and it’s not clear how up to date some sections are. So I’m not sure what the current situation is.

              • BeardedGingerWonder@feddit.uk
                ↑4 · 17 hours ago

                A Dutch guy mentioned it to me a few years back how far the brand has fallen, reminds me a bit of GE in the US. It’s kinda sad. The really crazy thing is a few of the investments they made and dumped have gone on to be key players in tech, like ASML.

  • PierceTheBubble@lemmy.ml
    ↑10 · 2 days ago

    But you need to be in close proximity (~15m max) to stalk a victim? You might as well just follow them around physically then. Perhaps when the victim is in a private location, eavesdrop on their conversation or locating their position within there, might be a possibility. But ear raping would, of course, constitute the most significant danger of all. Also WhisperPair, not WhisPair?

    • postnataldrip@lemmy.world
      ↑21 ↓1 · 2 days ago

      If you want to listen to their mic via bluetooth or whatever, yes. But there’s also this:

      Some devices also support Google’s Find Hub network. This enables users to find their lost accessories using crowdsourced location reports from other Android devices. However, if an accessory has never been paired with an Android device, an attacker can add the accessory using their own Google account. This allows the attacker to track the user via the compromised accessory.

      • PierceTheBubble@lemmy.ml
        ↑10 · 2 days ago

        If the devices weren’t previously linked to a Google account … then a hacker could … also link it to their Google account.

        This already severely limits the pool of potential victims; but still a more practical exploit indeed. It’s almost as if this BLE tracking is a feature, rather than an exploit. And if you want to be notified of a device following you around, one has to perpetually enable BLE on their smartphone. But of course, headphone jacks are a thing of the past, and wireless is clearly the future. :)

        • postnataldrip@lemmy.world
          ↑5 · 1 day ago

          By all means call out if I’ve misunderstood, but the tracking vulnerability isn’t that BLE (by design) makes devices visible to everyone within range, it’s that by binding an unclaimed device to an account you gain the ability to look up that device via Google’s service, rather than needing to be nearby - you can simply ask Google to call on its global network to find “your” device. In other words, there’s nothing stopping me from setting an alert when a given BT device is nearby, that’s spot on, but I can’t fire up Google to look up that device when I’m not nearby, or look up its location history.

          And yes needing to have never been connected to an Android device definitely reduces the victim pool, but (and to address the other reply) I’m guessing it’d mean devices that have only ever been connected to iOS, Linux, Windows etc aren’t “claimed” and can still be enrolled by the attacker. It’s not about default creds, only having used devices that don’t enrol with Google is enough, as it leaves the device available to claim.

          3.5mm ftw and all that, but I doubt all the parents of teenagers with potentially vulnerable devices will have much luck convincing their kids to switch!
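
The first-binder-wins gap described in the comment above, as an added toy model (not part of the original thread, and not Fast Pair or Find Hub code). The class names, the accounts and the pairing-mode requirement used as the hardened variant are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Accessory:
    """Constructed model of an accessory's owner-binding state."""
    name: str
    require_pairing_mode: bool        # True = hardened variant (assumption)
    owner: Optional[str] = None       # account allowed to look up location
    pairing_mode: bool = False        # set only by a physical action
    hosts: Set[str] = field(default_factory=set)

    def pair_without_account(self, host: str) -> None:
        """Plain Bluetooth pairing that binds no owner account."""
        self.hosts.add(host)

    def bind_owner(self, account: str) -> bool:
        """Enrol in the finder network; the first successful caller wins."""
        if self.owner is not None:
            return False              # already claimed by someone
        if self.require_pairing_mode and not self.pairing_mode:
            return False              # holder has not consented
        self.owner, self.pairing_mode = account, False
        return True


class FinderNetwork:
    """Crowdsourced location reports, readable only by the bound owner."""

    def __init__(self) -> None:
        self.reports: Dict[str, List[str]] = {}

    def report(self, acc: Accessory, place: str) -> None:
        self.reports.setdefault(acc.name, []).append(place)

    def locate(self, acc: Accessory, account: str) -> List[str]:
        if acc.owner != account:
            raise PermissionError("not the bound owner")
        return list(self.reports.get(acc.name, []))


def unclaimed_in_use(accessories: List[Accessory]) -> List[str]:
    """Defender's audit: accessories that are in use but have no owner."""
    return [a.name for a in accessories if a.hosts and a.owner is None]


def _try_locate(net: FinderNetwork, acc: Accessory, account: str) -> List[str]:
    try:
        return net.locate(acc, account)
    except PermissionError:
        return []


def scenario(require_pairing_mode: bool) -> dict:
    """User pairs with a laptop only; a stranger then tries to bind first."""
    net = FinderNetwork()
    buds = Accessory("buds", require_pairing_mode)
    buds.pair_without_account("laptop")           # no owner gets bound
    unclaimed_before = unclaimed_in_use([buds])
    stranger_bound = buds.bind_owner("stranger@example.test")  # constructed
    buds.pairing_mode = True                      # holder presses the button
    user_bound = buds.bind_owner("user@example.test")          # constructed
    net.report(buds, "cafe")                      # constructed location report
    return {
        "unclaimed_before": unclaimed_before,
        "stranger_bound": stranger_bound,
        "user_bound": user_bound,
        "stranger_sees": _try_locate(net, buds, "stranger@example.test"),
        "user_sees": _try_locate(net, buds, "user@example.test"),
    }


if __name__ == "__main__":
    print("first caller wins:    ", scenario(False))
    print("pairing mode required:", scenario(True))
```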

          • PierceTheBubble@lemmy.ml
            ↑2 · 19 hours ago (edited)

            I understand you’ve read the comment as a single thing, mainly because it is. However, the BLE part is an additional piece of critique, which is not directly related to this specific exploit; neither is the tangent on the headphone jack “substitution”. It’s, indeed, this fast pairing feature, which is the subject of the discussed exploit; so you understood that correctly (or I misunderstood it too…).

            I’m however of the opinion, BLE being a major attack vector, by design. These are IoT devices that, especially when “find my device” is enabled (which in many cases isn’t even optional: “turned off” iPhones for example), do announce themselves periodically to the surrounding mesh, allowing for the precise location of these devices; and therefore also the persons carrying them. If bad actors gain access, to for example Google’s Sensorvault (legally in the case of state-actors), or would find ways of building such databases themselves; then I’d argue you’re in serious waters. Is it a convenient feature, to help one relocate lost devices? Yes. But this nice-to-have, also comes with this serious downside, which I believe doesn’t even near justify the means. Rob Braxman has a decent video about the subject if you’re interested.

            It’s not even a case of kids not wanting to switch, most devices don’t even come with 3.5mm jack connectors anymore…

      • fishos@lemmy.world
        ↑2 · 2 days ago

        That’s literally any device. Goes all the way back to things like people setting up routers and not changing the default password so anyone else can get in. That’s just user error plain and simple.