Bluetooth Exploit Leaves Hundreds of Millions of Accessories Vulnerable to Full Takeover

Researchers have discovered a vulnerability in Google Fast Pair, dubbed WhisperPair, that leaves affected accessories open to being fully controlled by an attacker.

The exploit leverages a flaw in the Fast Pair implementation of many popular devices that allows an attacker to pair the accessory with their own device. The attacker then gains complete control over the accessory and can “play audio at high volumes or record conversations using the microphone.”

It can also allow an attacker to track victims via Google’s Find Hub Network, a feature meant to help you find lost or stolen items.

The crux of the vulnerability is that accessories skip a critical step in the pairing process. When pairing with a Bluetooth accessory, your phone or computer must first send a message indicating that it wants to pair with it.

The Fast Pair specification states that if the accessory is not in pairing mode, it should disregard such messages. However, many devices fail to enforce this check in practice, allowing unauthorised devices to start the pairing process. After receiving a reply from the vulnerable device, an attacker can finish the Fast Pair procedure by establishing a regular Bluetooth pairing.
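To make the missing check concrete, here is a toy model of an accessory's handling of an incoming pairing request, written for this article and not taken from the researchers or from any Fast Pair implementation. The class name, the button-press trigger and the 60-second pairing window are assumptions; the only point it shows is the difference between an accessory that ignores requests outside pairing mode and one that answers them regardless.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Accessory:
    """Toy model of a Fast Pair accessory (names and timeout are assumptions).

    enforce_pairing_mode=False models the WhisperPair-class bug: the accessory
    answers a pairing request even though the user never put it in pairing mode.
    """
    name: str
    enforce_pairing_mode: bool
    pairing_window_s: float = 60.0          # assumed: pairing mode expires after a minute
    _pairing_until: float = field(default=0.0, init=False)
    paired_with: list = field(default_factory=list)

    def press_pairing_button(self, now=None):
        """Only a deliberate user action (a button press) opens pairing mode."""
        now = time.monotonic() if now is None else now
        self._pairing_until = now + self.pairing_window_s

    def in_pairing_mode(self, now=None):
        now = time.monotonic() if now is None else now
        return now < self._pairing_until

    def handle_pairing_request(self, requester, now=None):
        """Return True if the accessory answers the request, letting pairing proceed.

        The spec says to disregard requests when not in pairing mode; the
        vulnerable variant skips that check and replies to anyone nearby.
        """
        now = time.monotonic() if now is None else now
        if self.enforce_pairing_mode and not self.in_pairing_mode(now):
            return False                    # correct behaviour: silently ignore
        self.paired_with.append(requester)  # reply sent; regular pairing follows
        return True


if __name__ == "__main__":
    buggy = Accessory("buggy-buds", enforce_pairing_mode=False)
    fixed = Accessory("fixed-buds", enforce_pairing_mode=True)
    print("buggy answers unsolicited request:", buggy.handle_pairing_request("stranger"))
    print("fixed answers unsolicited request:", fixed.handle_pairing_request("stranger"))
    fixed.press_pairing_button()
    print("fixed answers after button press: ", fixed.handle_pairing_request("owner"))
```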

Since the attack targets the accessory itself rather than the phone or computer it connects to, iOS and other non-Android users with accessories that support Google Fast Pair are still vulnerable. You can check here whether your device is affected. Make sure to update the firmware on your Bluetooth devices as soon as possible. The researchers indicate that some devices have been patched, but not all manufacturers have released a fix for the flaw yet.

If an accessory hasn’t been paired to an Android device before, an attacker can add it to their Google account and track it through the Find Hub Network, essentially turning your headphones into a tracker. You will likely get a notification about headphones not belonging to you that are following you around, but many people will likely dismiss it as a glitch since they’re not aware that their headphones have been exploited.

The researchers make a cogent point about how small, nonstandard usability and convenience features can lead to massive security vulnerabilities. Apple has had its own fair share of issues with their own proprietary protocols like AirDrop.

These vulnerable devices passed both the manufacturers' quality assurance tests and Google's certification process, demonstrating a systemic failure rather than an individual developer error.

That issues like this can slip through shows a massive flaw in Google’s process for releasing secure products. It’s unclear what changes Google and the OEMs will implement to prevent this type of issue from happening again.

Compounding the problem is the difficulty of installing firmware updates for Bluetooth accessories. Unless it’s a first-party accessory like Pixel Buds on a Google Pixel, you can’t update the firmware without installing a third-party app from the OEM. In practice this means most users never update their accessories, and the ones that do risk leaking personal data to the OEM through the accounts a proprietary app requires, not to mention the extra attack surface from OEM apps installed on your phone.

It’s unclear what the future holds for Bluetooth as a protocol. It’s never just one issue; multiple issues and failures culminate in a flaw like WhisperPair. There needs to be more standardization and fewer proprietary protocols for pairing and interacting with Bluetooth accessories. More eyes on the protocol allow more flaws to be discovered.

There also need to be better systems for detecting these flaws, and more accountability for missing these types of issues.

There should be an easier and more standardized way to update firmware for Bluetooth devices. Most people are left vulnerable to exploits that have long been patched because they pair their accessories through the system settings and don’t know they need the proprietary OEM app to update the firmware and fix bugs in their headphones.

With the prevalence of Bluetooth tracking beacons and the severe vulnerabilities found so often, there need to be stricter rules for enforcing security on Bluetooth devices. Many of Bluetooth’s security and privacy features are also optional, such as BLE Privacy, which randomizes your hardware MAC address to prevent tracking via the aforementioned beacons. It’s also unclear how many manufacturers release timely firmware updates or for how long they support devices; that information typically isn’t available from the OEM.

It’s always an option to simply use wired accessories instead of Bluetooth if you’re really worried about future Bluetooth vulnerabilities.
