Emir BardakçıOne feature I’ve always appreciated is the convenience offered by “Google Fast Pair.” It’s a “magical” experience to simply flip open a case and see my “Xiaomi Pad 8” or “Xiaomi 17” immediately pair with my earbuds. However, a giant security bombshell has just been dropped with monumental implications related to this convenient feature. What’s being made known here is the newly discovered vulnerability known as WhisperPair that can be exploited by an attacker to silently hijack your wireless headphones in less than 15 seconds, which then enables the attacker to listen in on your private conversations or track your physical location in real-time.
Summary: Pair Crisis
- The Threat: Attackers can bypass the pairing security of devices based on the Google Fast Pair logic.
- Affected Brands: Big brands such as Sony, Xiaomi, JBL, and Logitech are also included.
- The Risk: Silent audio hijacking, microphone use for spying, and location tracking through Google Find Hub.
- The Fix: It is imperative that you manually update the firmware using the app provided by your device’s manufacturer.
How Does the WhisperPair Hijack Actually Work?
“The heart of the problem is in the way some of these manufacturers have chosen to implement the Fast Pair protocol. A device should not be able to form new connections unless you have manually switched it into ‘Pairing Mode.’ But the team discovered that many flagship devices do not honor this.” With just a cheap copy of the “Raspberry Pi,” an attacker from 14 meters away can emulate the “Seeker” device. In a matter of seconds, the attacker will be able to compel a connection to your “Xiaomi Band 9” or earbuds when you are actively using them. They will then be able to play audio content. However, the critical point is that the attacker will be able to turn on the microphone.
Is Your Location Being Tracked?
However, one of the worst parts of this vulnerability is the “Covert Account Binding.” If your headphones have yet to be connected to a Google account—which is a very likely scenario if you are a iPhone user and own a Sony or JBL device—the hacker can “claim” the device. They can track your location by connecting your headphones to their own account and use Google’s Find Hub (also known as Find My Device) to track your location. There have been cases reported on Reddit where people have received notifications for “Unknown Tracker,” thinking it to be a glitch in the system, when in fact, it allowed a stalker to track their location.
Which Devices are at Risk?
The 17 devices that have been tested include some of the most popular models available. Although Google has already issued a fix for their Pixel Buds, other manufacturers such as Xiaomi and JBL are issuing OTA fixes.
What’s Next: How to Protect Yourself?
You cannot just turn off Fast Pair support on most accessories. This is deeply integrated into the firmware. Your only option is a firmware update. Open up your app, whether it’s Sony Headphones Connect, JBL Headphones, or Xiaomi Earbuds, to check if there’s a firmware update.
