Millions of Headphones and Headsets Have a Serious Security Vulnerability in the Android System.
If you own an Android device and use wireless headphones, take them off for a second and listen: As WIRED first reported , millions of audio devices from well-known brands like Sony, JBL, Anker, Sonos, and even Google itself have suffered from a serious security vulnerability that could allow hackers to eavesdrop on your conversations or track your location. There are ways to fix this vulnerability, but it will require a fair amount of effort.
How the WhisperPair attack works.
The vulnerability was first discovered by the Computer Security and Industrial Cryptography team at KU Leuven in Belgium and dubbed ” WhisperPair .” It exploits Android’s Quick Pair feature , which allows for convenient connection to nearby Bluetooth devices with a single tap, similar to what might appear on your iPhone’s screen if you open your AirPods case near it. Unfortunately, the researchers say they discovered that an attacker can actually hijack the pairing process, gaining a hidden window of access to your audio device, allowing it to connect to your phone or tablet without you being aware.
“You’re walking down the street with headphones on, listening to music. In less than 15 seconds, we can seize your device,” Saion Duttagupta, a researcher at the University of Leuven, told WIRED.
Okay, so a hacker can eavesdrop on your conversations through your headphones. So what? But yeah, really. So what?
How does this put you at risk?
Once connected to your audio device, a hacker can use it to listen to your microphones, eavesdrop on any private conversations that might be happening through your speakers, play their own audio at any volume they want, and, if your device supports Google Find Hub , possibly even track your location.
The last vulnerability worries me the most, although it’s the most difficult for hackers to exploit. Currently, it’s only documented in the Google Pixel Buds Pro 2 and five Sony products, and it requires you to not previously pair them with an Android device or link them to a Google account.
However, even without location tracking, it is not inherently ideal for a hacker to have constant access to the microphone in your home.
How to protect yourself
The researchers turned to Google, which offered a number of recommended solutions, but here’s where the problem arises: these solutions must be implemented individually by accessory manufacturers, and you’ll likely have to install them manually.
What this means will depend on your device. For example, JBL told WIRED that it has begun sending out wireless updates to address the vulnerability, and Logitech stated that it has “integrated a firmware patch for future production units.” Lifehacker is contacting other companies with affected products, and I will update this post as soon as we hear back.
To ensure you receive updates for your device when they become available, the researcher who discovered WhisperPair recommends downloading the corresponding app—something most audio devices come with today. “If you don’t have [the Sony app], you’ll never know if there’s a software update for your Sony headphones,” Leuven University researcher Seppe Wiens told WIRED.
On the other hand, if you have an affected Google audio device, you’ll likely be fine—the company claims to have already released patches for them. Unfortunately, Google isn’t a magician. The company also reported that it attempted to update Find Hub to block the location tracking vulnerability for all devices, regardless of whether the manufacturer had updated them. Unfortunately, researchers from the University of Leuven claimed to have managed to bypass this universal solution within a few hours.
Unfortunately, Fast Pair can’t be disabled, so your device will remain vulnerable until the manufacturer releases an update. If you notice unusual behavior, you can press the emergency button, as researchers say resetting the audio device to factory settings will clear it of any hacking attempts by hackers already connected. Unfortunately, this still leaves it vulnerable to further hackers in the future.
The risk is real, but for now it is mostly theoretical.
On the other hand, while the concerns are well-founded, Google says there’s no need to worry too much just yet. The company told WIRED that it “has found no evidence of exploitation outside the lab conditions described in this report.” This means the researchers in question may be the first to discover WhisperPair, though the researchers themselves are somewhat cautious, as they doubt Google’s ability to monitor audio interception on other companies’ devices.
So, if you’re a smug iPhone user reading this, don’t relax: WhisperPair could affect you too. While the vulnerability won’t affect an Apple device, if you connect a jailbroken Android device to your iPhone or iPad, you’ll find yourself in the same situation.
How to know if you are at risk
I wish I could offer a simple solution that would instantly improve the security of all your devices, but unfortunately, protecting yourself from WhisperPair will require vigilance—specifically, keeping up to date with updates from your device manufacturer. To check if you’re affected by the WhisperPair vulnerability, visit the researchers’ website and search for your device. It will list the manufacturer, information about whether it’s vulnerable, and steps you can take to mitigate the vulnerability. Please note that the short list that appears first below the search bar doesn’t include all vulnerable devices, so don’t assume you’re safe just because your device isn’t listed—search for it first.