Key takeaways
Vulnerability in Fast Pair: Google’s Fast Pair feature for Android and ChromeOS devices has a flaw called WhisperPair, letting hackers access microphones, play audio, or track your location.
Affected Devices: Includes major brands like Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi. Millions of devices could be at risk.
Immediate Action: Users should update their devices via manufacturer apps to patch the vulnerability; there’s no way to disable Fast Pair directly on Android.
Google’s Fast Pair feature is meant to let you connect your headphones and speakers to your Android or ChromeOS device with just one tap. Yet now it seems that the price of that convenience is a security vulnerability that could leave millions of devices open to hackers and eavesdroppers.
That startling discovery was made by security researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group (via Wired), who are dubbing the collection of vulnerabilities WhisperPair.
Worse, this can even be done if the victim’s device runs iOS and the target has never used a Google product before. If your device has never been connected to a Google account – which might be the case if you’re an iPhone user – a hacker could not only snoop on it but also pair it to their own Google account.
That’s because Google’s system identifies the first Android device that connects to the target speakers or headphones as the owner, a weakness that would let a hacker track your location in their own Find Hub app.