Millions of Earbuds and Headphones Have a Serious Android Security Vulnerability

If you're an Android owner who uses wireless headphones or earbuds, remove them for a second and listen up: As first reported by WIRED, millions of audio devices from reputable brands like Sony, JBL, Anker, Sonos, and even Google itself are now facing a major security vulnerability that could allow hackers to eavesdrop on your conversations or track your location. There are ways to plug the hole, but you'll need to jump through a few hoops to do it.

How the "WhisperPair" attack works

The vulnerability was first discovered by Belgium's KU Leuven University Computer Security and Industrial Cryptography Group, and is being dubbed "WhisperPair." It takes advantage of Android's Fast Pair feature, which allows for convenient, one-tap connections to nearby Bluetooth devices, similar to what might pop up on your iPhone screen if you open an AirPods case near it. Unfortunately, according to the researchers, they've discovered that it's possible for a malicious actor to essentially hijack the pairing process, giving them a hidden window into your audio device while still letting it connect to your phone or tablet, leaving you none the wiser.

"You’re walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device," KU Leuven researcher Sayon Duttagupta told WIRED.

OK, so a hacker can listen in on your headphones. Big whoop. But yes, actually. Big whoop indeed.

How this puts you at risk

Once a hacker pairs with your audio device, they can use it to eavesdrop on your microphones, listen in on any private conversations that might be coming through your speakers, play their own audio at whatever volume they want, and, if your device has Google Find Hub support, possibly even track your location.

That last vulnerability is the most concerning to me, although it's also the hardest for hackers to pull off. Right now, it's only been documented in the Google Pixel Buds Pro 2 and five Sony products, and requires you to have not previously connected them to an Android device or paired them with a Google account.

Still, even without location tracking, it's certainly not ideal for a hacker to essentially have access to a microphone in your house at all times.

How to protect yourself

The researchers reached out to Google, which has come up with a series of recommended fixes—but here's where the problems come in: These fixes need to be implemented by the accessory makers on an individual basis, and you'll likely need to install them manually.

What that will look like differs based on what device you have. JBL, for instance, told WIRED that it has started pushing out over-the-air updates to plug the vulnerability, while Logitech said it has "integrated a firmware patch for upcoming production units." Lifehacker is reaching out to other companies with affected products, and I will update this post when we hear back.

To ensure you get your device's fixes when they roll out to you, the researcher who discovered WhisperPair suggests downloading its corresponding app—something most audio devices offer these days. “If you don't have the [Sony app], then you'll never know that there's a software update for your Sony headphones,” KU Leuven researcher Seppe Wyns told WIRED.

On the plus side, if you happen to own an affected Google audio device, you should be in the clear—the company says it has already sent out fixes for them. Unfortunately, Google isn't magic. The company also said it tried to update Find Hub to block the location tracking vulnerability for all devices, whether their manufacturer has updated them or not. Unfortunately, the KU Leuven researchers said they were able to bypass that one-size-fits-all fix within a few hours.

Unfortunately, Fast Pair can't be disabled, so until your device's manufacturer rolls out its own update, it will be vulnerable. There is a panic button you can hit if you notice unusual behavior in the meantime, as the researchers say that factory resetting your audio device will clear it of any hackers who have already paired to it. Unfortunately, that still leaves it vulnerable for new hackers going forward.

The risk is real but mostly theoretical for now

On the bright side, while the concerns here are quite real, Google says you don't need to worry too much yet. The company told WIRED it has, "not seen any evidence of any exploitation outside of this report's lab setting." That means the researchers in question might be the first people to discover WhisperPair, although the researchers themselves are being a bit more cautious, as they question Google's ability to observe audio hijacking for devices from other companies.

On that note, if you're a smug iPhone user reading this, you shouldn't feel too comfortable: WhisperPair could affect you too. While the vulnerability can't originate on an Apple device, if you happen to connect a device that has already been hacked on an Android to your iPhone or iPad, then you're in the same boat.

How to know if you're at risk

I wish I could offer a simple solution that would instantly beef up the security on all of your devices, but unfortunately, staying safe from WhisperPair will take some vigilance on your part—in particular, looking out for an update from your device's manufacturer. To check whether the WhisperPair vulnerability affects you, visit the researchers' website and search for your device. It'll tell you the manufacturer, whether it's vulnerable, and what steps you can take to plug the vulnerability. Note that the short list that first pops up under the search bar doesn't include every vulnerable device, so don't assume you're safe just because you don't see yours there—search for it first.

View the full article