Bluetooth headphones and earbuds used by millions may still be vulnerable to hacking, researchers have warned. The alert comes despite Google’s claims that it has addressed security flaws linked to its Fast Pair technology.
Researchers at KU Leuven University in Belgium say Bluetooth audio products using Google’s Fast Pair feature remain at risk due to unresolved vulnerabilities. Fast Pair, introduced in 2017, is designed to make connecting Bluetooth devices quicker and easier across Android and Chrome OS.
The researchers collectively refer to the vulnerabilities as “WhisperPair.”
Devices could be hacked from distance
According to the research team, audio products from companies including Sony, Harman, and Google itself could be targeted. In lab tests, the researchers found that devices could be hijacked from as far as 46 feet away.
They warned that attackers could potentially take control of audio devices or exploit them for location tracking.
Google says it has already addressed the vulnerabilities highlighted by the researchers. A Google spokesperson told CNET that the company has updated software on some of its own devices, including the Pixel Buds Pro.
Google added that some of the issues were caused by other manufacturers not fully following Fast Pair specifications, and said it informed affected companies in September.
Statement on tracking and exploitation
In a statement shared with CNET, Google said it worked closely with the researchers through its Vulnerability Rewards Program and found no evidence of exploitation outside laboratory testing.
The company also said it had rolled out a fix to prevent Find Hub network provisioning in this scenario, which it claims fully addresses the potential location tracking issue across all devices.
Security updates
Google confirmed it has issued two security updates this month, one for Wear OS and another for Google Pixel devices, both detailing recent security patches.
However, Google does not currently list detailed information about the WhisperPair vulnerabilities on its Fast Pair Known Issues page.
The WhisperPair research group said it is preparing an academic paper outlining its findings. The team also released a YouTube video explaining the security concerns tied to Fast Pair.
While the researchers received a $15,000 bounty and agreed to a 150-day disclosure window, they warned that many users may be unaware of firmware updates needed to protect their devices.
The group has published a webpage allowing users to check whether their audio products are vulnerable and learn how to update them.
