Update Your Headphones Now: Google Fast Pair Flaw May Let Hackers Track You

Several Fast Pair-supported audio devices are failing to reject connection requests when not in pairing mode. Check the list to see if your headphones, earbuds, or speakers are at risk.

Jibin Joseph, Contributor

A team of researchers has discovered a critical vulnerability in Google’s Fast Pair technology that allows attackers to track a victim's location by hacking their headphones or speakers.

As first reported by Wired, the flaw was discovered by researchers at Belgium’s KU Leuven University, who dubbed it WhisperPair. It affects Bluetooth headphones from a range of brands that support Fast Pair, including Sony, Google, OnePlus, Nothing, Xiaomi, Marshall, Anker, Jabra, and Harman. (See the list below.)

The flaw lies in how some brands have implemented the Fast Pair protocol. To start pairing, a phone or laptop sends a message to the headphones. If they are not in pairing mode, they should reject the request. However, researchers found that vulnerable devices fail to reject these requests, allowing unauthorized parties to complete the pairing process without the user's consent.

To carry out the WhisperPair attack, a hacker needs just about 10 seconds within 14 meters of the Bluetooth device. Once they gain access, they have full control of it. They can turn up the volume, change tracks, or even record a conversation. What’s worse, if the earbuds support Google’s Find Hub network, they can also track the user’s location.

The researchers shared their findings with Google in August, received a $15,000 bounty, and published their study after a 150-day non-disclosure window.

Google has confirmed that the flaw was due to improper implementation and said that it recommended fixes to manufacturers in September. “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting,” a company spokesperson tells Engadget.

Both Google and the researchers recommend that at-risk users install the latest firmware update for their audio devices. “The only way to prevent WhisperPair attacks is by performing a software update,” the researchers say.

Which Earbuds and Headphones Are At Risk?

Researchers have provided a list of at-risk models. The ones below are labeled as "vulnerable" by the team and should be updated. The process for updating firmware varies by brand; check your device’s instruction manual for more details. Several more devices are not vulnerable to WhisperPair, but researchers still recommend keeping them up to date: Sonos Ace, Audio-Technica ATH-M20xBT, JBL Flip 6, Jabra Speak2 55 UC, Bose QC Ultra Headphones, Poly VFree 60 Series, Beosound A1 2nd Gen, and Beats Solo Buds.

Earbuds

Headphones
