Fast Pair flaw exposes Bluetooth devices to hijacking

"Hundreds of millions of wireless earbuds, headphones, and speakers are vulnerable to silent hijacking due to a flaw in Google's Fast Pair system that allows attackers to seize control without the owner ever touching the pairing button. The issue, dubbed 'WhisperPair,' was uncovered by researchers at KU Leuven, who found that many Bluetooth accessories claiming support for Fast Pair fail to properly enforce one of its most basic safety checks."
"That creates an opening for attackers within Bluetooth range to step in and pair their own device, even if the accessory is already in use by someone else. Once paired, the attacker gets the same level of access as a legitimate owner. Depending on the device, that can mean injecting or interrupting audio, manipulating volume, or, in some cases, activating the microphone. It is the sort of pesky thing that does not require nation-state resources or exotic hardware;"
A flaw named WhisperPair allows attackers within Bluetooth range to pair with and control wireless earbuds, headphones, and speakers without the owner placing devices into pairing mode. Many accessories claiming Fast Pair support fail to enforce the required safety check that restricts pairing to explicit pairing mode. Once paired, an attacker receives the same access as the legitimate owner, enabling actions such as injecting or interrupting audio, changing volume, or activating microphones. The vulnerability stems from incomplete or sloppy implementations of Google's Fast Pair specification rather than a flaw in Bluetooth itself. Some affected accessories also integrate with Google's Find My Device network.
Read at The Register