• A security flaw could expose headphones to hacking
• Risk of eavesdropping or tracking when within wireless range

Security researchers at a Belgian university have uncovered a serious vulnerability in Google’s Fast Pair feature, which is used to connect headphones and speakers to Android and ChromeOS devices with a single tap.

The researchers named the set of vulnerabilities “WhisperPair.”

Investigations showed that seventeen major models of headphones and speakers can be accessed with ease by hackers, involving devices from brands such as Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi.

The flaw allows hackers to control the headphones’ microphones and play audio through them, or eavesdrop on conversations, and may also enable tracking the user’s location if the device is compatible with Google’s Find Hub location system.

Surprisingly, the vulnerability can even affect Apple devices, even if the user has never used any Google product before, allowing hackers to link the device to their own Google account and exploit it for tracking and surveillance.

Hackers only need to be within Bluetooth range and have the target device’s model number, which can be obtained by owning the same device or through a publicly available Google query.

Researchers were also able to exploit a flaw in Fast Pair’s multi-device setup, easily bypassing restrictions that prevent pairing with a second device, and there is no way to disable Fast Pair on Android devices to avoid the vulnerability.

Some affected companies have attempted to release updates to fix the issue, but researchers noted that obtaining these patches requires downloading the manufacturer’s app and installing the fix, something many headphone and speaker users are unaware of.