Sloppy implementation of Google spec leaves 'hundreds of millions' of devices vulnerable

Hundreds of millions of wireless earbuds, headphones, and speakers are vulnerable to silent hijacking due to a flaw in Google's Fast Pair system that allows attackers to seize control without the owner ever touching the pairing button.

The issue, dubbed "WhisperPair," was uncovered by researchers at KU Leuven, who found that many Bluetooth accessories claiming support for Fast Pair fail to properly enforce one of its most basic safety checks. Based on Fast Pair's uptake, the team says the flaw likely affects "hundreds of millions" of accessories already in circulation.

In theory, Fast Pair devices are supposed to accept new pairing requests only when the user explicitly places them in pairing mode. In practice, the researchers say, many products will happily accept a new connection request at any time.

That creates an opening for attackers within Bluetooth range to step in and pair their own device, even if ...