Hackers Hijack Headphones in 15 Seconds

At a Glance

  • 17 Fast Pair audio devices from 10 brands can be hijacked in under 15 seconds
  • Attackers can listen through mics, inject audio, and track location via Find Hub
  • Google and vendors have issued patches, but most users never install them
  • Why it matters: Your headphones could spy on you even if you’ve never used an Android phone

A design flaw in Google’s one-tap Fast Pair Bluetooth protocol has left hundreds of millions of earbuds, headphones, and speakers open to silent hijacking, according to findings released today by Belgian researchers. The attacks, dubbed WhisperPair, affect 17 models sold under brands including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself.

The KU Leuven University team showed that anyone within 46 feet can pair with a victim’s already-connected accessory, take over its microphone and speakers, and, on some devices, permanently link it to a Google account for covert location tracking. The entire intrusion lasts 10-15 seconds and leaves no on-device log.

How the Attack Works

Fast Pair was built to let Android and ChromeOS users connect audio gear with a single tap. The researchers discovered that the 17 tested devices ignore Google’s own rule that prohibits pairing while already paired. An attacker needs only the target’s public Model ID, a value obtainable by:

  • Buying the same model once
  • Sniffing the initial pairing request
  • Querying a public Google API that lists every Model ID

With that ID, a $35 Raspberry Pi 4 running the proof-of-concept script initiates a new pairing request. The accessory accepts it, drops the legitimate owner, and grants full audio and mic access. On five Sony models and Google’s Pixel Buds Pro 2, an extra bug lets the intruder bind the gadget to a Google account. Once linked, the attacker can track its geolocation through the Find Hub mesh network wherever the victim goes.

Real-World Impact

  • Eavesdropping: Mic audio streams live to the attacker
  • Audio injection: Music, alerts, or offensive sound played at any volume
  • Location stalking: Find Hub updates every few minutes with 10-meter precision
  • Cross-platform risk: Works against iPhone users who have never touched an Android device

Victims may receive Apple or Google safety alerts warning that “your own device” is tracking them, leading many to dismiss the notification as a glitch.

Vendor Responses

Google issued a security advisory today and says it has:

  • Delivered firmware fixes for Pixel Buds Pro 2
  • Updated Android’s Find Hub to block rogue account linking
  • Added new certification tests for manufacturers

Yet within hours the researchers say they bypassed the Find Hub patch, keeping the stalking vector alive. Google told News Of Fort Worth it has seen “no evidence of exploitation in the wild,” but researchers note Google can’t spot attacks that bypass its ecosystem.

Other brands provided mixed reactions:

| Company | Status |
|---|---|
| Xiaomi | OTA updates rolling out for Redmi Buds 5 Pro |
| JBL | Security patches arriving “over the next few weeks” via JBL app |
| Logitech | Fix integrated into future Wonderboom 4 production; current units lack mic |
| Jabra | Claims June/July patches already covered the issue; researchers dispute timing |
| OnePlus | Still investigating |
| Marshall, Nothing, Sony | No reply to News Of Fort Worth inquiries |

The Update Gap

Every patched vendor relies on companion apps to deliver firmware, apps most owners never install. “If you don’t have the Sony app, you’ll never know an update exists,” researcher Seppe Wyns says. Factory-resetting headphones evicts an intruder but re-opens the flaw the moment the device is back in public.

Root Cause

Google’s Validator App certified all 17 devices as Fast-Pair-compliant, yet missed that they allow secondary pairings. Chip suppliers Actions, Airoha, Bestechnic, MediaTek, Qualcomm, and Realtek did not respond to News Of Fort Worth. Xiaomi blames a “non-standard configuration by chip suppliers,” but researchers say blame is diffuse: spec ambiguity, vendor errors, and weak certification combined to create the flaw.
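The state check the tested devices skip (see How the Attack Works) and the negative test that certification missed can be sketched together. This is an added example, not code from the researchers, Google, or any vendor: the accessory model, the handler names, the explicit pairing-mode flag, and the addresses are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified accessory model. All names are hypothetical, not from the Fast Pair spec. */
typedef struct {
    bool pairing_mode;  /* assumption: set only when the user starts pairing */
    bool has_owner;     /* a host is already paired */
    char owner[18];     /* address of the paired host */
} accessory_t;

typedef enum { PAIR_REJECTED, PAIR_ACCEPTED } pair_result_t;
typedef pair_result_t (*pair_handler_t)(accessory_t *, const char *);

static const char OWNER[] = "AA:AA:AA:AA:AA:01";  /* constructed sample address */
static const char OTHER[] = "BB:BB:BB:BB:BB:02";  /* constructed sample address */

static pair_result_t bind_owner(accessory_t *a, const char *peer) {
    snprintf(a->owner, sizeof a->owner, "%s", peer);
    a->has_owner = true;
    return PAIR_ACCEPTED;
}

/* Behaviour the article describes: state is never checked, the owner is replaced. */
pair_result_t handle_pair_vulnerable(accessory_t *a, const char *peer) {
    return bind_owner(a, peer);
}

/* Hardened: an already-paired accessory refuses unless the user opened pairing mode. */
pair_result_t handle_pair_hardened(accessory_t *a, const char *peer) {
    if (a->has_owner && !a->pairing_mode)
        return PAIR_REJECTED;
    return bind_owner(a, peer);
}

/* Negative conformance check: a second request while paired must be refused
   and must leave the original owner in place. */
bool passes_secondary_pairing_check(pair_handler_t handler) {
    accessory_t a = { .pairing_mode = true };
    if (handler(&a, OWNER) != PAIR_ACCEPTED)
        return false;
    a.pairing_mode = false;  /* pairing mode ends after the first pairing */
    return handler(&a, OTHER) == PAIR_REJECTED && strcmp(a.owner, OWNER) == 0;
}

int main(void) {
    printf("vulnerable passes: %d\n", passes_secondary_pairing_check(handle_pair_vulnerable));
    printf("hardened passes:   %d\n", passes_secondary_pairing_check(handle_pair_hardened));
    return 0;
}
```

A certification suite that only exercises the first, successful pairing would pass both handlers; only the second request distinguishes them.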

What Users Can Do

  1. Install the manufacturer’s app and apply any firmware update immediately
  2. Check the researchers’ website for a searchable list of affected models
  3. Power off headphones when not in use in public spaces
  4. Treat unexplained Find Hub alerts seriously, even if they name your own gear

Key Takeaways

  • Convenience-first features can undermine security if not rigorously tested
  • Headphones are now tracking beacons, not just audio accessories
  • Without forced auto-updates, IoT patches reach only a fraction of devices
  • A single specification tweak (cryptographically binding ownership) could have prevented WhisperPair at the design stage

“Convenience doesn’t immediately mean less secure,” researcher Nikola Antonijević says. “But in pursuit of convenience, we should not neglect security.”

Author

  • Megan L. Whitfield is a Senior Reporter at News of Fort Worth, covering education policy, municipal finance, and neighborhood development. Known for data-driven accountability reporting, she explains how public budgets and school decisions shape Fort Worth’s communities.
