Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking

dance_ninja@lemmy.world · 21 hours ago

Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking

postnataldrip@lemmy.world · 18 hours ago

If you want to listen to their mic via bluetooth or whatever, yes. But there’s also this:

Some devices also support Google’s Find Hub network. This enables users to find their lost accessories using crowdsourced location reports from other Android devices. However, if an accessory has never been paired with an Android device, an attacker can add the accessory using their own Google account. This allows the attacker to track the user via the compromised accessory.

PierceTheBubble@lemmy.ml · 18 hours ago

If the devices weren’t previously linked to a Google account … then a hacker could … also link it to their Google account.

This already severely limits the pool of potential victims; but still a more practical exploit indeed. It’s almost as if this BLE tracking is a feature, rather than an exploit. And if you want to be notified of a device following you around, one has to perpetually enable BLE on their smartphone. But of course, headphone jacks are a thing of the past, and wireless is clearly the future. :)

postnataldrip@lemmy.world · 9 hours ago

By all means call out if I’ve misunderstood, but the tracking vulnerability isn’t that BLE (by design) makes devices visible to everyone within range, it’s that by binding an unclaimed device to an account you gain the ability to look up that device via Google’s service, rather than needing to be nearby - you can simply ask Google to call on its global network to find “your” device. In other words, there’s nothing stopping me from setting an alert when a given BT device is nearby, that’s spot on, but I can’t fire up Google to look up that device when I’m not nearby, or look up its location history.

And yes needing to have never been connected to an Android device definitely reduces the victim pool, but (and to address the other reply) I’m guessing it’d mean devices that have only ever been connected to iOS, Linux, Windows etc aren’t “claimed” and can still be enrolled by the attacker. It’s not about default creds, only having used devices that don’t enrol with Google is enough, as it leaves the device available to claim.

3.5mm ftw and all that, but I doubt all the parents of teenagers with potentially vulnerable devices will have much luck convincing their kids to switch!

fishos@lemmy.world · 15 hours ago

That’s literally any device. Goes all the way back to things like people setting up routers and not changing the default password so anyone else can get in. That’s just user error plain and simple.