Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.
Link to see devices impacted: https://whisperpair.eu/
GOOGLE DESIGNED THE wireless protocol known as Fast Pair to optimize for ultra-convenient connections: It lets users connect their Bluetooth gadgets with Android and ChromeOS devices in a single tap.
Bluetooth pairing is not a difficult process, imagine creating a whole new attack vector for that. And of course security was an afterthought. Capitalism is amazing for wasting resources and getting bad results for it.
My wired headphones dont have this issue, likely sound far better, require no batteries, and are user serviceable.
Guys, we peaked in 2012 (potentially earlier) as a race technologically, stop trying to create new grifts for billionaires.
I want to agree, I used to hate wireless headphones, until I realised that wired don’t last long if I wear them anywhere outside my desk.
The cable keeps getting caught in door handles, accidentally stepped when I need to crouch and then snapped when I get up or the plug simply gives up from being constantly bent inside the pocket.
I’m a person who can use a soldering but that doesn’t make repair much easier, phones don’t usually like the 3.5mm jacks available in the market, opening and closing whatever plastic thing covers the contacts or the back of the drivers often break after a third time opening it.
The cables themselves start to breakdown and that time I ordered a whole replacement cable off eBay the phone lost all bass (probably high impedance).
Another issue is that modern phones output a very quiet signal that doesn’t get loud enough even when plugged the HD25.
In end wireless headphones solve this problem, I still use wired headphones on my desk. But for mobile use wireless it is.
Sennheiser hd630 is amazing. I use my technics az80 at work to block noise and appreciate having no wires getting caught up on mechanical stuff.
“But that wire…”
- some techno gusher probably.
You can hardly find wired headphones now. When you do they are junk. I want a sturdy headphone where they did not save every penny making the wire near microscopic, cheap joints, etc.
Paying more does not mean it is quality either.
Recording musicians use them for monitoring. Bluetooth has too much latency when you are trying to keep your groove in the pocket.
I’m finding lots of great 10-15 yo used recording gear/tech that was originally $200+, going for cheap, like less than $50, because it doesn’t have Bluetooth, which you don’t want with recording gear anyway.
What’s your budget? over ears or earbuds? if over ears open back or sealed?
Idk, 20, 40, more if needed if it will hold up to use at work. I usually get the sports ones that have the ear loop so you don’t have to constantly put earbuds back in the ear.
You can hardly find wired headphones now. When you do they are junk. I want a sturdy headphone
Shop where the musicians shop.
Go to where the audiophiles are. There are plenty of headphones and IEMs (earbuds) under $50 (and even $25) that sound fantastic and sound better than $200 dollar options out there. My favs that I actually tried are the MOONDROP Chu 2 $23, Koss KSC75 $20, and the Sennheiser HD 600 (which I got on eBay for like $250). Check out the audiophile subreddit, there are plenty of people who have made ranking lists.
Just see mondrop chu c2 for 20$ destroying 150$ Bluetooth earphones.
We all laughed at the time, but The Matrix was right - civilization peaked in 1999.
Talking about computers, definitely yes, functionally. The socially important problems got solutions, imperfect, but replaceable ones.
We had publishing to all the world via Usenet and Web, file exchange with all the world via plenty of FTP servers, way to find those files and published pages via search engines (those real ones, which just indexed file attributes and page contents), our social identities were ICQ numbers and email addresses, our way to repost stuff was sending a link, our way to rate and discover good things was web directories made by people.
For evaluating something on the Web a vote is simply not a universal unit. Every vote is a different person. So upvotes and downvotes lead to numbers being important for ratings on something, which means that the least useful things get the biggest ratings. Because everything useful is offensive to someone.
The only downside that environment had was insufficient easiness of making a webpage, hosting a website, hosting something else.
If I were imagining a solution, it would look like an all-in-one suite like Hotline, but based on how the Web was then, including an intuitive editor (something more like QuarkXPress) for pages and with hosting and mirroring being transparent. A p2p system with cryptographic identities, but manual choice of hosting something. With a p2p contact directory, but many trees of trust inside that directory, where one tree of trust is like one email provider or one xmpp server for identities, that you subscribe to. With “domains” (sort of) being done similarly to that contact directory. With good old Kademlia for finding contacts, domains, groups and separate pages, posts or files. And other than good old Kademlia, possibly some kind of interchangeable client-server things, like storage areas and trackers and relays, to help with offline messaging and NAT’s.
OK, my thought floated away, intuitive management of anything creative in that system is honestly the main flaw of how it was in year 1999. I even wonder if that “agentic AI” they are talking about has a place in such an application suite.
I love not having to worry about charging my headphones. I had wireless for years but I went back to wired.
I don’t find this being an issue when I have to charge it maybe once a month. Not talking about IEMs of course.
My issue was needing them when they didn’t have a charge or had low charge, and not being able to charge them while using them.
Laughs in the archaic technology of the 3.5mm audio jack
All the more reason to use my IEMs… At least when I’m not flying.
Why can’t you use them flying?
I think some iems aren’t designed with pressure variations in mind.
They don’t have active noise cancelling.
get a brain like mine that automagically tunes out background noise or just shuts down hearing entirely when overstimulated :3
get a brain like mine
Sure
💉🔪✂
Is that you, Abby Normal? 🧠
Pff, obviously you never heard of wiretapping…
Could they? Definitely, but there’s a really uneven balance between effort and reward. I do listen to some dank tunes though…
Placing a bet now: under 10% of vulnerable units will be patched within a year’s time.
I’ll add to that- within a year’s time, less than 50% of the affected devices will even have a patch available.
I like your optimism.
I mean 0.1% is still technically under 10%
Ah. I should really figure out how to read. Whoops.
the rest of the 90% of the devices are probably broken since they are so cheaply made and designed to snap or have garbage batteries that can’t hold a charge for more then 20 minutes .
I am certain that my AliExpress headphones will get updates in the next few weeks!
deleted by creator
laughs in 3.5mm
Laughs in 6.3 mm
6.3 mm
and huge muscles from lugging that thing around
security researchers […] are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google’s Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself.
So like every brand besides Apple?
Bowers & Wilkins is safe
And Bose and Samsung and probably a couple more.
Phillips is another one not on that list. European company that AFAIK have mostly resisted the enshittification urge.
Haven’t Philips enshittified almost entirely outside of healthcare products? Everything else is licensing the brand.
that was an interesting talk and demo
But you need to be in close proximity (~15m max) to stalk a victim? You might as well just follow them around physically then. Perhaps when the victim is in a private location, eavesdrop on their conversation or locating their position within there, might be a possibility. But ear raping would, of course, constitute the most significant danger of all. Also WhisperPair, not WhisPair?
If you want to listen to their mic via bluetooth or whatever, yes. But there’s also this:
Some devices also support Google’s Find Hub network. This enables users to find their lost accessories using crowdsourced location reports from other Android devices. However, if an accessory has never been paired with an Android device, an attacker can add the accessory using their own Google account. This allows the attacker to track the user via the compromised accessory.
If the devices weren’t previously linked to a Google account … then a hacker could … also link it to their Google account.
This already severely limits the pool of potential victims; but still a more practical exploit indeed. It’s almost as if this BLE tracking is a feature, rather than an exploit. And if you want to be notified of a device following you around, one has to perpetually enable BLE on their smartphone. But of course, headphone jacks are a thing of the past, and wireless is clearly the future. :)
By all means call out if I’ve misunderstood, but the tracking vulnerability isn’t that BLE (by design) makes devices visible to everyone within range, it’s that by binding an unclaimed device to an account you gain the ability to look up that device via Google’s service, rather than needing to be nearby - you can simply ask Google to call on its global network to find “your” device. In other words, there’s nothing stopping me from setting an alert when a given BT device is nearby, that’s spot on, but I can’t fire up Google to look up that device when I’m not nearby, or look up its location history.
And yes needing to have never been connected to an Android device definitely reduces the victim pool, but (and to address the other reply) I’m guessing it’d mean devices that have only ever been connected to iOS, Linux, Windows etc aren’t “claimed” and can still be enrolled by the attacker. It’s not about default creds, only having used devices that don’t enrol with Google is enough, as it leaves the device available to claim.
3.5mm ftw and all that, but I doubt all the parents of teenagers with potentially vulnerable devices will have much luck convincing their kids to switch!
I understand you’ve read the comment as a single thing, mainly because it is. However, the BLE part is an additional piece of critique, which is not directly related to this specific exploit; neither is the tangent on the headphone jack “substitution”. It’s, indeed, this fast pairing feature, which is the subject of the discussed exploit; so you understood that correctly (or I misunderstood it too…).
I’m however of the opinion, BLE being a major attack vector, by design. These are IoT devices that, especially when “find my device” is enabled (which in many cases isn’t even optional: “turned off” iPhones for example), do announce themselves periodically to the surrounding mesh, allowing for the precise location of these devices; and therefore also the persons carrying them. If bad actors gain access, to for example Google’s Sensorvault (legally in the case of state-actors), or would find ways of building such databases themselves; then I’d argue you’re in serious waters. Is it a convenient feature, to help one relocate lost devices? Yes. But this nice-to-have, also comes with this serious downside, which I believe doesn’t even near justify the means. Rob Braxman has a decent video about the subject if you’re interested.
It’s not even a case of kids not wanting to switch, most devices don’t even come with 3.5mm jacks anymore…
That’s literally any device. Goes all the way back to things like people setting up routers and not changing the default password so anyone else can get in. That’s just user error plain and simple.
Nothing from Samsung in the list, now I don’t feel so bad about owning a Galaxy :D
