Hundreds of millions of audio devices need patching to prevent hacking and wireless tracking


Google offers a Validator app through the Play Store, which vendors must run as part of getting their products certified to use Fast Pair. According to its description, the app “verifies that Fast Pair is properly implemented on a Bluetooth device,” and produces reports on whether the product passes or fails an assessment of its Fast Pair implementation. The researchers point out that all of the devices they tested in their work had received their Fast Pair certification from Google. This means, most likely, that Google’s app rated them as having passed its requirements, even though their implementations had serious flaws. Additionally, Fast Pair certified devices then undergo testing at Google-selected laboratories, which review the pass reports and then directly evaluate actual device samples before manufacturing at scale to ensure compliance with the Fast Pair standard.

Google says the Fast Pair specification provided clear requirements and that the Validator app was designed primarily as a support tool for manufacturers to test basic functionality. Following the revelation by researchers at KU Leuven, the company said it has added new implementation tests specifically geared toward Fast Pair requirements.

Ultimately, researchers say, it’s difficult to determine whether the implementation issues that led to the WhisperPair vulnerabilities were the result of errors on the part of hardware manufacturers or chip makers.

WIRED reached out to all the chipmakers that make the chips used by the vulnerable audio accessories (Actions, Airoha, Bestechnic, MediaTek, Qualcomm, and Realtek), but none responded. In its comments to WIRED, Xiaomi noted: “We have internally confirmed that the issue you pointed out was caused by a non-standard configuration by chip suppliers regarding the Google Fast Pair protocol.” Airoha is the manufacturer of the chip used in the Redmi Buds 5 Pro that researchers identified as vulnerable.

Whoever is responsible for the WhisperPair vulnerabilities, researchers stress that one conceptually simple change to the Fast Pair specification would address the more fundamental problem behind WhisperPair: Fast Pair must cryptographically enforce the pairings intended by the accessory owner and not allow a rogue secondary “owner” to pair without authentication.

Currently, Google and many device manufacturers have software updates ready to fix the identified vulnerabilities. But installation of these patches is likely to be inconsistent, as is almost always the case in IoT security. The researchers urge all users to update their vulnerable accessories, and direct users to a website they have created that provides a searchable list of devices affected by WhisperPair. In this regard, they say everyone should use WhisperPair as a more general reminder to update all their IoT devices.

They say the broader message of their research is that device manufacturers need to prioritize security when adding ease-of-use features. After all, the Bluetooth protocol itself didn’t have any of the vulnerabilities they discovered; only the one-click protocol that Google built on top of it to make pairing more convenient did.

“Yes, we want to make our lives easier and our devices run more smoothly,” says Antonievich. “Convenience does not immediately mean you are less safe. But in our pursuit of convenience, we should not neglect security.”
