Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking

Administrator

Apr 20, 2025


Security Flaws Exposed in Numerous Wireless Audio Devices

Wireless technology has made life easier for many of us, enabling one-tap connections between our Bluetooth devices and our phones or computers. Regrettably, a group of researchers has discovered a significant vulnerability in this system. This flaw could allow a hacker to take control of hundreds of millions of wireless headphones, speakers, and earbuds without the owner's knowledge. The scary part is that this could happen even if you've never owned a specific tech product.

The WhisperPair Threat

Security researchers have unveiled a series of vulnerabilities in 17 audio accessories, sold by 10 different companies. These devices use a wireless protocol designed for easy connections. The researchers have named the collection of hacking techniques WhisperPair. Anybody within Bluetooth range of these devices, typically around 50 feet, can silently connect with the audio peripherals and gain control over them.

The extent of control a hacker can gain varies from device to device. In some cases, the hacker can disrupt or take over audio streams or phone conversations, play their own audio through the victim’s device at any volume, or even covertly take over the microphones to listen to the surrounding environment. Even worse, some devices could be exploited to allow stealthy high-resolution tracking.

One researcher explains the severity of the threat: “You’re walking down the street with your headphones on, listening to some music. In less than 15 seconds, we can hijack your device. This means that I can turn on the microphone and listen to your surroundings. I can inject audio. I can track your location.”

Addressing the Issue

Upon discovery of these flaws, the researchers coordinated with the company that developed the wireless protocol. The company acknowledged the findings and described its efforts to rectify the problem. It has alerted the manufacturers of the vulnerable devices, many of whom have released security updates. However, the researchers warn that because most consumers are unaware that devices like headphones or speakers need software updates, the WhisperPair vulnerabilities may persist in unpatched accessories for a significant period.

In most instances, applying the updates requires downloading a manufacturer app on a phone or computer. Unfortunately, this is a step that most users never take and often do not know is necessary. The researchers emphasize that if you don't have the manufacturer's app, you'll never know that there's a software update for your device, leaving you vulnerable.

Understanding the Flaws

The WhisperPair attack capitalizes on a series of flaws in the implementation of the wireless protocol in the devices the researchers examined. Most fundamentally, the protocol's specifications state that devices shouldn’t be able to pair with a new computer or phone while already paired. However, for the 17 vulnerable devices, anyone can silently pair with the target device, even if it’s already paired.

To exploit the vulnerabilities the researchers discovered, an attacker would only need to be in Bluetooth range and obtain a specific ID value unique to the target device model. The researchers found that they could query a publicly accessible API for every possible ID and determine the IDs for all devices.

A Call for Enhanced Security

While the company that designed the wireless protocol and many device manufacturers have software updates ready to fix the specific vulnerabilities, the researchers stress that one simple change to the protocol would address the WhisperPair issue: the protocol should cryptographically enforce the accessory owner’s intended pairings and not allow a secondary, rogue “owner” to pair without authentication.

Moreover, the researchers urge all users to update their vulnerable accessories and provide a website with a searchable list of devices affected by WhisperPair. They also stress that everyone should use this incident as a reminder to update all of their devices.

Ultimately, the researchers want to emphasize that device manufacturers need to prioritize security when adding ease-of-use features. They shared, “Convenience doesn’t immediately mean less secure. But in pursuit of convenience, we should not neglect security.”
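
The two fixes described above (refusing new pairings on a device that is already paired, and cryptographically enforcing the owner's intended pairings) can be sketched as a small model. This is an added illustration, not code from the article, the researchers, or the protocol's specification; the `Accessory` class, the `authorize` helper, the HMAC scheme and the key handover are all assumptions.

```python
import hashlib
import hmac
import os


def authorize(owner_key: bytes, nonce: bytes, peer: str) -> bytes:
    """Owner side: bind one approval to this nonce and this peer."""
    return hmac.new(owner_key, nonce + peer.encode(), hashlib.sha256).digest()


class Accessory:
    """Hypothetical accessory pairing logic; not the real protocol."""

    def __init__(self):
        self.owner_key = None      # created when the first owner enrolls
        self.pairing_mode = False  # set only by a physical button press
        self.bonded = set()
        self._nonce = None

    def pair_flawed(self, peer):
        # Behaviour the article describes: accepted even when already paired.
        self.bonded.add(peer)
        return True

    def enroll_owner(self, peer):
        # First pairing: only in pairing mode and only while unowned.
        if not self.pairing_mode or self.owner_key is not None:
            return None
        self.owner_key = os.urandom(32)
        self.pairing_mode = False
        self.bonded.add(peer)
        return self.owner_key  # assumed to reach the owner over the paired link

    def challenge(self):
        self._nonce = os.urandom(16)  # fresh per attempt, blocks replay
        return self._nonce

    def pair_hardened(self, peer, tag):
        nonce, self._nonce = self._nonce, None  # each nonce is single use
        if self.owner_key is None or nonce is None:
            return False
        if not hmac.compare_digest(tag, authorize(self.owner_key, nonce, peer)):
            return False
        self.bonded.add(peer)
        return True
```

In this model a second device is bonded only when the existing owner produces a tag over the accessory's fresh nonce and that device's name, so a peer that is merely in radio range cannot add itself.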