Submitted 2 days ago by dance_ninja@lemmy.world to technology@lemmy.world
https://www.wired.com/story/google-fast-pair-bluetooth-audio-accessories-vulnerability-patches/
Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.
Link to see devices impacted: whisperpair.eu
Placing a bet now: under 10% of vulnerable units will be patched.
I like your optimism.
I mean 0.1% is still technically under 10%
I am certain that my AliExpress headphones will get updates in the next few weeks!
I’ll add to that- within a year’s time, less than 50% of the affected devices will even have a patch available.
the rest of the 90% of the devices are probably broken since they are so cheaply made and designed to snap or have garbage batteries that can’t hold a charge for more then 20 minutes .
Laughs in the archaic technology of the 3.5mm audio jack
All the more reason to use my IEMs… At least when I’m not flying.
Why can’t you use them flying?
Pff, obviously you never heard of wiretapping...
Could they? Definitely, but there’s a really uneven balance between effort and reward. I do listen to some dank tunes though…
GOOGLE DESIGNED THE wireless protocol known as Fast Pair to optimize for ultra-convenient connections: It lets users connect their Bluetooth gadgets with Android and ChromeOS devices in a single tap.
Bluetooth pairing is not a difficult process, imagine creating a whole new attack vector for that. And of course security was an afterthought. Capitalism is amazing for wasting resources and getting bad results for it.
A lot of people genuinely find Fast Pair to be a big improvement over traditional Bluetooth pairing. So why is it such a bad idea for a company to design a protocol that solves the problem? Also Bluetooth pairing has had its own share of vulnerabilities over the years this issue isnt really unique to Fast Pair.
To each their own, no doubt. Personally I’m just in awe at how modern tech actually makes people tech-illiterate, and seemingly at a faster clip each year. Throw in an additional attack surface and that just makes it, for me, net minus. There are social and political implications to being tech-illiterate and tech-dependent (especially dependent on foreign and/or rogue states), which is another minus in my book.
I think it’s far more common for devices to get pairing wrong than to get it right.
Just a few of the very common issues I’ve seen in various devices:
On this note: if you root your webos tv there’s an app to truly disable Bluetooth, assuming you don’t use it. Imagine my surprise when one day my tv turned on with a request to allow my neighbors phone to connect to it? Modern convenience. I’m sure my neighbor just fat fingered the device list while trying to connect something else but the fact that it was even an option is absurd
I’d agree security needs more attention when developing protocols and products, and, I’d also consider Bluetooth simple. That being said, I know plenty of folks that don’t like the Bluetooth pairing process, especially those without a technical background.
Fast Pair is really convenient, and I’d say it can open the door for a lot of new experiences, but I do wish the developers put more effort into their TARA.
security researchers [...] are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google’s Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself.
So like every brand besides Apple?
And Bose and Samsung and probably a couple more.
Bowers & Wilkins is safe
that was an interesting talk and demo
laughs in 3.5mm
Laughs in 6.3 mm
6.3 mm
and huge muscles from lugging that thing around
Meh. So realistic attack would be that you know someone you want to track has one of those 17 models (which is hard to tell by just looking at the headphones) and never paired it with Android and he carries them everywhere. You force-pair and now you can track them. It’s pretty silly as a random attack because why would you track a random person. It’s silly to use it to record conversations because from 15 m there are easier methods to do it. I would say the risk that this will be used to actually track/record someone is low.
Did anyone else get a “page not found” error when trying to see the list of effected headphones?
The website works on my end
I clicked on your link. Same thing. I’m using duck such go. Wonder if that’s why.
Affected*
Damn it. I knew that too. Thanks for pointing it out.
But you need to be in close proximity (~15m max) to stalk a victim? You might as well just follow them around physically then. Perhaps when the victim is in a private location, eavesdrop on their conversation or locating their position within there, might be a possibility. But ear raping would, of course, constitute the most significant danger of all. Also WhisperPair, not WhisPair?
If you want to listen to their mic via bluetooth or whatever, yes. But there’s also this:
Some devices also support Google’s Find Hub network. This enables users to find their lost accessories using crowdsourced location reports from other Android devices. However, if an accessory has never been paired with an Android device, an attacker can add the accessory using their own Google account. This allows the attacker to track the user via the compromised accessory.
If the devices weren’t previously linked to a Google account … then a hacker could … also link it to their Google account.
This already severely limits the pool of potential victims; but still a more practical exploit indeed. It’s almost as if this BLE tracking is a feature, rather than an exploit. And if you want to be notified of a device following you around, one has to perpetually enable BLE on their smartphone. But of course, headphone jacks are a thing of the past, and wireless is clearly the future. :)
That’s literally any device. Goes all the way back to things like people setting up routers and not changing the default password so anyone else can get in. That’s just user error plain and simple.
Nothing from Samsung in the list, now I don’t feel so bad about owning a Galaxy :D
bridgeenjoyer@sh.itjust.works 2 days ago
My wired headphones dont have this issue, likely sound far better, require no batteries, and are user serviceable.
Guys, we peaked in 2012 (potentially earlier) as a race technologically, stop trying to create new grifts for billionaires.
Prox@lemmy.world 1 day ago
We all laughed at the time, but The Matrix was right - civilization peaked in 1999.
vacuumflower@lemmy.sdf.org 1 day ago
Talking about computers, definitely yes, functionally. The socially important problems got solutions, imperfect, but replaceable ones.
We had publishing to all the world via Usenet and Web, file exchange with all the world via plenty of FTP servers, way to find those files and published pages via search engines (those real ones, which just indexed file attributes and page contents), our social identities were ICQ numbers and email addresses, our way to repost stuff was sending a link, our way to rate and discover good things was web directories made by people.
For evaluating something on the Web a vote is simply not a universal unit. Every vote is a different person. So upvotes and downvotes lead to numbers being important for ratings on something, which means that the least useful things get the biggest ratings. Because everything useful is offensive to someone.
The only downside that environment had was insufficient easiness of making a webpage, hosting a website, hosting something else.
If I were imagining a solution, it would look like an all-in-one suite like Hotline, but based on how the Web was then, including an intuitive editor (something more like QuarkXPress) for pages and with hosting and mirroring being transparent. A p2p system with cryptographic identities, but manual choice of hosting something. With a p2p contact directory, but many trees of trust inside that directory, where one tree of trust is like one email provider or one xmpp server for identities, that you subscribe to. With “domains” (sort of) being done similarly to that contact directory. With good old Kademlia for finding contacts, domains, groups and separate pages, posts or files. And other than good old Kademlia, possibly some kind of interchangeable client-server things, like storage areas and trackers and relays, to help with offline messaging and NAT’s.
OK, my thought floated away, intuitive management of anything creative in that system is honestly the main flaw of how it was in year 1999. I even wonder if that “agentic AI” they are talking about has a place in such an application suite.
sefra1@lemmy.zip 1 day ago
I want to agree, I used to hate wireless headphones, until I realised that they don’t last long if I wear them anywhere outside my desk.
The cable keeps getting caught in door handles, accidentally stepped when I need to crouch and then snapped when I get up or the plug simply gives up from being constantly bent inside the pocket.
I’m a person who can use a soldering but that doesn’t make repair much easier, phones don’t usually like the 3.5mm jacks available in the market, opening and closing whatever plastic thing covers the contacts or the back of the drivers often break after a third time opening it.
The cables themselves start to breakdown and that time I ordered a whole replacement cable off eBay the phone lost all bass (probably high impedance).
Another issue is that modern phones output a very quiet signal that doesn’t get loud enough even when plugged the HD25.
In end wireless headphones solve this problem, I still use wired headphones on my desk. But for mobile use wireless it is.
coronach@lemmy.sdf.org 8 hours ago
Indeed. I have had to replace my studio headphones multiple times because I broke them that way. My earbuds are great for travel - much smaller and easy to walk around with.
definitemaybe@lemmy.ca 18 hours ago
I’m almost exactly in the same boat, except even at my desk I want wireless. I often turn my camera off and get up to make coffee or go pee in big meetings. It’s great. Even when I’m presenting things, it’s usually only at a specific time, and I can still talk when I’m away from my desk (flip-to-mute microphones are great.)
I have several sets of wired headphones I used to love. I’d buy several sets at once so I already had a replacement when they inevitably broke But I literally can’t remember the last time I used a pair of wired headphones. I only miss 3.5mm on my phone for plugging into my car’s aux port.
bridgeenjoyer@sh.itjust.works 1 day ago
The quiet issue is due to impedance. You need a better amplifier than your phones garbage dac. High ohm headphones require more juice.
I dont listen to headphones on the go really. Only in office. Usually it sounds awful and there’s too much noise around me to enjoy it, and I prefer to enjoy music on my actual listening setup at home amyway, headphones will always sound worse due to no depth. But im weird about sound. Music isnt background noise to me.
hector@lemmy.today 1 day ago
You can hardly find wired headphones now. When you do they are junk. I want a sturdy headphone where they did not save every penny making the wire near microscopic, cheap joints, etc.
Paying more does not mean it is quality either.
bridgeenjoyer@sh.itjust.works 1 day ago
Beyer dt 770. Very tough.
My mains are those, grado rs2, and senn hd595. Some sony md7506 but I hate the sound on them.
BarneyPiccolo@lemmy.today 1 day ago
Recording musicians use them for monitoring. Bluetooth has too much latency when you are trying to keep your groove in the pocket.
I’m finding lots of great 10-15 yo used recording gear/tech that was originally $200+, going for cheap, like less than $50, because it doesn’t have Bluetooth, which you don’t want with recording gear anyway.
kent_eh@lemmy.ca 1 day ago
Shop where the musicians shop.
abfm90@lemmy.world 1 day ago
Just see mondrop chu c2 for 20$ destroying 150$ Bluetooth earphones.
lenz@lemmy.ml 1 day ago
Go to where the audiophiles are. There are plenty of headphones and IEMs (earbuds) under $50 (and even $25) that sound fantastic. My favs that I actually tried are the MOONDROP Chu 2 $23, Koss KSC75 $20, and the Sennheiser HD 600 (which I got on eBay for like $250). Check out the audiophile subreddit, there are plenty of people who have made ranking lists.
RaccoonBall@lemmy.ca 1 day ago
What’s your budget? over ears or earbuds? if over ears open back or sealed?
supersquirrel@sopuli.xyz 1 day ago
The Sony XM3 and other headphones in the series are a great option since you don’t have to choose, they have a headphone jack so you can go wired if you want.
bitchkat@lemmy.world 1 day ago
By wired do you mean exclusively RCA or do you count usb as well? Both pair of my Sennheisers work via USB if you plug it in.
aceshigh@lemmy.world 1 day ago
I love not having to worry about charging my headphones. I had wireless for years but I went back to wired.
dubyakay@lemmy.ca 1 day ago
I don’t find this being an issue when I have to charge it maybe once a month. Not talking about IEMs of course.
anon_8675309@lemmy.world 1 day ago
“But that wire…”
UltraMagnus0001@lemmy.world 1 day ago
Sennheiser hd630 is amazing. I use my technics az80 at work to block noise and appreciate having no wires.