Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking

Google offers a Validator App through the Play Store that vendors have to run as part of getting their products certified to use Fast Pair. According to its description, the app “validates that Fast Pair has been properly implemented on a Bluetooth device,” producing reports on whether a product has passed or failed an evaluation of its Fast Pair implementation. The researchers point out that all of the devices they tested in their work had their Fast Pair implementation certified by Google. That means, presumably, that Google’s app categorized them as passing its requirements, even though their implementations had dangerous flaws. On top of this, certified Fast Pair devices then go through testing in labs Google selects that review pass reports and then directly evaluate physical device samples before large-scale manufacturing to confirm that they align with the Fast Pair standard.

Google says that the Fast Pair specification provided clear requirements and that the Validator App was designed mainly as a supportive tool for manufacturers to test core functionality. Following the KU Leuven researchers’ disclosure, the company says it added new implementation tests specifically geared toward Fast Pair requirements.

Ultimately, the researchers say, it is difficult to determine whether the implementation issues that led to the WhisperPair vulnerabilities came from mistakes on the part of device manufacturers or chipmakers.

WIRED reached out to all the chipmakers who manufacture the chipsets used by the vulnerable audio accessories—Actions, Airoha, Bestechnic, MediaTek, Qualcomm, and Realtek—but none responded. In its comments to WIRED, Xiaomi noted, “We have confirmed internally that the issue you referenced was caused by a non-standard configuration by chip suppliers in relation to the Google Fast Pair protocol.” Airoha is the maker of the chip used in the Redmi Buds 5 Pro that the researchers identified as vulnerable.

Regardless of who is at fault for the WhisperPair vulnerabilities, the researchers emphasize that one conceptually simple change to the Fast Pair specification would address the more fundamental issue behind WhisperPair: Fast Pair should cryptographically enforce the accessory owner’s intended pairings and not allow a secondary, rogue “owner” to pair without authentication.

For now, Google and many device manufacturers have software updates ready to fix the specific vulnerabilities. But installation of those patches is likely to be inconsistent, as it almost always is in internet-of-things security. The researchers urge all users to update their vulnerable accessories, and they point users to a website they created that provides a searchable list of devices affected by WhisperPair. For that matter, they say that everyone should use WhisperPair as a more general reminder to update all of their internet-of-things devices.

The broader message of their research, they say, is that device manufacturers need to prioritize security when adding ease-of-use features. After all, the Bluetooth protocol itself contained none of the vulnerabilities they’ve discovered—only the one-tap protocol Google built on top of it to make pairing more convenient.

“Yes, we want to make our life easier and make our devices function more seamlessly,” says Antonijević. “Convenience doesn’t immediately mean less secure. But in pursuit of convenience, we should not neglect security.”


