During my summer research internship at COSIC, I discovered several flaws in the Google Fast Pair implementation on millions of Bluetooth accessories. These flaws allow an attacker to forcibly pair with a vulnerable device without user interaction.

Once paired, an attacker can control the audio stream and activate the microphones of the accessory. Users without an Android device are especially vulnerable, as an attacker may be able to track the location of the accessory using Google’s Find Hub network.

Google classified this vulnerability as critical and awarded a $15,000 bounty.

More details about the vulnerability and its impact can be found on the website whisperpair.eu.