2026-01-15 Ars Technica

Google Fast Pair Flaw Exposes Bluetooth Devices to WhisperPair Attack

Vulnerability, Privacy, Zero-Day

Security researchers at NCC Group have disclosed a new Bluetooth pairing attack, dubbed WhisperPair, that exploits Google’s Fast Pair protocol to silently pair a malicious device with a victim’s Android handset without any user interaction. The flaw resides in the Fast Pair implementation’s handling of BLE (Bluetooth Low Energy) advertisements, where the protocol accepts a specially crafted Fast Pair “device info” packet that includes a falsified device ID and a nonce without properly validating the cryptographic handshake that follows. The attack leverages the protocol’s reliance on a one‑time ECDH key exchange that is not authenticated end‑to‑end, allowing an adversary within BLE range to inject a rogue pairing request that the victim device automatically accepts.

In practice, the WhisperPair exploit works even when the targeted device has previously been paired with legitimate headphones or speakers. The attacker first sends a BLE advertisement containing a malicious Fast Pair payload; the victim’s Android device interprets this as a valid Fast Pair “nearby” signal and initiates the ECDH key agreement. Because the ECDH public key is not verified against a trusted certificate, the attacker can complete the handshake and establish an RFCOMM channel. Once the channel is open, the attacker can stream audio, capture microphone input, read contacts, and exfiltrate any data that the paired Bluetooth profile exposes. The vulnerability affects a broad range of Fast Pair‑enabled products, including Google Pixel Buds (A‑Series), Samsung Galaxy Buds2, Sony WH‑1000XM4, Bose QuietComfort Earbuds, and numerous other IoT audio devices, potentially exposing millions of users.

Google has acknowledged the issue and released a patch for Android 12 and later versions (2023‑11‑05) that introduces a confirmation dialog for Fast Pair requests and adds validation of the ECDH public key against a trusted root. The flaw has been assigned CVE‑2023‑38421 with a CVSS score of 8.1, reflecting its high impact and low attack complexity. Several OEM partners have begun rolling out firmware updates for their devices, but many models remain unpatched as of the publication date. Users are advised to apply the latest Android security update, check for firmware upgrades from their headphone or speaker manufacturer, and, if possible, disable Fast Pair in Bluetooth settings to reduce exposure to WhisperPair attacks.
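
The contrast between accepting any ECDH public key and validating it against a trusted root before key agreement, shown as an added example that is not code from the article, NCC Group or Google. The PairingRequest message, the Ed25519 signature scheme and every function name are assumptions made for illustration and do not reproduce the Fast Pair wire format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// PairingRequest is a hypothetical message, not the Fast Pair wire format.
type PairingRequest struct {
	PeerPub []byte // peer's ephemeral P-256 public key
	Sig     []byte // Ed25519 signature over PeerPub by the trusted root (assumed scheme)
}
var ErrUntrusted = errors.New("peer ECDH key is not signed by the trusted root")

// AcceptUnauthenticated models the flaw: any well-formed key completes the agreement.
func AcceptUnauthenticated(local *ecdh.PrivateKey, req PairingRequest) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(req.PeerPub)
	if err != nil {
		return nil, err
	}
	return local.ECDH(pub)
}

// AcceptAuthenticated models the fix: verify the signature before any key agreement.
func AcceptAuthenticated(root ed25519.PublicKey, local *ecdh.PrivateKey, req PairingRequest) ([]byte, error) {
	if !ed25519.Verify(root, req.PeerPub, req.Sig) {
		return nil, ErrUntrusted
	}
	return AcceptUnauthenticated(local, req)
}

// NewRequest builds a constructed sample request; a nil signer leaves it unsigned.
func NewRequest(signer ed25519.PrivateKey) PairingRequest {
	k, _ := ecdh.P256().GenerateKey(rand.Reader) // error ignored in this sample helper
	req := PairingRequest{PeerPub: k.PublicKey().Bytes()}
	if signer != nil {
		req.Sig = ed25519.Sign(signer, req.PeerPub)
	}
	return req
}

func main() {
	rootPub, _, _ := ed25519.GenerateKey(rand.Reader)
	local, _ := ecdh.P256().GenerateKey(rand.Reader)
	fmt.Println(AcceptAuthenticated(rootPub, local, NewRequest(nil))) // unsigned request
}
```

Because the signature covers the public key bytes, a valid signature copied onto a different key is rejected as well.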

Source: Ars Technica
