COSIC Seminar on WhisperPair: "One Tap to Hijack Them All:..." (Nikola Antonijević & Seppe Wyns)
COSIC Seminar - One Tap to Hijack Them All: A Security Analysis of the Google Fast Pair Protocol - Nikola Antonijević (COSIC) + Seppe Wyns (DistriNet)

WhisperPair attack: https://whisperpair.eu/

Google’s Fast Pair Service (GFPS) extends Bluetooth pairing with one-tap setup and account synchronisation. This paper presents the first comprehensive security analysis of GFPS. By examining 25 commercial accessories from 16 vendors across 17 unique Bluetooth chipsets, we uncover systemic enforcement failures of the specification’s core security requirements. Moreover, we show that the security failures we have identified in the pairing protocol can be further cascaded, amplifying their impact across the device ecosystem. Although GFPS and Google’s Find Hub network are often treated as distinct services within the broader Google ecosystem, we show that failures in one can produce severe consequences in the other.

We demonstrate WhisperPair, a family of practical attacks that enables unauthorised pairing, silent hijacking of audio devices, and covert account binding that registers a victim’s accessory to an attacker’s account, thereby enabling persistent location tracking and stalking via Google Find Hub. These vulnerabilities are not isolated incidents but symptoms of systemic, ecosystem-wide gaps in implementation, validation, and certification. Our analysis exposes that the source of these flaws lies in GFPS’s reliance on fallible, application-layer state checks rather than on cryptographic enforcement, allowing them to propagate across vendors to the end users. To address the root cause, we propose IntentPair, a lightweight protocol modification that cryptographically binds the user’s pairing intent into the key schedule, eliminating the vulnerability by design. Our findings show how a small usability “add-on” can introduce large-scale security and privacy risks for hundreds of millions of users.

