Closed
11 changes: 11 additions & 0 deletions src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
Expand Up @@ -267,6 +267,16 @@ for off in range(0, len(img_bytes), CHUNK):
- Prefer Sonoff+Sniffle on Linux for robust channel hopping and connection following. Keep a spare Nordic sniffer as a backup.
- Without pairing/bonding, any nearby attacker can observe writes and replay/craft their own to unauthenticated writable characteristics.

## Fast Pair implementation flaws (WhisperPair)

### Unauthorized pairing via missing pairing-mode check
- Providers should ignore Fast Pair initiation unless in **pairing mode**, but many reply even when idle.
- Send the initiation to a non-pairing device, accept the improper reply, then finish the standard Bluetooth pairing/bonding flow to gain trusted control (including microphone access).

### Find Hub tracking via first Account Key
- The first **Account Key** written by Android during Fast Pair becomes the owner key; accessories never used with Android lack one.
- If the accessory has never Fast-Paired with Android, write your key via Fast Pair, enroll it in **Find Hub**, and you will receive crowdsourced location reports. Alerts can be delayed and Fast Pair logic typically stays enabled on the accessory, so disabling prompts on the phone does not block this.

## References

- [Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/)
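Review bot: the two new subsections under "Fast Pair implementation flaws (WhisperPair)" state the root cause (providers answer Fast Pair initiation while not in pairing mode; an accessory with no Android-written Account Key accepts one from anybody) but end without the mitigation or check line that the surrounding material carries (see the pairing/bonding bullet directly above the new heading). Suggest closing each subsection with a defensive bullet, for example `- Mitigation: providers must discard Fast Pair initiation unless the accessory is explicitly in pairing mode, and Find Hub enrollment should not be possible for an accessory that has never had an owner Account Key written by Android.` Also, the WhisperPair entry added to the References list is not cited from either subsection; link it inline so readers can trace which claims (including the "alerts can be delayed" statement) come from that disclosure.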
Expand All @@ -280,5 +290,6 @@ for off in range(0, len(img_bytes), CHUNK):
- [Shining Mask BLE protocol notes (BrickCraftDream)](https://github.com/BrickCraftDream/Shining-Mask-stuff/blob/main/ble-protocol.md)
- [Android Bluetooth HCI snoop logging](https://source.android.com/docs/core/connect/bluetooth/verifying_debugging)
- [Adafruit Feather nRF52840 Express](https://www.adafruit.com/product/4062)
- [WhisperPair: Bluetooth hijacking and location tracking via broken Google Fast Pair implementations](https://whisperpair.eu/)

{{#include ../../banners/hacktricks-training.md}}
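Review bot: the new WhisperPair reference is the only entry in this list that neither names its publisher in parentheses (as the BrickCraftDream, Android and Adafruit entries do) nor uses the `Title – Source` form of the first entry; for consistency suggest `- [WhisperPair: Bluetooth hijacking and location tracking via broken Google Fast Pair implementations (whisperpair.eu)](https://whisperpair.eu/)`. The entry is also not referenced from the section it supports, so a reader cannot tell which of the new claims it backs.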