Google has launched a Validator app in the Play Store that vendors must use to certify their products for Fast Pair compatibility. This app checks whether Fast Pair is correctly implemented on Bluetooth devices and generates a compliance report. However, the researchers found that all devices tested had been certified by Google, which raises concerns because there was a significant flaw in the implementation.
Certified Fast Pair devices are also tested in Google-selected labs to ensure compliance before large-scale production. Following a study from the University of Leuven, Google added new tests tailored to Fast Pair requirements. The researchers highlighted uncertainty around whether the vulnerabilities stemmed from device manufacturers or chip manufacturers. Xiaomi confirmed that a non-standard configuration by the chip supplier caused the issues in their products.
To address the core problem of the WhisperPair vulnerability, researchers suggest that Fast Pair should cryptographically enforce pairing, preventing unauthorized access. Both Google and manufacturers are now preparing software updates to rectify certain vulnerabilities, though patching consistency remains a concern in Internet of Things (IoT) security.
The researchers emphasize the need for device makers to prioritize security when adding user-friendly features. The vulnerabilities stem not from the Bluetooth protocol itself but from the convenience-driven enhancements introduced by Google. Antonijević noted that while convenience is essential, security should not be compromised.


