 |
|
|
|||||
Now would be a good time to update all your Bluetooth audio devices. On Thursday, Wired reported on a security flaw in 17 headphone and speaker models that could allow hackers to access your devices, including their microphones. The vulnerability stems from a faulty implementation of Google's one-tap (Fast Pair) protocol.Security researchers at Belgium's KU Leuven University Computer Security and Industrial Cryptography group, who discovered the security hole, named the flaw WhisperPair. They say a hacker within Bluetooth range would only require the accessory's (easily attainable) device model number and a few seconds."You're walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device," KU Leuven researcher Sayon Duttagupta told Wired. "Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location." The researchers notified Google about WhisperPair in August, and the company has been working with them since then.Fast Pair is supposed to only allow new connections while the audio device is in pairing mode. (A proper implementation of this would have prevented this flaw.) But a Google spokesperson told Engadget that the vulnerability stemmed from an improper implementation of Fast Pair by some of its hardware partners. This could then allow a hacker's device to pair with your headphones or speaker after it's already paired with your device."We appreciate collaborating with security researchers through our Vulnerability Rewards Program, which helps keep our users safe," a Google spokesperson wrote in a statement sent to Engadget. "We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting. As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security."The researchers created the video below to demonstrate how the flaw worksIn an email to Engadget, Google said the steps required to access the devices microphone or audio are complex and involve multiple stages. The attackers would also need to remain within Bluetooth range. The company added that it provided its OEM partners with recommended fixes in September. Google also updated its Validator certification tool and its certification requirements.The researchers say that, in some cases, the risk applies even to those who don't use Android phones. For example, if the audio accessory has never been paired with a Google account, a hacker could use WhisperPair to not only pair with the audio device but also link it to their own Google account. They could then use Google's Find Hub tool to track the device's (and therefore your) location.Google said it rolled out a fix to its Find Hub network to address that particular scenario. However, the researchers told Wired that, within hours of the patchs rollout, they found a workaround.The 17 affected devices are made by 10 different companies, all of which received Google Fast Pair certification. They include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google. (Google says its affected Pixel Buds are already patched and protected.) The researchers posted a search tool that lets you see if your audio accessories are vulnerable.In a statement sent to Engadget, OnePlus said it's investigating the issue and "will take appropriate action to protect our users' security and privacy." We also contacted the other accessory makers and will update this story if we hear back.The researchers recommend updating your audio devices regularly. However, one of their concerns is that many people will never install the third-party manufacturer's app (required for updates), leaving their devices vulnerable.The full report from Wired has much more detail and is worth a read.This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/flaw-in-17-google-fast-pair-audio-devices-could-let-hackers-eavesdrop-194613456.html?src=rss
Category:
Marketing and Advertising
The second season of Amazon's excellent Fallout show is currently airing, but the company is already looking to expand its programming around the popular franchise. Prime Video has greenlit a unscripted reality show titled Fallout Shelter. It will be a ten-episode run with Studio Lambert, the team behind reality projects including Squid Game: The Challenge and The Traitors, as its primary producer. Bethesda Game Studios head honcho Todd Howard is attached as an executive producer. Amazon's description of Fallout Shelter is: "Across a series of escalating challenges, strategic dilemmas and moral crossroads, contestants must prove their ingenuity, teamwork and resilience as they compete for safety, power and ultimately a huge cash prize." It seems fitting that the producer is the same as Squid Game: The Challenge, where a show critiquing capitalism is turned into a competition about winning money. A reality show sounds like the sort of thing you'd find in a Fallout game side quest accompanied by pointed commentary about greed rather than an activity people of the Wasteland would take seriously. Maybe the new series will be an interesting mix of survival skills and dark humor that feels true to the Fallout ethos. But, and I say this as a big viewer of reality shows, Im not holding my breath.The name echos the free-to-play mobile game Bethesda released in 2015. Fallout Shelter lets people build and improve their out Vault-Tec residence, managing the resources for a growing cadre of underground survivors. It seems pretty likely that there will be some type of tie-in between the game and the show, but any details about that might pop up closer to when the program is ready to air. It's currently casting, and no release timeline has been shared. This article originally appeared on Engadget at https://www.engadget.com/entertainment/tv-movies/amazon-is-making-a-fallout-shelter-competition-reality-tv-show-190151855.html?src=rss
Category:
Marketing and Advertising
Verizon is offering a very small mea culpa after Wednesday's massive outage, which drew more than 1.5 million reports on Downdetector and lasted hours. The carrier posted on X that it will offer a $20 credit, but customers must redeem it in the myVerizon app. "This credit isnt meant to make up for what happened. No credit really can," the company wrote. "But its a way of acknowledging your time and showing that this matters to us." Incensed customers have largely replied with incredulity, both at the miniscule amount, and that it isn't being applied automatically. Engadget has reached out to Verizon seeking clarity on whether this credit can be claimed by contacting the carrier or only through the app. We will update this piece if we hear back. Update, January 15 2026, 11:57 PM ET: Verizon says the credit can be claimed through customer service via phone, chat and online in addition to the myVerizon app. This article originally appeared on Engadget at https://www.engadget.com/mobile/how-to-claim-verizons-20-credit-for-wednesdays-service-outage-171909695.html?src=rss
Category:
Marketing and Advertising
All news |
||||||||||||||||||
|
||||||||||||||||||