Wireless Earbuds Can Be Hacked. Here’s How to Protect Yourself.

These attacks sound scary, but they’re likely not as dangerous as they might seem. For starters, none of these attacks can be performed remotely: An attacker must be within range of the Bluetooth device they’re targeting. The earbuds or headphones must also be connected and actively in use.

According to Wirecutter writer and audio expert Lauren Dragan, most modern headphones, including most of the devices vulnerable to the WhisperPair attack, go into standby or sleep mode when folded up or removed by the wearer to save power. The researchers told Wirecutter that they did not evaluate how an attack would work with the headphones in standby mode.

To stop someone from maliciously tracking a Bluetooth device you own, follow these steps:

1. Update the device’s firmware.
2. Perform a factory reset.
3. Use Fast Pair to connect your device with an Android phone or Chromebook. This should associate the device with your Google account.

If someone has hijacked your Bluetooth device, you should also see an unwanted-tracker alert on your phone — although the researchers pointed out that people would see their own device listed in such an alert and likely ignore the warning.

A hacker probably wouldn’t be able to pick up much audio, though. Headphone mics are designed to pick up the voice of the wearer and filter out other noises. Lauren tested this out with a pair of Sony WH-1000XM6 headphones by disabling standby mode and recording audio output from the headphones when they were around her neck, in her hand, and on a table, and with ambient café noises playing in the background.

She found that once the headphones were off her ears, the mic wasn’t able to capture clear audio. Her voice was partly audible in the recording when the headphones were still on her neck, but even that was difficult to hear. It’s unlikely that stray headphones could pick up your own voice, let alone a nearby conversation.

“In our tests, we validated whether microphone access was possible; we didn’t measure at what distances it would still pick up a conversation,” said Sayon Duttagupta, one of the researchers.

Wireless earbuds and headphones will always be more vulnerable to security issues than wired models. We saw an attack last June that affected more devices than WhisperPair and could also potentially initiate phone calls, though as with WhisperPair the threat to most people was limited. Apple AirPods have also been patched against similar threats.

If you tend to share highly sensitive information over the phone, we recommend that you use a wired headset instead of a Bluetooth one.