Hundreds of Millions of Bluetooth Audio Devices Exposed to Hacking and Tracking Risk
- Editorial Team

- Jan 16

A major new set of security vulnerabilities has rocked the Bluetooth audio ecosystem, affecting hundreds of millions of earbuds, headphones, speakers and other accessories that use Google’s Fast Pair protocol. Researchers from the COSIC group at Belgium’s KU Leuven University disclosed the flaws — collectively dubbed WhisperPair — showing how attackers can silently hijack protected audio devices, eavesdrop on conversations, disrupt audio output, and even track users’ locations without any interaction from the victim.
Google Fast Pair was introduced to make Bluetooth device setup quick and seamless; with a single tap, compatible accessories could connect to Android devices and ChromeOS machines without manual Bluetooth discovery. Fast Pair also enables integration with services like Google’s Find Hub, which lets users locate their accessories if lost. But the very ease that made Fast Pair popular appears to have created a significant security blind spot.
What the Vulnerability Is and How It Works
The WhisperPair vulnerabilities stem from improper implementations of the Fast Pair specification by accessory manufacturers. According to the researchers, accessories were failing to enforce a critical step in the Bluetooth pairing process: rejecting pairing requests when the device is not in pairing mode. In a correct implementation, a Fast Pair accessory should only accept new pairing requests when it is explicitly placed into pairing mode by the user.
However, many devices tested from major brands do not follow this rule. Instead, they allow pairing to proceed even when already connected to another host — a behavior the researchers exploited to force new pairings. To carry out a WhisperPair attack, an attacker simply needs to be within standard Bluetooth range (about 14 meters, roughly 46 feet in lab testing) and to know a device’s Model ID, a numeric identifier tied to the specific product.
Model IDs can be obtained in several ways: by purchasing the same model, by observing pairing attempts from legitimate hosts, or by querying a publicly available Google API that enumerates possible IDs. With this information, an attacker’s device can initiate a Fast Pair attempt that the vulnerable accessory accepts without warning. Once paired, the attacker gains full Bluetooth control, just as if the accessory had been legitimately added.
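The pairing-mode check described above, sketched as accessory-side logic beside the flawed behaviour, with a small conformance check that a certification test could run against either handler. This is an added example, not code from the researchers, Google or any vendor; the struct, the function names and the one-pairing-per-user-action rule are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical accessory state; names are illustrative, not from the Fast Pair spec. */
typedef struct {
    bool pairing_mode;   /* set only by an explicit user action (e.g. button hold) */
    bool host_connected; /* another host already holds a connection */
    int  bonded_hosts;   /* number of stored pairings */
} accessory_t;

typedef enum { PAIR_REJECTED = 0, PAIR_ACCEPTED = 1 } pair_result_t;
typedef pair_result_t (*pair_handler_t)(accessory_t *);

/* Flawed behaviour described in the article: the request is accepted
 * regardless of pairing mode, even while another host is connected. */
pair_result_t handle_request_flawed(accessory_t *a) {
    a->bonded_hosts++;
    return PAIR_ACCEPTED;
}

/* Corrected behaviour: new pairings only while the user has enabled pairing mode. */
pair_result_t handle_request_checked(accessory_t *a) {
    if (!a->pairing_mode)
        return PAIR_REJECTED;     /* ignore the request, leave state untouched */
    a->bonded_hosts++;
    a->pairing_mode = false;      /* assumption: one pairing per user action */
    return PAIR_ACCEPTED;
}

/* Conformance check: run a handler over every combination of state and
 * count cases where a pairing was accepted or stored outside pairing mode. */
int conformance_failures(pair_handler_t handler) {
    int failures = 0;
    for (int mode = 0; mode <= 1; mode++) {
        for (int conn = 0; conn <= 1; conn++) {
            accessory_t a = { mode != 0, conn != 0, 1 };
            pair_result_t r = handler(&a);
            bool stored = a.bonded_hosts != 1;
            if (!mode && (r == PAIR_ACCEPTED || stored))
                failures++;
            if (mode && r != PAIR_ACCEPTED)
                failures++;       /* legitimate pairing must still work */
        }
    }
    return failures;
}
```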
Possible Consequences of a Successful Attack
Depending on the accessory, the implications are serious:
- Hijacking Audio Output: An attacker can interrupt or take over audio streams, injecting their own sound at any volume.
- Eavesdropping via Microphone: For devices with built-in mics, attackers may activate audio capture without the victim’s knowledge.
- Stealthy Tracking: Perhaps most alarming, if a device supports Google’s Find Hub tracking feature (and has never been paired with an Android device before), the attacker can register the accessory to their own Google account. Once tied to Find Hub, the accessory’s location can be tracked as it moves through the physical world, relaying location data via the crowdsourced network of connected devices.
In real-world scenarios, victims might receive a delayed Find Hub alert, but it could misleadingly show the device as being “tracked” by the owner’s own account. This confusion could drive users to dismiss the warning as a system quirk, enabling tracking to continue unnoticed.
Scope: Brands and Devices Affected
The issue is widespread because Fast Pair has been widely adopted by accessory makers. Researchers tested 25 products from 16 vendors and found that a majority were vulnerable. Affected brands include major names like Sony, JBL, Jabra, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself.
Some models — like Google’s Pixel Buds Pro 2 — suffered a distinct tracking risk if they had never previously been linked to a Google account.
Importantly, even iPhone users who have never paired their Bluetooth accessories with an Android device remain exposed, because the vulnerability exists in the accessory’s firmware — not in the phone’s operating system.
Responsible Disclosure and Patches
The WhisperPair vulnerabilities — tracked as CVE-2025-36911 — were responsibly disclosed to Google in August 2025, giving the company and hardware partners a 150-day window to develop mitigations. Google classified the issue as critical and awarded the researchers a maximum bug bounty of $15,000 for their findings.
Since disclosure, Google says it has worked with affected manufacturers on security updates. Many brands have issued firmware patches or are planning to do so, while Google itself has pushed out fixes for its own accessories and updated the Find Hub system to block certain tracking exploits.
However, researchers caution that many users will never install these updates. Unlike smartphones or laptops, Bluetooth accessories rarely prompt users to update firmware, and most people don’t even know that their headphones have upgradeable software. Often, updates can only be installed through a companion app on a phone or PC, another barrier many users never overcome.
The Bigger Picture: Convenience vs Security
The Fast Pair protocol was designed with ease of use at its core — minimizing friction in the Bluetooth setup process. But the WhisperPair findings illustrate a widespread problem in consumer tech: usability features layered on top of existing protocols can inadvertently weaken fundamental security guarantees.
The Bluetooth standard itself includes safeguards to restrict when and how devices can pair. But manufacturers — aiming for seamless experiences — skipped essential checks, and the Fast Pair certification process failed to catch these lapses. As a result, accessories shipped with vulnerabilities baked in that now require consumer action to fix.
For users, the only effective defense today is to check for firmware updates and install them promptly. Given the scale of the issue, experts also urge manufacturers and platform providers to rethink how automatic updates and security enforcement are handled for peripherals.


