Bluetooth earphones under attack for the WhisperPair flaw: what we risk and how to defend ourselves


A team of researchers from KU Leuven in Belgium recently uncovered a family of critical vulnerabilities affecting the Bluetooth audio accessory ecosystem, collectively called WhisperPair. These flaws stem from weaknesses in implementations of Google Fast Pair, the technology designed to make pairing between devices and accessories (true-wireless earphones, headphones and speakers) immediate, turning a feature meant to make the user’s life easier into a potential attack vector.

The researchers’ findings indicate that the problem is not limited to a single manufacturer but represents a systemic failure involving hundreds of millions of devices currently on the market, including flagship products such as the Google Pixel Buds Pro 2, Sony WH-1000XM series headphones (including the XM4, XM5 and XM6 versions) and products from brands such as OnePlus and Nothing. According to the researchers, an attacker within 14 meters can force pairing with the victim’s headphones, earphones or speakers without any physical interaction and without the user even being aware of it. Once the connection is established, the attacker gains complete control of the accessory: he can play sounds at high volume, capture ambient audio via the integrated microphone or, in an even more insidious scenario, track the victim’s physical location through Google’s global Find Hub network.

It is essential to underline that this vulnerability resides in the firmware of the accessory itself and not in the smartphone: this means that iPhone users who use these headphones are also exposed to the same risk, and the only definitive solution is not to update the phone or disable Bluetooth, but to install specific firmware updates released by the manufacturers of the audio accessories in question.

WhisperPair: how insidious the flaw is

To understand how the WhisperPair attack unfolds, we must take a step back and look in broad terms at how the communication protocol between devices works. Normally, to start the Fast Pair procedure, a “seeker” device (such as a smartphone) sends a message to a “provider” device (the audio accessory) indicating its intention to pair. According to the security specifications, the provider should ignore such requests if it has not been explicitly placed in “pairing mode” by the user (usually by pressing a physical button). The researchers, however, found that «many devices fail to enforce this control in practice, allowing unauthorized devices to initiate the pairing process». An attacker using common hardware (a laptop, a Raspberry Pi, etc.) and positioned within a range of 14 meters can exploit this missing check to establish a standard Bluetooth connection in a median of just 10 seconds, completely bypassing the user’s consent.

The privacy implications become even more delicate when you consider the integration with Google’s Find Hub network, the system used to find lost devices through crowdsourced geolocation. The protocol requires that, upon first pairing with an Android device, an “account key” is written to the accessory, which establishes ownership. If the victim uses the headphones exclusively with non-Android devices (for example, an iPhone or a PC) or has never associated them with a Google account on an Android device, the accessory remains without a registered owner. In this scenario, the attacker can inject his own key, registering himself as the legitimate owner. From that moment, he can monitor the victim’s movements through the Find Hub network. Although the system can send an “unwanted tracking” notification to the victim after a few hours or days, it will paradoxically point to the victim’s own device as the source, leading the user to dismiss the warning as a software error while the tracking continues undisturbed.
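To make the missing check concrete, here is a small Python model of a provider’s pairing logic, added for this article (it is not the researchers’ code nor any vendor’s firmware). It puts the weak behaviour the researchers describe next to the enforced one: pairing requests and the first account-key write are only honoured inside a pairing window the user opened with a physical button press. Message fields, key values and seeker names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PairingRequest:
    seeker_id: str                       # constructed name of the requesting device
    account_key: Optional[bytes] = None  # key the seeker asks to register as owner


@dataclass
class Provider:
    """Minimal model of an accessory's pairing state (constructed for this article).

    enforce_pairing_mode=False reproduces the WhisperPair behaviour: requests are
    honoured even though the user never pressed the pairing button.
    """
    enforce_pairing_mode: bool
    pairing_mode: bool = False
    owner_key: Optional[bytes] = None
    paired: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def press_pairing_button(self) -> None:
        """The only legitimate way to open the pairing window: a physical action."""
        self.pairing_mode = True

    def handle_pairing_request(self, req: PairingRequest) -> bool:
        # The control the researchers found many devices do not enforce.
        if self.enforce_pairing_mode and not self.pairing_mode:
            self.log.append(f"rejected {req.seeker_id}: not in pairing mode")
            return False
        self.paired.append(req.seeker_id)
        # The first account key written becomes the owner (Find Hub registration);
        # an accessory never paired with an Android account still has owner_key None.
        if req.account_key is not None and self.owner_key is None:
            self.owner_key = req.account_key
        if self.enforce_pairing_mode:
            self.pairing_mode = False  # close the window so it cannot be reused
        self.log.append(f"paired {req.seeker_id}")
        return True


def simulate(enforce: bool) -> Provider:
    """Constructed scenario: an unsolicited request arrives while the accessory is
    idle, then the user presses the button and pairs their own phone."""
    dev = Provider(enforce_pairing_mode=enforce)
    dev.handle_pairing_request(PairingRequest("unsolicited-seeker", b"KEY-UNSOLICITED"))
    dev.press_pairing_button()
    dev.handle_pairing_request(PairingRequest("owner-phone", b"KEY-OWNER"))
    return dev
```

With enforcement off, the unsolicited seeker is paired first and its key becomes the registered owner; with enforcement on, only the request made inside the user-opened window succeeds, and the window closes after it.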

On the left you can see the attacker’s dashboard with the location of the tracked device present in the Find Hub network; on the right the notification that the user receives on their device. Credit: Research group COSIC, KU Leuven.

The gravity of the situation is amplified by the fact that these devices passed both the manufacturers’ quality controls and Google’s certification process, exposing a gap in the industry’s security verification chain. Google, informed of the problem in August 2025, classified the vulnerability as critical (CVE-2025-36911) and stated that it would «work with your ecosystem partners to release security patches». At least, this is what we read in the report drawn up by the researchers.

How to protect yourself from cyber attacks

To effectively protect yourself from WhisperPair, it is imperative to understand that updating your smartphone’s operating system, be it Android or iOS, does not solve the root problem. Even restoring the headphones to their factory settings isn’t a solution, as it only removes the existing pairings but doesn’t fix the code flaw that allows the intrusion. The only real defense is to update the firmware of the vulnerable accessory. This is the advice that security researchers themselves give:

The only way to resolve this vulnerability is to install a software update released by the accessory manufacturer. While many manufacturers have released patches for affected devices, software updates may not yet be available for all vulnerable devices. We encourage researchers and users to check patch availability directly with the manufacturer.