In the world of wireless headphones, there is a feature called Google Fast Pair, designed to connect earbuds and headphones to Android devices with a simple touch.
A recent cybersecurity discovery has cast a shadow over this convenience feature: a group of researchers from KU Leuven University in Belgium revealed a series of critical vulnerabilities collectively named WhisperPair.
These security flaws allow an attacker to take over audio accessories, listen through them, and even physically track their users, all without the victim noticing or interacting with the device in any way.
WhisperPair enables eavesdropping on and physical tracking of users

The heart of the problem lies in the Google Fast Pair Service (GFPS), used by hundreds of millions of devices to facilitate pairing via Bluetooth Low Energy (BLE).
Normally, the pairing process should require that the accessory be in a specific pairing mode to accept new connections. The researchers, however, found that, due to an incorrect implementation of the protocol in numerous chipsets, this security check is often bypassed.
As a result, a malicious actor equipped with a simple laptop or a dedicated device can force a Fast Pair connection even if the earbuds are already in the user’s ears and are playing music.
Once the connection is established, the attacker gains full control of the accessory and can inject disruptive sounds or, in a far more serious scenario, activate the built-in microphone to intercept private and ambient conversations.
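The missing check described above can be shown as a simplified accessory-side model in C. This is an added example, not code from the researchers, Google, or any vendor's firmware. The struct layout, function names and the plain key comparison (standing in for the protocol's cryptographic authentication) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define KEY_LEN 16
#define MAX_KEYS 4

typedef struct {                 /* hypothetical accessory state */
    bool in_pairing_mode;        /* set only when the user starts pairing mode */
    uint8_t owner_keys[MAX_KEYS][KEY_LEN]; /* keys of already-paired owners */
    size_t n_keys;
} accessory_t;

typedef struct {                 /* hypothetical, already-parsed request */
    bool initial_pairing;        /* sender has no prior pairing with us */
    uint8_t key[KEY_LEN];        /* key presented by a returning owner */
} pair_request_t;

/* Compare every byte so timing does not reveal how much of a key matched. */
static bool key_known(const accessory_t *a, const uint8_t *key) {
    bool found = false;
    for (size_t i = 0; i < a->n_keys; i++) {
        uint8_t diff = 0;
        for (size_t j = 0; j < KEY_LEN; j++) diff |= a->owner_keys[i][j] ^ key[j];
        found |= (diff == 0);
    }
    return found;
}

/* Flawed pattern from the article: pairing mode is never consulted. */
bool accept_flawed(const accessory_t *a, const pair_request_t *r) {
    (void)a; (void)r;
    return true;
}

/* Checked pattern: new owners only in pairing mode, otherwise a known key. */
bool accept_checked(const accessory_t *a, const pair_request_t *r) {
    if (r->initial_pairing) return a->in_pairing_mode;
    return key_known(a, r->key);
}

/* Constructed scenario: one stored owner key (0xA5 repeated). */
bool demo(bool checked, bool pairing_mode, bool initial, bool owner_key) {
    accessory_t a = { .in_pairing_mode = pairing_mode, .n_keys = 1 };
    pair_request_t r = { .initial_pairing = initial };
    for (size_t j = 0; j < KEY_LEN; j++) {
        a.owner_keys[0][j] = 0xA5;
        r.key[j] = owner_key ? 0xA5 : 0x00;
    }
    return checked ? accept_checked(&a, &r) : accept_flawed(&a, &r);
}
```

With the accessory in use (not in pairing mode), the flawed handler accepts a first-time request from an unknown device, while the checked handler accepts only a returning owner.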
From listening to stalking
The implications of WhisperPair go far beyond a simple privacy breach and extend to the user’s physical security. The researchers highlighted a particularly alarming scenario involving Google’s Find My Device network (or Find Hub), the system used to locate lost devices.
If an attacker manages to pair with the accessory first, or if the victim uses the headphones with a non-Android device (such as an iPhone) without ever registering them to a Google account, the attacker can register their own account as the legitimate ‘owner’ of the hardware.
In this scenario, the accessory effectively becomes a tracking device in the hands of the attacker. Leveraging Google’s vast location network, the attacker can follow the victim’s movements in real time.
Although there are anti-stalking notifications designed to alert users to unwanted tracking, researchers note that these alerts could be confused with system errors, as they would indicate that your own headphones are tracking you.
Google has classified this vulnerability as critical, assigning it the identifier CVE-2025-36911, and has worked to distribute fixes, though the researchers have demonstrated that some initial patches were bypassable within a few hours.
The challenge of updates and at-risk devices
Fixing this issue presents a significant challenge. Unlike smartphone OS updates, which occur centrally, the WhisperPair fix often requires a specific firmware update for the audio accessory.
This means the user must download the manufacturer’s own proprietary application for the headphones and manually install the update, a procedure that many consumers ignore or skip.
The researchers tested 25 commercial devices from 16 different manufacturers, finding that as many as 68% were vulnerable to the attack. The brands involved are among the best known in the industry, including Sony, JBL, Jabra, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google itself.
Although many manufacturers have already released or are working on software fixes after being alerted, the fragmentation of the IoT (Internet of Things) market makes it difficult to guarantee that all devices are secured promptly.
To check whether your device is at risk, it is essential to consult the manufacturer’s official communications. Below we provide the list of specific models that researchers confirmed to be vulnerable during their tests, noting that the list may not be exhaustive:
- Anker soundcore Liberty 4 NC
- Google Pixel Buds Pro 2
- JBL TUNE BEAM
- Jabra Elite 8 Active
- Marshall MOTIF II A.N.C.
- Nothing Ear (a)
- OnePlus Nord Buds 3 Pro
- Sony WF-1000XM5
- Sony WH-1000XM4
- Sony WH-1000XM5
- Sony WH-1000XM6
- Sony WH-CH720N
- Xiaomi Redmi Buds 5 Pro


