Your earbuds may not be secure: what WhisperPair is and how it works

In the world of wireless headphones, there is a feature called Google Fast Pair, designed to connect earbuds and headphones to Android devices with a simple touch.

A recent discovery in cybersecurity has cast a shadow over this user-experience simplification feature: a group of researchers from the KU Leuven University in Belgium revealed the existence of a series of critical vulnerabilities collectively named WhisperPair.

These security flaws allow an attacker to take over, listen to, and even physically track users through their audio accessories, all without the victim noticing or interacting in any way with the device.

WhisperPair allows listening to and physically tracking users

The heart of the problem lies in the Google Fast Pair Service (GFPS), used by hundreds of millions of devices to facilitate pairing via Bluetooth Low Energy (BLE).

Normally, the pairing process should require that the accessory be in a specific pairing mode to accept new connections. The researchers, however, found that, due to an incorrect implementation of the protocol in numerous chipsets, this security check is often bypassed.

As a result, a malicious actor equipped with a simple laptop or a dedicated device can force a Fast Pair connection even if the earbuds are already in the user’s ears and are playing music.
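The check described above, modelled as a small state machine so that the difference between a faulty and a correct accessory is concrete. This is an added illustration written for this article; it is not Google's Fast Pair code, not any vendor's firmware, and not the researchers' tooling. The request layout, the `pairing_mode` flag and the two handler functions are hypothetical simplifications; the only point they capture is whether a new bond is accepted while the accessory is not in pairing mode.

```python
"""Toy model of the pairing-mode check that, per the WhisperPair findings,
many Fast Pair accessory firmwares fail to enforce.  Hypothetical
simplification: not Google's GFPS implementation, not vendor firmware."""

from dataclasses import dataclass, field


@dataclass
class PairingRequest:
    """Hypothetical, simplified key-based pairing request from a seeker (phone)."""
    seeker_address: str      # BLE address of the device asking to pair
    wants_new_bond: bool     # True = create a new bond, False = resume an existing one


@dataclass
class Accessory:
    """Minimal accessory state: bonded seekers, and whether the user has put it
    into pairing mode (for example by holding the case button)."""
    bonded_seekers: set = field(default_factory=set)
    pairing_mode: bool = False
    audit_log: list = field(default_factory=list)

    def enter_pairing_mode(self):
        self.pairing_mode = True
        self.audit_log.append("pairing mode entered by user")

    def leave_pairing_mode(self):
        self.pairing_mode = False
        self.audit_log.append("pairing mode left")


def handle_request_vulnerable(acc: Accessory, req: PairingRequest) -> bool:
    """Flawed handler: any well-formed request creates a bond, whether or not
    the user put the accessory into pairing mode.  This is the behaviour the
    article attributes to the affected chipsets."""
    if req.wants_new_bond or req.seeker_address in acc.bonded_seekers:
        acc.bonded_seekers.add(req.seeker_address)
        acc.audit_log.append(f"bonded {req.seeker_address} (no mode check)")
        return True
    return False


def handle_request_hardened(acc: Accessory, req: PairingRequest) -> bool:
    """Hardened handler: a NEW bond is only created while the accessory is in
    pairing mode; an already-bonded seeker may reconnect at any time."""
    if req.seeker_address in acc.bonded_seekers:
        acc.audit_log.append(f"reconnect from bonded {req.seeker_address}")
        return True
    if req.wants_new_bond and acc.pairing_mode:
        acc.bonded_seekers.add(req.seeker_address)
        acc.audit_log.append(f"bonded {req.seeker_address} during pairing mode")
        return True
    acc.audit_log.append(f"rejected {req.seeker_address}: not in pairing mode")
    return False


def demo() -> dict:
    """Constructed scenario: the owner pairs normally, pairing mode ends, the
    earbuds are in use, and an unsolicited bond request from an unknown
    seeker arrives.  Returns whether each handler accepted the stranger."""
    results = {}
    for name, handler in (("vulnerable", handle_request_vulnerable),
                          ("hardened", handle_request_hardened)):
        acc = Accessory()
        acc.enter_pairing_mode()
        handler(acc, PairingRequest("AA:AA:AA:AA:AA:01", wants_new_bond=True))
        acc.leave_pairing_mode()
        # Constructed stranger address; the earbuds are simply being used now.
        accepted = handler(acc, PairingRequest("BB:BB:BB:BB:BB:02", wants_new_bond=True))
        results[name] = accepted
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: stranger's bond request accepted = {accepted}")
```

The hardened handler makes the user's deliberate action (entering pairing mode) a precondition for creating any new bond, which is exactly the gate the article says is often missing; reconnection of already-bonded devices is unaffected, so the fix does not break normal use.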

Once the connection is established, the attacker gains full control of the accessory, able to inject disruptive sounds or, in a far more serious scenario, activate the built-in microphone to intercept private and ambient conversations.

From listening to stalking

The implications of WhisperPair go far beyond a simple privacy breach and extend to the user’s physical safety. The researchers highlighted a particularly alarming scenario involving Google’s Find My Device network (or Find Hub), the system used to locate lost devices.

If an attacker manages to pair with the accessory before its owner does, or if the victim uses the headphones with a non-Android device (such as an iPhone) without ever registering them to a Google account, the attacker can register their own account as the legitimate ‘owner’ of the hardware.

In this scenario, the accessory becomes effectively a tracking device in the hands of the attacker. Leveraging Google’s vast localization network, the attacker can follow the victim’s movements in real time.

Although there are anti-stalking notifications designed to alert users to unwanted tracking, researchers note that these alerts could be confused with system errors, as they would indicate that your own headphones are tracking you.

Google has classified this vulnerability as critical, assigning it the code CVE-2025-36911, and has worked to distribute fixes, though researchers have demonstrated that some initial patches were bypassable within a few hours.

The challenge of updates and at-risk devices

Fixing this issue presents a significant challenge. Unlike smartphone OS updates, which occur centrally, the WhisperPair fix often requires a specific firmware update for the audio accessory.

This means the user must download the manufacturer’s own proprietary application for the headphones and manually install the update, a procedure that many consumers ignore or skip.

The researchers tested 25 commercial devices from 16 different manufacturers, finding that as many as 68% were vulnerable to the attack. The brands involved are among the most well-known in the industry, including Sony, JBL, Jabra, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google itself.

Although many manufacturers have already released or are working on software fixes after being alerted, the fragmentation of the IoT (Internet of Things) market makes it difficult to guarantee that all devices are secured promptly.

To check whether your device is at risk, it is essential to consult the manufacturer’s official communications. Below we provide the list of specific models that researchers confirmed to be vulnerable during their tests, noting that the list may not be exhaustive:

  • Anker soundcore Liberty 4 NC
  • Google Pixel Buds Pro 2
  • JBL TUNE BEAM
  • Jabra Elite 8 Active
  • Marshall MOTIF II A.N.C.
  • Nothing Ear (a)
  • OnePlus Nord Buds 3 Pro
  • Sony WF-1000XM5
  • Sony WH-1000XM4
  • Sony WH-1000XM5
  • Sony WH-1000XM6
  • Sony WH-CH720N
  • Xiaomi Redmi Buds 5 Pro

Luca Zaninello

A lifelong enthusiast of the mobile phone world, for more than a decade he has been testing products hands-on and sharing his experiences with readers on the web. An amateur photographer, he has a special eye for the most extravagant camera phones.
