Security researchers discovered CVE-2025-36911 (WhisperPair), a critical vulnerability in Google's Fast Pair protocol affecting hundreds of millions of Bluetooth audio devices. Attackers within 14 meters can forcibly pair with vulnerable headphones, earbuds, and speakers to eavesdrop, hijack audio, or track users via Google's Find Hub network.

Security researchers at KU Leuven's Computer Security and Industrial Cryptography group have uncovered a fundamental flaw in Google's Fast Pair protocol that compromises millions of Bluetooth audio devices. Dubbed WhisperPair (CVE-2025-36911), this vulnerability enables attackers to forcibly pair with vulnerable headphones, earbuds, and speakers without user interaction.
How the Exploit Works
The vulnerability stems from manufacturers failing to implement a critical safeguard in the Fast Pair specification. According to KU Leuven researchers: "The Fast Pair specification states that if an accessory is not in pairing mode, it should disregard pairing requests. However, many devices fail to enforce this check in practice."
This oversight allows attackers using any Bluetooth-enabled device (like a laptop or Raspberry Pi) to:
- Initiate unauthorized pairing within a 14-meter range
- Complete the connection in seconds without physical access
- Gain full control of the compromised audio device
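The missing safeguard quoted above, shown as an added example that is not code from the researchers, Google, or any vendor: a simplified accessory model with the unchecked handler beside one that disregards requests outside pairing mode, plus a regression check a firmware test suite could run against either. All type and function names are hypothetical, and real Fast Pair message handling is not modelled.

```c
#include <stdbool.h>

/* Simplified accessory state (assumption: real firmware tracks far more). */
typedef struct {
    bool in_pairing_mode;  /* set only when the user starts pairing mode */
    int  bonds;            /* number of hosts the accessory has bonded with */
} accessory_t;

typedef enum { REQ_DISREGARDED, REQ_ACCEPTED } result_t;
typedef result_t (*handler_fn)(accessory_t *);

/* Behaviour the researchers describe: no pairing-mode check at all. */
result_t handle_request_unchecked(accessory_t *acc) {
    acc->bonds++;
    return REQ_ACCEPTED;
}

/* Behaviour the specification asks for: disregard unless in pairing mode. */
result_t handle_request_checked(accessory_t *acc) {
    if (!acc->in_pairing_mode)
        return REQ_DISREGARDED;  /* drop the request, leave state untouched */
    acc->bonds++;
    return REQ_ACCEPTED;
}

/* Regression check: true only if the handler drops every request received
 * outside pairing mode and still pairs normally inside it. */
bool handler_conforms(handler_fn handle) {
    accessory_t idle = { .in_pairing_mode = false, .bonds = 1 };
    for (int i = 0; i < 5; i++) {  /* repeated requests must all be dropped */
        if (handle(&idle) != REQ_DISREGARDED || idle.bonds != 1)
            return false;
    }
    accessory_t pairing = { .in_pairing_mode = true, .bonds = 0 };
    if (handle(&pairing) != REQ_ACCEPTED || pairing.bonds != 1)
        return false;
    return true;
}

int main(void) {
    /* Exit status 0 when the checked handler passes and the unchecked one fails. */
    bool ok = handler_conforms(handle_request_checked) &&
              !handler_conforms(handle_request_unchecked);
    return ok ? 0 : 1;
}
```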
Triple Threat Impact
Successful exploitation creates three distinct attack vectors:
- Eavesdropping: Attackers can remotely activate microphones on compromised devices to listen to conversations
- Audio Hijacking: Malicious actors can blast unwanted audio at maximum volume
- Location Tracking: Through Google's Find Hub network, attackers can monitor victims' movements if the device has never been paired with an Android phone
Notably, the tracking capability creates persistent risk. Researchers warn: "Victims might see an unwanted tracking notification after hours or days, but it appears as their own device. This often leads users to dismiss the warning as a bug."
Affected Devices and Vendor Response
The vulnerability impacts products from Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi. Google awarded KU Leuven researchers its maximum $15,000 bounty and coordinated patches during a 150-day disclosure period. However, firmware updates remain unavailable for many affected devices.
Critical Protection Measures
- Prioritize firmware updates: Immediately check your device manufacturer's support page for Bluetooth accessory patches
- Understand mitigation limitations: Disabling Fast Pair in Android settings does not protect vulnerable accessories, because the flaw resides in the accessory's firmware
- Monitor for tracking alerts: Investigate any unexpected "device found" notifications instead of dismissing them
This vulnerability affects users on both iOS and Android, since the flaw resides in the Bluetooth accessories themselves. Until manufacturers deliver comprehensive firmware updates, millions of devices remain exposed to silent takeover by nearby attackers.
For technical details, see the original KU Leuven research and Google's Fast Pair specification.
