WhisperPair Vulnerability Exposes Millions of Bluetooth Devices to Hijacking and Tracking

Security researchers from KU Leuven's Computer Security and Industrial Cryptography group have uncovered a fundamental vulnerability in Google's Fast Pair protocol that affects hundreds of millions of Bluetooth audio devices across major manufacturers. The flaw, tracked as CVE-2025-36911 and nicknamed "WhisperPair," exposes a design oversight that allows attackers to hijack wireless headphones, earbuds, and speakers without any user interaction.

The WhisperPair Mechanism

The vulnerability stems from a simple but critical implementation failure in how manufacturers handle Fast Pair discovery messages. According to the Fast Pair specification, when a device receives a pairing request, it should only respond if explicitly placed into pairing mode. This prevents unauthorized devices from initiating unwanted connections.

However, the research team discovered that numerous flagship audio accessories skip this essential check. As the KU Leuven researchers explained: "To start the Fast Pair procedure, a Seeker (a phone) sends a message to the Provider (an accessory) indicating that it wants to pair. The Fast Pair specification states that if the accessory is not in pairing mode, it should disregard such messages. However, many devices fail to enforce this check in practice."

This oversight creates a dangerous attack vector. An attacker within 14 meters can use any Bluetooth-capable device—laptop, Raspberry Pi, or smartphone—to scan for vulnerable accessories. When a vulnerable device responds to the discovery probe, the attacker completes the Fast Pair handshake, establishing a regular Bluetooth connection with full privileges.

Attack Scenarios and Impact

Once paired, attackers gain complete control over the audio device. The most immediate threats include:

Audio Hijacking: Attackers can blast high-volume audio through the device, potentially causing hearing damage or creating public disturbances. This could be used to harass victims or mask other malicious activities.

Eavesdropping: With microphone access, attackers can turn the device into a listening implant. Since many premium headphones have quality microphones, this provides clear audio surveillance of the victim's environment.

Location Tracking: Perhaps the most insidious abuse involves Google's Find Hub network. If a vulnerable accessory has never been paired with an Android device, an attacker can pair it and immediately add it to their own Google account. The device then reports its location to the attacker through Find Hub.

The tracking notification system contains a critical UX flaw. Victims eventually receive a warning about an unknown tracker following them, but the notification displays the victim's own device name. This contradiction leads many users to dismiss it as a system bug, allowing attackers to maintain surveillance for extended periods.

Affected Platforms and Manufacturers

WhisperPair affects devices regardless of the host smartphone's operating system. iPhone users with vulnerable Bluetooth accessories face identical risks as Android users. The vulnerability exists in the accessory firmware, not the phone OS.

Confirmed affected manufacturers include:

• Google (Pixel Buds)
• Jabra (Elite series)
• JBL (various wireless models)
• Logitech (UE and other audio products)
• Marshall (Bluetooth speakers and headphones)
• Nothing (Ear earbuds)
• OnePlus (Buds series)
• Sony (WF and WH series)
• Soundcore (Anker audio products)
• Xiaomi (various Bluetooth audio devices)

This list represents major brands covering the majority of the premium Bluetooth audio market.

Remediation and Mitigation

Google responded swiftly to the disclosure, awarding the researchers the maximum bug bounty of $15,000. The company coordinated with manufacturers during the standard 150-day disclosure window to develop and release patches.

However, patching Bluetooth accessories presents unique challenges:

1. Firmware Update Process: Unlike smartphones, most Bluetooth devices lack automatic update mechanisms. Users must often use manufacturer-specific mobile apps to initiate updates, which requires awareness of the vulnerability.

2. Update Availability: As of the disclosure, not all manufacturers have released patches. Some older models may never receive updates, leaving them permanently vulnerable.

3. No User Workaround: Disabling Fast Pair on Android phones does not protect against the attack. The vulnerability exists in the accessory firmware, which cannot be reconfigured by users.

What Users Should Do

Immediate Actions:

• Check manufacturer websites or support apps for firmware updates for your Bluetooth audio devices
• Be cautious about pairing requests or unexpected device behavior
• Review paired devices in your phone's Bluetooth settings and remove unknown connections

Long-term Considerations:

• When purchasing new Bluetooth accessories, verify the manufacturer's security update policy
• Consider devices from vendors with strong security track records and long-term support commitments
• Be aware that Bluetooth accessories may become security liabilities without ongoing firmware support

Broader Implications

WhisperPair highlights a systemic issue in the IoT and accessory ecosystem. The Fast Pair specification was properly designed with security in mind, but the implementation gap between specification and product creates widespread vulnerability.

This pattern repeats across many IoT protocols. Specifications may mandate security checks, but manufacturers often prioritize convenience and compatibility over strict security enforcement. The result is a fragile ecosystem where one implementation flaw affects millions of devices across multiple brands.

The tracking abuse also reveals how legitimate features can be weaponized. Google's Find Hub provides valuable functionality for locating lost devices, but the notification system's design inadvertently helps attackers evade detection.

For the security community, WhisperPair demonstrates the importance of auditing not just protocol specifications, but actual implementations across diverse hardware. Protocol-level security means nothing if manufacturers don't enforce the rules in their firmware.

The vulnerability serves as a reminder that Bluetooth accessories are not just passive peripherals—they are computing devices with their own firmware, memory, and wireless capabilities that require the same security attention as smartphones and computers.