Security researchers have uncovered a serious Bluetooth vulnerability that could allow hackers to silently hijack wireless headphones, earbuds, and speakers — turning everyday audio devices into tools for spying and tracking.
The flaw, known as WhisperPair (CVE-2025-36911), was uncovered by researchers from the Computer Security and Industrial Cryptography (COSIC) group at KU Leuven University in Belgium.
It targets Google’s Fast Pair feature, a popular system designed to make Bluetooth pairing quick and effortless. Researchers say the same convenience that made Fast Pair successful has now exposed hundreds of millions of devices to significant privacy risks.
A Flaw Hidden Inside Accessories
The issue lies not in smartphones, but within the Bluetooth accessories themselves. According to COSIC researchers, many manufacturers failed to properly implement a basic security check required by the Fast Pair protocol.
In theory, Bluetooth accessories should only accept pairing requests when they are placed in “pairing mode.” In practice, many devices ignore this rule, allowing unauthorized devices nearby to initiate pairing forcefully without any user interaction or warning.
Once paired, attackers can gain full control of the accessory.
“To start the Fast Pair procedure, a Seeker (a phone) sends a message to the Provider (an accessory) indicating that it wants to pair. The Fast Pair specification states that if the accessory is not in pairing mode, it should disregard such messages,” the researchers said.
“However, many devices fail to enforce this check in practice, allowing unauthorised devices to start the pairing process. After receiving a reply from the vulnerable device, an attacker can finish the Fast Pair procedure by establishing a regular Bluetooth pairing.”
What Attackers Can Do
Using any Bluetooth-capable device — such as a phone, laptop, or Raspberry Pi — attackers can hijack vulnerable headphones from distances of up to 14 meters in less than 15 seconds. Once connected, researchers demonstrated that attackers can:
- Eavesdrop on conversations through built-in microphones
- Inject audio or blast sound at high volume
- Track a user’s location via Google’s Find Hub network
- Maintain access for days before the victim notices anything unusual
In some cases, users may eventually see tracking alerts that appear to come from their own device, making it easy to dismiss them as a glitch.
Who Is Affected
The researchers tested 17 Fast Pair–enabled audio devices from 10 major brands, including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google. More than two-thirds of the tested devices were vulnerable to forced pairing, and every successfully hijacked device allowed microphone access.
Alarmingly, the flaw also affects iPhone users, even if they’ve never owned an Android phone, because the vulnerability exists in the accessories themselves.
Google’s Response
Google awarded the researchers a $15,000 bug bounty, the highest possible, for discovering the flaw and coordinated with manufacturers during a 150-day disclosure period to develop fixes. The search giant says it has not seen evidence of real-world exploitation beyond lab testing.
While several manufacturers have released patches for their affected devices, software updates may not yet be available for every vulnerable device.
What Users Should Do Now
Currently, the only effective protection is installing a software update issued by the manufacturer of the accessory. Until patches are fully deployed, security experts recommend users to:
- Update headphones and earbuds using official manufacturer apps
- Keep smartphones fully updated
- Remove unused or unknown paired Bluetooth devices
- Turn off Bluetooth when not in use
- Avoid Bluetooth pairing in public places
- Reset and re-pair accessories after firmware updates
For people handling sensitive conversations or data, experts suggest using wired audio options until updates are confirmed.
