A critical vulnerability in Google\u2019s Fast Pair protocol that allows attackers to hijack Bluetooth audio accessories and track users without their knowledge or consent.\u200b<\/p>\n
Security researchers from KU Leuven have uncovered a vulnerability, tracked as CVE-2025-36911 and dubbed WhisperPair, that affects hundreds of millions of wireless earbuds, headphones, and speakers from major manufacturers.<\/p>\n
Including Sony, Anker, Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Soundcore, and Xiaomi.<\/p>\n
Google classified the issue as critical and awarded the researchers the maximum possible bounty of $15,000.\u200b The flaw stems from the improper implementation of the Fast Pair protocol<\/a>.<\/p>\n According to the Fast Pair specification, Bluetooth accessories should ignore pairing requests when not in pairing mode.<\/p>\n However, many flagship devices fail to enforce this critical security check, allowing unauthorized devices to initiate the pairing process without user interaction.\u200b<\/p>\n Attackers can exploit WhisperPair using any standard Bluetooth-capable device such as a laptop, smartphone, or Raspberry Pi.<\/a><\/p>\n The attack succeeds within a median of 10 seconds at ranges up to 14 meters without requiring physical access to the vulnerable device.<\/p>\n Once paired, attackers gain complete control over the audio accessory, enabling them to play audio at high volumes or record conversations through the built-in microphone.\u200b<\/p>\n Additionally, if an accessory has never been paired with an Android device, attackers can add it to their own Google account and track the victim\u2019s location using Google\u2019s<\/a> Find Hub network.<\/p>\n The tracking notification that appears shows the victim\u2019s own device, which may lead users to dismiss the warning as a system bug<\/a>, allowing prolonged surveillance.\u200b<\/p>\n The vulnerability affects users across all platforms because the flaw exists in the accessories themselves, not in smartphones.<\/p>\n iPhone users with vulnerable Bluetooth devices face the same risks as Android users. Since Fast Pair functionality cannot be disabled on accessories, even users outside the Android ecosystem remain vulnerable.\u200b<\/p>\n The WhisperPair researchers reported<\/a> their findings to Google in August 2025, agreeing to a 150-day disclosure window for manufacturers to release security patches.<\/p>\n The only effective mitigation is installing firmware updates from device manufacturers.<\/p>\n While many manufacturers have released patches, software updates may not yet be available for all vulnerable devices.<\/p>\n Users should consult their accessory\u2019s manual for firmware update instructions and verify patch availability directly with manufacturers.\u200b<\/p>\n The WhisperPair vulnerability represents a systemic failure, as vulnerable devices passed both manufacturer quality assurance and Google\u2019s certification process before reaching the market at scale.\u200b<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post WhisperPair Attack Allows Hijacking of Laptops, Earbuds Without User Consent \u2013 Millions Affected<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCritical Flaw in Fast Pair Implementation<\/strong><\/h2>\n
![\"Attacker's](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEit3w3P0mPdKwNPqntTZ6DQJR9KEvKKbtUPHiktetwkeGhSzC2Y24OGd8EWDTaBwcm0AJeDFQ-bCNhHgC0ElAuv9vx-4-2ZeD4p2Nolut9JBCyz6v_XuPW2QJ8QEx2X7DuEj_AHBil1OkObkv3S0EVyqi3AaUpW1BTau3e9V2k9vPy3Klp4eGEP_0SHV-I\/s1600\/Screenshot%25202026-01-20%2520105824%2520%25281%2529.webp?ssl=1\")
![\"Unwanted](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgmt0MjaNNv6JmekLSsNB9YYrql6GYo0Rzv8ueIDDtT-bZbL0aBb_sLyGJFiG8zbsrgdkA33IksqIihmnOWEzZFU5coEKJyvaolZ24t5XA8Y64UgjiDZkNgNjnIUqW3A2DSGRf-iBXKSd8BOK1eipFws3HL54M0puwAVS_8Ur6ycGeFunwmivyPsGxeN1w\/s1600\/Screenshot%25202026-01-20%2520105844%2520%25281%2529.webp?ssl=1\")
Cross-Platform Vulnerability<\/strong><\/h2>\n