January 20, 2026

Bluetooth Vulnerability Leaves Millions of Wireless Devices Exposed to Eavesdropping and Location Tracking

A newly disclosed vulnerability in Google’s Fast Pair protocol could allow an attacker to silently commandeer the Bluetooth headphones or earbuds you’re wearing right now, with no user interaction required. Tracked as CVE-2025-36911 and dubbed “WhisperPair” by the researchers who discovered it, the flaw lets attackers forcibly pair with vulnerable wireless accessories that support Fast Pair, giving them microphone access and even allowing them to track victims’ locations through Google’s Find Hub network. The attack requires no specialized equipment, only a phone or a laptop.

Researchers at KU Leuven’s Computer Security and Industrial Cryptography group uncovered the vulnerability. They found that numerous flagship audio accessories from Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi fail to implement a fundamental security check required by the Fast Pair specification.

When a device attempts to initiate Fast Pair, the specification explicitly requires that accessories ignore such requests unless they’re actively in pairing mode. In practice, many products skip this verification entirely.

“The Fast Pair specification states that if the accessory is not in pairing mode, it should disregard such messages,” the researchers explained. “However, many devices fail to enforce this check in practice, allowing unauthorised devices to start the pairing process.”

This vulnerability isn’t a flaw in a single device or chipset. The researchers found vulnerable products across multiple vendors and hardware platforms. These devices passed both the manufacturer’s quality assurance and Google’s own certification process. 
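The missing check described above is a state-machine gate in accessory firmware: a key-based pairing request must be disregarded unless the user has put the device into pairing mode. The following is an added example written for this article, not code from the researchers, Google, or any affected vendor. It is a deliberately simplified model: the `pairing_request_t` struct, the state names, and the timed pairing window are assumptions for illustration and do not reproduce the Fast Pair wire format. It places the vulnerable handler (request honoured in any state) beside the hardened one (request honoured only inside a user-opened, bounded pairing window) and counts rejected requests so firmware could surface them for diagnostics.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the pairing-mode gate a Fast Pair
 * accessory should enforce. Constructed for illustration: the message
 * struct and state names are assumptions, not the Fast Pair wire format. */

typedef enum { ACC_IDLE, ACC_PAIRING_MODE, ACC_PAIRED } acc_state_t;

typedef struct {
    acc_state_t state;
    uint32_t pairing_deadline;   /* seconds on a monotonic clock; meaningful only in ACC_PAIRING_MODE */
    uint32_t rejected_requests;  /* counter the firmware could expose for diagnostics */
} accessory_t;

typedef struct {
    uint8_t requester_addr[6];   /* hypothetical: address of the device asking to pair */
} pairing_request_t;

static void accessory_init(accessory_t *acc) {
    memset(acc, 0, sizeof(*acc));
    acc->state = ACC_IDLE;
}

/* User presses the pairing button: open a bounded pairing window. */
static void enter_pairing_mode(accessory_t *acc, uint32_t now, uint32_t window_s) {
    acc->state = ACC_PAIRING_MODE;
    acc->pairing_deadline = now + window_s;
}

/* Vulnerable pattern: the request is honoured no matter what state the accessory is in. */
static bool handle_pairing_request_vulnerable(accessory_t *acc, const pairing_request_t *req, uint32_t now) {
    (void)req; (void)now;
    acc->state = ACC_PAIRED;
    return true;
}

/* Hardened pattern: disregard the request unless the accessory is in pairing mode,
 * and treat an expired window as "not in pairing mode". */
static bool handle_pairing_request_hardened(accessory_t *acc, const pairing_request_t *req, uint32_t now) {
    (void)req;
    if (acc->state != ACC_PAIRING_MODE) {
        acc->rejected_requests++;
        return false;
    }
    if (now >= acc->pairing_deadline) {
        acc->state = ACC_IDLE;           /* window lapsed: close it and reject */
        acc->rejected_requests++;
        return false;
    }
    acc->state = ACC_PAIRED;             /* legitimate, user-initiated pairing */
    return true;
}

/* Scenario: an unsolicited request arrives while the accessory is idle.
 * Returns whether the chosen handler lets it pair. */
bool unsolicited_request_pairs(bool hardened) {
    accessory_t acc; accessory_init(&acc);
    pairing_request_t req = { { 0xAA, 0xBB, 0xCC, 0x00, 0x00, 0x01 } };  /* constructed address */
    return hardened ? handle_pairing_request_hardened(&acc, &req, 100)
                    : handle_pairing_request_vulnerable(&acc, &req, 100);
}

/* Scenario: the request arrives inside the user-opened window; the hardened path should pair. */
bool request_in_window_pairs(void) {
    accessory_t acc; accessory_init(&acc);
    pairing_request_t req = { { 0xAA, 0xBB, 0xCC, 0x00, 0x00, 0x02 } };  /* constructed address */
    enter_pairing_mode(&acc, 100, 60);                                   /* window: t=100..160 */
    return handle_pairing_request_hardened(&acc, &req, 130);
}

/* Scenario: the request arrives after the window expired; the hardened path rejects and returns to idle. */
bool expired_window_rejects_and_idles(void) {
    accessory_t acc; accessory_init(&acc);
    pairing_request_t req = { { 0xAA, 0xBB, 0xCC, 0x00, 0x00, 0x03 } };  /* constructed address */
    enter_pairing_mode(&acc, 100, 60);
    bool paired = handle_pairing_request_hardened(&acc, &req, 200);
    return !paired && acc.state == ACC_IDLE && acc.rejected_requests == 1;
}

int main(void) {
    printf("idle accessory, vulnerable handler pairs: %s\n", unsolicited_request_pairs(false) ? "yes" : "no");
    printf("idle accessory, hardened handler pairs:   %s\n", unsolicited_request_pairs(true) ? "yes" : "no");
    printf("inside window, hardened handler pairs:    %s\n", request_in_window_pairs() ? "yes" : "no");
    printf("expired window rejected and idled:        %s\n", expired_window_rejects_and_idles() ? "yes" : "no");
    return 0;
}
```

The design point is that the gate lives entirely in the accessory: the phone's own Fast Pair setting plays no part in whether the firmware honours a request, which is why the article's later remediation advice (firmware updates, not phone settings) follows directly from where the check is missing. A bounded window also matters, since a device that stays in pairing mode indefinitely after a button press is only marginally better than one that never checks.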

WhisperPair Can Track Your Location

Once paired, an attacker has complete control over the compromised accessory. They could activate the microphone to eavesdrop on conversations. However, the tracking implications are equally concerning. If the victim has never connected their accessory to an Android device, an attacker can add the accessory to their own Google account and monitor the victim’s location through the Find Hub crowdsourced tracking network. The victim may eventually receive an unwanted tracking notification, but it will display their own device as the culprit. 

Critically, this vulnerability affects users regardless of their smartphone platform. Because the flaw resides in the accessories themselves rather than the connecting phone, iPhone users with vulnerable Bluetooth devices face identical risks.

Limited Remediation Options

Google classified the vulnerability as critical and awarded the researchers their maximum $15,000 bounty. After a 150-day coordinated disclosure window, many manufacturers have released firmware patches. Not all affected devices have updates available yet.

The only effective defense is to install firmware updates directly from the accessory manufacturers. Disabling Fast Pair on your Android phone won’t help, since the vulnerable behavior lives in the accessory’s firmware, and end users cannot toggle it off.

Visibility Into the Wireless Threat Landscape

Employees routinely bring wireless earbuds, headphones, and speakers into offices, conference rooms, and sensitive meeting spaces. As this research demonstrates, attackers can weaponize these devices without the owner’s knowledge.

Traditional endpoint security tools lack visibility into RF-based attacks. Bastille’s wireless intrusion detection platform continuously monitors the radio frequency spectrum to detect unauthorized Bluetooth pairing attempts and anomalous wireless behaviors, and alerts security teams to their exact indoor location. Bastille can help organizations detect events that would otherwise go unnoticed and enforce policies governing the use of such devices. When an attacker attempts to exploit a vulnerability like WhisperPair within your airspace, Bastille provides the situational awareness security teams need to identify and respond to the threat before sensitive conversations are compromised.

Close your cybersecurity gaps with AI-driven wireless visibility

See Bastille in action with a live demo from our experts in wireless threat detection.