Researchers uncover WhisperPair flaw that can hijack Bluetooth audio accessories
Researchers from Belgium's KU Leuven have disclosed WhisperPair, a family of vulnerabilities in implementations of Google's Fast Pair protocol, which is used to connect headphones, earbuds and other audio accessories. The research, reported privately to Google in August 2025 and assigned CVE-2025-36911, finds that many accessories skip a required check during Fast Pair.
A seeking device can send a pairing request that vulnerable providers (the accessories) accept even when they are not in pairing mode, allowing an attacker to complete a Bluetooth pairing and take control of the accessory. According to the team, attackers could tamper with controls, quietly record through built-in microphones and, in some cases, register a device to their own Google Find Hub account to track it; WhisperPair attacks were tested at ranges up to 14 meters.
The researchers published a catalog listing the products they tested, including devices from Google, Sony, Harman (JBL) and Anker, and note that both Android and iPhone users can be affected because the flaw lies in accessory implementations. The disclosure included a 150-day window and a $15,000 bug bounty, the outlet said.
Many vendors have issued patches, but some accessories remain vulnerable. The team says the only reliable prevention is a firmware update from the manufacturer; disabling Fast Pair on a phone is not believed to mitigate the risk because compatible accessories enable Fast Pair by default without an option to turn it off.