WhisperPair flaws in Fast Pair can let attackers hijack Bluetooth audio devices

Source: Zdnet.com

Researchers from KU Leuven have disclosed WhisperPair, a family of vulnerabilities in implementations of Google’s Fast Pair protocol, which is used to connect headphones, earbuds and other audio accessories to Bluetooth devices. The team, supported by Belgium’s Cybersecurity Research Program, says many accessories skip a required check during Fast Pair pairing. The research was first reported by Wired.

A Bluetooth “seeker” can send a pairing request to a “provider” even when the accessory is not in pairing mode; if the accessory fails to ignore that message, an attacker can complete the Fast Pair flow and establish regular Bluetooth pairing. The issue was reported to Google in August 2025 and was assigned CVE-2025-36911, rated critical; the researchers agreed to a 150-day disclosure window and received a $15,000 bug bounty.

The researchers say an attacker who covertly pairs to a vulnerable device can tamper with controls such as volume, potentially record conversations using built-in microphones, and — if the device supports but is not registered to Google’s Find Hub network — could register and track the accessory.

Tests showed attacks can be carried out wirelessly at ranges up to about 14 metres. The published list of tested products names devices from Google, Sony, Harman (JBL) and Anker as vulnerable; both Android and iPhone users with affected accessories can be at risk. The research team has published a searchable catalog so owners can check their model and see patch status.

