WhisperPair flaws in Fast Pair let attackers hijack Bluetooth audio devices

Source: Zdnet.com

Researchers at KU Leuven disclosed WhisperPair, a set of vulnerabilities in the implementation of Google's Fast Pair protocol, which is used to connect Bluetooth headphones, earbuds and other audio accessories. The team says the flaws can let an attacker hijack a device and potentially record conversations through its built-in microphone.

According to the researchers, WhisperPair arises because many accessories skip a required check during Fast Pair pairing. In Fast Pair, a seeker (a Bluetooth-enabled mobile device) sends a pairing request to a provider (the accessory). A provider that is not in pairing mode is required to ignore such requests, and vulnerable devices do not.

The issue was reported privately to Google in August 2025, assigned CVE-2025-36911 with a critical label, disclosed after a 150-day window, and earned a $15,000 bug bounty. If an attacker can complete the Fast Pair exchange with a vulnerable accessory, they can establish a regular Bluetooth pairing and obtain control over the device, including tampering with controls such as volume and quietly recording audio, the researchers say.

The researchers' tests reached ranges of up to 14 metres. The team also warns that attackers could register a device that has not yet been registered to their own account on Google's Find Hub network and use it to track its user. The user may ignore an unexpected tracking notification, because it will show only the user's own device.

