Your high-end Bluetooth headphones might be listening to more than just your music. A new report from researchers with KU Leuven’s Computer Security and Industrial Cryptography group has unveiled a critical flaw in the Google Fast Pair standard, leaving hundreds of millions of flagship audio devices open to hijacking and tracking.
Dubbed WhisperPair, this family of attacks exploits a “chain of compliance failures” in how manufacturers implement Google’s convenient one-tap pairing technology.
Google Fast Pair was designed for convenience, allowing Android users to connect accessories with a single tap. However, the researchers discovered that this ease of use came at a steep security cost. By neglecting a critical step in the pairing verification process, many device manufacturers have inadvertently created a backdoor for attackers.
The attack mechanism is simple. An attacker using commodity hardware can force a pairing request to a vulnerable device within Bluetooth range—without the user ever knowing.
“The consequences of WhisperPair are severe, allowing an attacker to pair with a vulnerable device in seconds. The attack can be performed using commodity hardware and does not require user interaction.”
Once paired, the implications go far beyond a mere nuisance. The attacker gains complete control over the accessory. They can blast audio at high volumes or, potentially more sinister, use the device’s microphone to eavesdrop on conversations.
Perhaps most concerning is the potential for physical stalking. The report notes that in certain scenarios, an attacker could add the compromised accessory to the “Find Hub Network” using a malicious account, effectively turning the victim’s own headphones into a tracking beacon.
The researchers emphasize that this isn’t just a coding bug; it’s a breakdown in the certification ecosystem. The vulnerability slipped past checks at the implementation, validation, and certification levels.
“This shows a chain of compliance failures in Google Fast Pair, as the vulnerability failed to be detected on all three levels: implementation, validation, and certification.”
The team reported the issue to Google in August 2025. Recognizing the severity, Google classified it as critical (CVE-2025-36911) and awarded the researchers a $15,000 bounty.
While Google has worked with partners during a 150-day disclosure window to push fixes, the solution isn’t universal. Because the flaw lies in the firmware of the accessories themselves, users are at the mercy of individual manufacturers to release updates.
Security experts recommend that users of Fast Pair-enabled devices immediately check their manufacturer’s companion apps for firmware updates to ensure they aren’t vulnerable to this silent takeover.