A newly disclosed vulnerability dubbed WhisperPair could let attackers secretly pair with popular earbuds and headphones, seize control, and tap their microphones from across the room. The research, led by KU Leuven and first detailed by independent reporting, ties the issue to flawed implementations of Google’s Fast Pair protocol. The bug carries a critical designation under CVE-2025-36911, and the researchers received a $15,000 bounty after private disclosure.
What WhisperPair Exploits in Google’s Fast Pair Protocol
Fast Pair streamlines Bluetooth setup by letting a “seeker” device, like a phone or laptop, discover and quickly connect to a nearby “provider,” such as earbuds. The protocol expects accessories to accept pairing only when they’re explicitly in pairing mode. WhisperPair shows that many products skip this critical state check. If that guardrail is missing, an attacker can initiate pairing even when the accessory isn’t supposed to be available.

Once a vulnerable device responds, the attacker can complete the process as a normal Bluetooth pairing. In tests, researchers demonstrated wireless attacks at distances up to roughly 14 meters, enough to cover many office spaces, cafés, classrooms, and airport gates.
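The pairing-mode check described above can be modeled in a few lines of firmware-style C. This is an added example, not code from the researchers or any vendor; the handler names, the `provider_t` struct, and the 60-second pairing window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a Fast Pair provider (e.g. earbuds). All names and the
 * 60-second window are assumptions for illustration, not vendor firmware. */
#define PAIRING_WINDOW_MS 60000u

typedef struct {
    bool     pairing_mode;       /* set only by an explicit user action */
    uint32_t pairing_started_ms; /* tick when pairing mode was entered */
    uint32_t rejected;           /* refused requests, usable as telemetry */
    uint32_t bonds;              /* completed pairings */
} provider_t;

/* Called on an explicit user action such as holding the pairing button. */
void enter_pairing_mode(provider_t *p, uint32_t now_ms) {
    p->pairing_mode = true;
    p->pairing_started_ms = now_ms;
}

/* Flawed pattern: the request is honoured without checking provider state. */
bool handle_pairing_request_flawed(provider_t *p, uint32_t now_ms) {
    (void)now_ms;
    p->bonds++;
    return true;
}

/* Hardened handler: proceed only inside a live, user-initiated window. */
bool handle_pairing_request_checked(provider_t *p, uint32_t now_ms) {
    /* Unsigned subtraction stays correct across tick-counter wraparound. */
    bool window_open = p->pairing_mode &&
        (uint32_t)(now_ms - p->pairing_started_ms) < PAIRING_WINDOW_MS;
    if (!window_open) {
        p->pairing_mode = false; /* expire a stale window */
        p->rejected++;
        return false;            /* ignore the request, no bond created */
    }
    p->pairing_mode = false;     /* one pairing per user action */
    p->bonds++;
    return true;
}

int main(void) {
    provider_t buds = {0};       /* idle: user never entered pairing mode */
    int flawed  = handle_pairing_request_flawed(&buds, 1000);
    int checked = handle_pairing_request_checked(&buds, 1000);
    printf("flawed=%d checked=%d rejected=%u\n", flawed, checked, (unsigned)buds.rejected);
    return 0;
}
```

The `rejected` counter is the kind of signal a companion app could surface, since repeated refused requests outside pairing mode indicate someone nearby is probing the accessory.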
Who Is at Risk and Which Earbuds and Headphones Are Affected
This is not an Android-only problem. The flaw resides in how accessories implement Fast Pair, so iPhone users with affected earbuds or headphones are exposed, too. Models from major brands including Google, Sony, Harman’s JBL, and Anker were identified among vulnerable products in the researchers’ testing catalog. Not every model is impacted; it depends on the firmware and how the vendor implemented the protocol.
The risk extends beyond eavesdropping. If an accessory supports Google’s device-finding network but hasn’t been registered by its owner, an attacker may be able to enroll it to their account and track its movements. Users may see a tracking alert, but the notification can be misleading, making it easy to dismiss.
What Attackers Could Do After Covertly Pairing to Devices
After covertly pairing, an adversary could control audio playback, change volume, and, most worrying, access on-device microphones to capture nearby conversations. Think of someone in a shared workspace or a busy terminal silently connecting to buds left open on a desk or worn during a call. The researchers emphasize that this is a real-world, over-the-air attack—not one requiring physical access—so the practical exposure is substantial.

How to Fix It Now with Firmware Updates and Safety Steps
The only reliable fix is a firmware update from the accessory maker. Patches are being issued on a product-by-product basis. Here’s what to do:
- Open the accessory’s companion app (for example, from Google, Sony, JBL, or Anker) and check for firmware updates. Install any available update, even if your model is listed as “not vulnerable,” to ensure you have the latest protection.
- Visit your brand’s support pages and the public device list released by the researchers to verify your model’s status. Use the catalog’s search to find vendor and product names and confirm whether a patch exists.
- If your accessory supports a device-finding network, complete its setup so it’s associated with your own account, and monitor for unexpected tracking alerts.
- Reset the accessory and re-pair it with your devices if you suspect unauthorized pairing. Keep earbuds in their case or powered off when not in use, especially in crowded environments.
Important: Disabling Fast Pair on your phone does not mitigate this issue. According to the researchers, accessories typically have Fast Pair enabled by default and do not offer a switch to turn it off; the flaw is in the accessory’s firmware logic, not your handset. A vendor patch is the only durable remedy.
Why This Matters for Everyday Bluetooth Audio Security
Bluetooth audio is everywhere. The Bluetooth Special Interest Group estimates that more than 5 billion Bluetooth devices ship annually, with true wireless earbuds among the fastest-growing categories. A flaw that lets an attacker silently pair and listen in turns a convenience feature into a surveillance risk, especially in settings where confidential discussions happen in public spaces or open-plan offices.
What We Know About Coordination, Disclosure, and Patching
KU Leuven’s team reported WhisperPair to Google under coordinated disclosure, which resulted in the critical CVE-2025-36911 classification and a $15,000 bug bounty. The researchers have published testing results for a range of earbuds and headphones and are urging manufacturers to ship firmware that strictly enforces pairing-mode checks as the protocol intends.
Until your specific model receives an update, assume that nearby attackers could attempt to pair without your knowledge. Keep your firmware current, treat unexpected tracking or pairing prompts as red flags, and avoid discussing sensitive matters over vulnerable earbuds. The fix is straightforward once released—install it promptly and verify the version in the companion app.
