A newly disclosed flaw in implementations of Google’s Fast Pair protocol could let attackers quietly connect to your earbuds or headphones and use them to follow your movements—or even eavesdrop. The issue, nicknamed WhisperPair by researchers at KU Leuven’s Computer Security and Industrial Cryptography group (COSIC), stems from the way many popular audio devices handle pairing requests, and fixes require firmware updates from device makers.
What WhisperPair Is and How the Attack Works
Fast Pair is designed to make Bluetooth pairing seamless by letting a “seeker” (your phone or laptop) find and connect to a “provider” (earbuds, headphones, speakers) with minimal friction. The Fast Pair specification is clear that providers should only accept pairing while in pairing mode. COSIC’s testing shows that many Fast Pair-enabled devices ignore that guardrail and accept new pairing attempts whenever they’re simply powered on.

That gap opens the door to WhisperPair. From standard Bluetooth range—roughly the span of a room—an attacker can initiate pairing within seconds, without physical access. Once latched on, the attacker may be able to play sounds through your earbuds, capture audio from on-device microphones on supported models, or enroll the hijacked accessory into Google’s Find My Device network for passive location tracking via nearby Android phones.
Security researchers briefed Google months ago and demonstrated the attacks against multiple brands. Although Bluetooth range is finite, in crowded spaces like transit hubs or offices, an adversary could operate close enough without drawing attention.
Who Is at Risk from the WhisperPair Fast Pair Flaw
The vulnerability affects certain Fast Pair implementations across major brands. COSIC confirmed impact on models such as Sony WH-1000XM6, Pixel Buds Pro 2, Jabra Elite 8 Active, and Soundcore Liberty 4 NC, with indications that additional devices are susceptible. Because this is an implementation problem, exposure varies by firmware version and manufacturer.
There’s an important nuance: the researchers found WhisperPair reliably targets accessories that have never been properly bonded to a device via Fast Pair. If your earbuds are already Fast Paired to your Android phone, you’re less likely to be exposed. Ironically, owners who only ever paired their headphones with iPhones or non-Fast Pair devices could be at higher risk until they apply a firmware fix, because Fast Pair has never been used on the accessory, yet its flawed pairing behavior remains available.

Android and iOS both now show alerts about unknown trackers, following a cross-industry anti-stalking initiative by Google and Apple. However, COSIC warns that warnings tied to compromised earbuds could be dismissed by users because the accessory appears to belong to them, masking the threat.
What Google and Device Manufacturers Are Saying
Google says it worked with the researchers to address the issue and that it has not seen evidence of exploitation beyond lab demonstrations. Crucially, remediation sits with device makers: they need to release firmware updates that enforce correct Fast Pair behavior, rejecting unsolicited pairing attempts unless the accessory is explicitly in pairing mode.
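The pairing-mode check described above can be modeled in a few lines. This is an added sketch, not code from Google, COSIC, or any vendor's firmware; the `provider_t` struct, the function names, the timed pairing window, and the one-pairing-per-window rule are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical provider state; field names are assumptions for this sketch. */
typedef struct {
    bool     powered_on;
    bool     pairing_mode;        /* set only by an explicit user action */
    uint32_t pairing_deadline_ms; /* pairing mode expires at this time */
} provider_t;

/* User action (e.g. a button hold) opens a bounded pairing window. */
void enter_pairing_mode(provider_t *p, uint32_t now_ms, uint32_t window_ms) {
    p->pairing_mode = true;
    p->pairing_deadline_ms = now_ms + window_ms;
}

/* Flawed behaviour described in the article: being powered on is enough. */
bool accept_pairing_flawed(const provider_t *p) {
    return p->powered_on;
}

/* Hardened: require an open, unexpired pairing window and close it after use. */
bool accept_pairing_hardened(provider_t *p, uint32_t now_ms) {
    if (!p->powered_on || !p->pairing_mode)
        return false;
    /* Signed difference keeps the comparison correct across timer wraparound. */
    if ((int32_t)(now_ms - p->pairing_deadline_ms) >= 0) {
        p->pairing_mode = false; /* window expired */
        return false;
    }
    p->pairing_mode = false; /* one pairing per window (sketch's design choice) */
    return true;
}

int main(void) {
    provider_t buds = { .powered_on = true }; /* constructed sample state */
    printf("idle, flawed:   %d\n", accept_pairing_flawed(&buds));
    printf("idle, hardened: %d\n", accept_pairing_hardened(&buds, 1000));
    enter_pairing_mode(&buds, 2000, 30000);
    printf("in window:      %d\n", accept_pairing_hardened(&buds, 5000));
    printf("second request: %d\n", accept_pairing_hardened(&buds, 6000));
    return 0;
}
```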
According to COSIC and independent reporting, many vendors have already begun shipping patches. That fits a common pattern in consumer IoT security, where protocol-level guidance exists but device-side enforcement lags until a bug is publicized. Given the scale of the ecosystem—hundreds of millions of true wireless earbuds ship each year, according to market analysts like Counterpoint Research—even a small implementation flaw can ripple widely.
How to Protect Yourself from WhisperPair Right Now
- Update your firmware: Open your accessory’s companion app—such as Sony Headphones Connect, Jabra Sound+, Soundcore, JBL Headphones, or the Pixel Buds app—and check for updates. Apply updates for each device you own.
- Reboot and re-pair: After updating, reset the accessory if the vendor recommends it, then re-pair with your primary phone using Fast Pair to establish a secure bond.
- Control pairing windows: Only put earbuds into pairing mode when you intend to connect. Keep them in their case when not in use; many cases power accessories down, reducing exposure.
- Be mindful of proximity: Bluetooth attacks require closeness. Stay alert in crowded public places where an attacker could be within a few meters.
- Watch for tracking alerts: If your phone warns that a device is moving with you—even if it looks like your own earbuds—review the details and, if in doubt, reset the accessory and update its firmware.
Why This Earbud Fast Pair Vulnerability Matters
WhisperPair shows how “convenience” features can widen attack surface when specifications are implemented loosely. Earbuds are personal, worn for hours, and travel everywhere—making them potent tracking beacons if abused. When combined with the vast, crowdsourced reach of the Find My Device network across billions of Android phones, the privacy stakes rise even if the attacker never touches your phone.
The silver lining is that the fix is straightforward: enforce pairing-mode checks in firmware and keep accessories current. Until those updates reach every affected model, a bit of vigilance—plus a trip to your headphones’ settings—goes a long way.
