Bluetooth earbuds built for quick tap-and-go pairing are facing a new security reckoning. Security researchers from KU Leuven have revealed WhisperPair, a set of flaws tied to how many audio accessories implement Google’s Fast Pair protocol, enabling attackers to hijack earbuds, manipulate controls, and even track users through Google’s device-finding network. The issue has been assigned a critical severity under CVE-2025-36911, and while Google awarded a bug bounty for the discovery, the fix ultimately rests with accessory makers.
How Fast Pair flaws let attackers hijack vulnerable earbuds
Fast Pair was designed to eliminate pairing friction by letting a “seeker” device, such as a phone, quickly connect to a “provider” like earbuds and sync them across the owner’s account. KU Leuven’s team, backed by a national cybersecurity program, found that many earbuds and headphones skip a critical verification step: they accept Fast Pair messages even when they’re not in pairing mode. Wired first reported the findings, which impact products from major brands.

That implementation gap creates a door for nearby attackers. By spoofing a legitimate seeker, an adversary within wireless range can initiate and complete pairing with a vulnerable accessory, then proceed to full Bluetooth pairing without the user’s consent.
How WhisperPair exploits Fast Pair to seize accessory control
In a normal flow, an accessory should ignore Fast Pair requests unless it’s explicitly in pairing mode. WhisperPair abuses devices that fail to enforce that state check. Once a vulnerable earbud replies, the attacker can finish the handshake, seize control of playback and volume, and potentially access microphones if the model supports calls or voice assistants. The researchers demonstrated working attacks up to roughly 14 meters away—enough to target commuters in a café, office, or train car.
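The state check described above is the whole difference between a compliant provider and a WhisperPair-susceptible one. The following model, added here as an illustration and not code from the researchers, Google, or any accessory vendor, puts the vulnerable behaviour (answer any pairing request) beside the fixed behaviour (answer only while the user has put the device in pairing mode). The state and message names are a simplification of the Fast Pair flow rather than its real wire format, and the two sessions at the bottom are constructed. An audit helper shows how a log of pairing events can flag a pairing that no user action preceded.

```python
"""Minimal model of a Fast Pair *provider* (the earbud side) showing the
missing pairing-mode check that WhisperPair abuses, and the hardened variant.

Assumptions: the states, the PairingRequest message and the log lines are a
simplification for illustration, not the real Fast Pair protocol."""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()          # powered on, resting in the case or already connected
    PAIRING_MODE = auto()  # user pressed the pairing button / opened the case
    PAIRED = auto()


@dataclass
class PairingRequest:
    """A Fast Pair pairing request as seen by the provider (simplified)."""
    seeker_id: str


@dataclass
class Provider:
    enforce_pairing_mode: bool
    state: State = State.IDLE
    paired_seekers: list[str] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)

    def enter_pairing_mode(self) -> None:
        """Only an explicit user action moves the device into pairing mode."""
        self.state = State.PAIRING_MODE
        self.audit_log.append("user action: entered pairing mode")

    def handle_request(self, req: PairingRequest) -> bool:
        """Return True if the request is accepted and Bluetooth pairing proceeds.

        Vulnerable build (enforce_pairing_mode=False): answers any request,
        so a nearby seeker can pair without the user's consent.
        Fixed build (enforce_pairing_mode=True): answers only in PAIRING_MODE,
        and leaves that mode once one pairing completes."""
        if self.enforce_pairing_mode and self.state is not State.PAIRING_MODE:
            self.audit_log.append(f"rejected {req.seeker_id}: not in pairing mode")
            return False
        self.paired_seekers.append(req.seeker_id)
        self.state = State.PAIRED
        self.audit_log.append(f"paired with {req.seeker_id}")
        return True


def unsolicited_pairings(p: Provider) -> list[str]:
    """Audit helper: seekers that were paired with no preceding user action.

    Walks the provider's log in order; a 'paired with' line counts as
    unsolicited unless a 'user action' line armed it first."""
    armed = False
    unsolicited: list[str] = []
    for line in p.audit_log:
        if line.startswith("user action"):
            armed = True
        elif line.startswith("paired with"):
            if not armed:
                unsolicited.append(line.split("paired with ")[1])
            armed = False  # one user action authorises at most one pairing
    return unsolicited


def demo(enforce: bool) -> Provider:
    """Constructed session: an uninvited seeker sends a request while the
    device is idle, then the owner enters pairing mode and pairs their phone."""
    p = Provider(enforce_pairing_mode=enforce)
    p.handle_request(PairingRequest("uninvited-seeker"))  # device not in pairing mode
    p.enter_pairing_mode()
    p.handle_request(PairingRequest("owner-phone"))
    return p


if __name__ == "__main__":
    for enforce in (False, True):
        p = demo(enforce)
        print(f"enforce_pairing_mode={enforce}: paired={p.paired_seekers}, "
              f"unsolicited={unsolicited_pairings(p)}")
```

Run as a script, the vulnerable build ends up paired with both seekers and the audit helper flags the uninvited one; the fixed build rejects the first request and pairs only with the owner's phone. The important design point is that pairing mode is entered by a user action and consumed by a single successful pairing, so the window in which the device answers at all is as short as the user makes it.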
The surveillance risk doesn’t stop at audio. If an accessory supports Google’s Find My Device network and hasn’t been registered by its owner, an attacker could register it to their own account to track the accessory’s location. Victims may receive a generic notification but might dismiss it if it appears to reference their own hardware.
Which devices and users are exposed across platforms
This is not an Android-only issue. Because the flaw lives in accessory firmware, iPhone users with affected earbuds are equally exposed. The research team’s tests included popular models from Google, Sony, Harman’s JBL, and Anker, among others. Products that fully follow the Fast Pair spec are not vulnerable; the danger lies in inconsistent implementations across the ecosystem.
Importantly, disabling Fast Pair on your phone does not fix the problem. Most accessories have Fast Pair enabled by default with no user-facing toggle. The only reliable remedy is updated firmware from the manufacturer that enforces pairing-mode checks correctly.

Immediate steps to update and mitigate WhisperPair risks
Update your earbuds immediately. Open the vendor’s companion app—such as Sony Headphones Connect, JBL Headphones, Google Pixel Buds, or Anker Soundcore—check for firmware updates, and enable automatic updates where available. If your model supports over-the-air updates, keep the case charged and the buds connected until the process completes.
Confirm your model’s status using the researchers’ published database of tested accessories. If your product is listed as vulnerable, install any patch the moment it appears. If it’s marked not vulnerable, verify you’re on the latest firmware anyway, as model variants often differ by region and revision.
Reduce tracking exposure. If you use Android and plan to keep the accessory, register it to your own Google account within the Find My Device ecosystem to prevent a malicious first registration by an attacker. Periodically review connected accounts and remove unknown pairings. If you notice odd behavior—sudden volume changes, unexpected connection prompts, or unexplained battery drain—factory reset the accessory and re-pair it.
Limit the attack window when practical. Keep earbuds in their case when not in use, turn off power if your model allows it, and avoid accepting unexpected pairing prompts in crowded environments. These steps are not a substitute for a firmware fix, but they can reduce casual hijacking attempts.
Why these Fast Pair flaws pose serious privacy risks
Earbuds are intimate devices: they live in our ears, host microphones, and follow us everywhere. WhisperPair shows how small gaps in specification adherence can cascade into real-world privacy risks. The flaw has a CVE and a critical rating, and Google recognized the severity with a $15,000 bounty—yet the ecosystem fix requires dozens of vendors to ship patches and users to install them.
If you rely on wireless audio, treat this like any other urgent security advisory. Check your model, update now, and watch for vendor bulletins from brands like Google, Sony, JBL, and Anker. Until patches are widespread, the safest assumption is that unpatched earbuds within about 14 meters could be silently taken over by anyone motivated enough to try.