Researchers from the Computer Security and Industrial Cryptography (COSIC) group at KU Leuven have disclosed a critical Google Fast Pair vulnerability, tracked as CVE-2025-36911 and dubbed WhisperPair. The flaw allows attackers to silently take over millions of Bluetooth headphones and speakers, force connections, track users’ movements and, in some cases, activate microphones for covert eavesdropping.
What is Google Fast Pair and why WhisperPair is so dangerous
Google Fast Pair is a convenience protocol designed to make pairing Bluetooth accessories with phones almost effortless. When a compatible device is nearby, Android smartphones automatically detect it and display a one-tap pairing prompt. Thanks to this simplicity, Fast Pair is implemented in hundreds of millions of wireless earbuds, headphones and speakers from multiple brands.
The WhisperPair vulnerability affects the accessories themselves, not the phones. As a result, the risk is not limited to Android users: anyone using Fast Pair–enabled Bluetooth headsets, including iPhone and laptop owners, may be exposed if their accessory firmware is vulnerable.
How the WhisperPair vulnerability compromises Google Fast Pair
Specification vs. real‑world Fast Pair implementations
According to Google’s Fast Pair specification, an accessory must ignore pairing requests unless it is explicitly placed into pairing mode by the user—for example by pressing a button on the charging case or holding a key combination. This requirement is meant to ensure that only deliberate, user-initiated pairings are possible.
The COSIC analysis showed that many manufacturers either did not implement this check at all or implemented it incorrectly. On affected models, the accessory responds to Fast Pair requests even when it is not in pairing mode and the user has not tried to connect a new device.
Fast Pair uses a “Seeker–Provider” model, where the phone or computer (Seeker) sends a pairing request to the accessory (Provider). Properly implemented devices should discard such messages unless they are ready to pair. Vulnerable devices, however, respond and allow the attacker to continue the process, ultimately completing a standard Bluetooth pairing sequence without any user interaction.
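As an added illustration, not code from the COSIC researchers or from any vendor's firmware: a simplified C model of the Provider-side gate that the specification requires and that the affected accessories lack. The request and state structures, the 60-second pairing window and the function names are assumptions made for this example; the real Fast Pair message layout and key exchange are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of a Fast Pair Provider (the accessory). Not real firmware. */
typedef struct {
    bool pairing_mode;        /* true only after the user pressed the pairing button */
    uint32_t pairing_deadline_ms; /* when the pairing window closes (assumed 60 s) */
    bool bonded;              /* set once the pairing flow has completed */
} provider_t;

/* Constructed stand-in for a Seeker's pairing request; contents are irrelevant here. */
typedef struct { uint8_t payload[16]; } pairing_request_t;

enum { REQ_IGNORED = 0, REQ_ACCEPTED = 1 };

/* User action that opens the pairing window. */
void user_presses_pairing_button(provider_t *p, uint32_t now_ms) {
    p->pairing_mode = true;
    p->pairing_deadline_ms = now_ms + 60000u;
}

/* Vulnerable behaviour described in the article: the Provider answers every
 * pairing request, so a nearby Seeker can pair without any user action. */
int handle_request_vulnerable(provider_t *p, const pairing_request_t *req) {
    (void)req;
    p->bonded = true;           /* stand-in for completing Bluetooth pairing */
    return REQ_ACCEPTED;
}

/* Hardened behaviour per the specification: discard the request unless the
 * user has put the device into pairing mode, close the window on expiry,
 * and allow only one pairing per button press. */
int handle_request_hardened(provider_t *p, const pairing_request_t *req, uint32_t now_ms) {
    (void)req;
    if (!p->pairing_mode || now_ms > p->pairing_deadline_ms) {
        p->pairing_mode = false; /* expired or never opened: stay silent */
        return REQ_IGNORED;
    }
    p->bonded = true;
    p->pairing_mode = false;     /* window consumed by this pairing */
    return REQ_ACCEPTED;
}

int main(void) {
    provider_t p = {0};
    pairing_request_t req = {{0}};
    printf("vulnerable, no pairing mode: %d\n", handle_request_vulnerable(&p, &req));
    provider_t q = {0};
    printf("hardened, no pairing mode:   %d\n", handle_request_hardened(&q, &req, 1000));
    return 0;
}
```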
Realistic attack scenarios and technical requirements
Exploiting WhisperPair (CVE-2025-36911) does not require specialized equipment. An attacker can use an ordinary laptop, smartphone, or a small single-board computer such as a Raspberry Pi—anything with a Bluetooth radio is sufficient. Within a range of up to approximately 14 meters, the attacker can forcibly pair with susceptible accessories.
Tests indicate that devices from multiple major brands are affected, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, Xiaomi and others that rely on Fast Pair. No physical access to the headset or speaker is required; it only needs to be powered on and within Bluetooth range.
From eavesdropping to tracking: security and privacy impact
Once a stealth pairing has succeeded, the attacker gains extensive control over the audio device. They can connect to the headphones, change volume levels (for example, abruptly raising the volume to cause discomfort or distraction), and—on models that support it—silently activate the built‑in microphone to capture nearby conversations.
This creates a significant risk in offices, meeting rooms, shared workspaces and other environments where Bluetooth headsets are used for discussing confidential business or personal information. The same threat model applies to professions that regularly handle sensitive data in public spaces, such as journalists, lawyers and healthcare professionals.
Beyond eavesdropping, WhisperPair also introduces a tracking vector through the Find Hub network used by Google’s device-finding ecosystem. Researchers demonstrated that if a Fast Pair accessory has never been paired with an Android device before, an attacker can silently add it to their own account and then use it as a tracker. The legitimate owner may only receive an “unwanted tracking” notification after several hours or even days, and the alert can misleadingly reference the victim’s own device, making it easy to dismiss as a glitch.
Scope of CVE-2025-36911 and industry response
According to the research team, WhisperPair potentially affects hundreds of millions of Bluetooth headphones and speakers worldwide. The scale is comparable to earlier large Bluetooth security incidents such as BlueBorne and KNOB, underscoring how deviations from protocol specifications in vendor implementations can create systemic risks.
Google has acknowledged the issue, assigned the identifier CVE-2025-36911, and awarded the researchers the maximum bounty for this class of vulnerability—USD 15,000—under its bug bounty program. Together with manufacturers, Google has prepared firmware updates, but patches are not yet available for all models. As is often the case, older or low-cost devices are at particular risk of never receiving a security update.
How to protect Bluetooth accessories from the WhisperPair exploit
At this time, the only comprehensive mitigation against WhisperPair is to install updated firmware provided by the accessory manufacturer. Users should regularly check for updates in vendor apps (such as those from JBL, Sony, Jabra and others) or in system settings if the accessory supports over‑the‑air (OTA) firmware updates.
It is important to note that disabling Google Fast Pair on an Android phone does not remove the vulnerability, because the flaw resides in the accessory’s firmware. Even with Fast Pair turned off on the handset, a vulnerable headset or speaker can still be forcibly paired by an attacker using another device.
In addition to installing firmware updates, the following risk-reduction practices are advisable:
- Avoid leaving Bluetooth headsets and speakers unattended in public or semi-public spaces.
- Watch for unexpected behavior such as sudden volume changes, unexplained connections, or audio interruptions.
- Regularly review the list of paired devices on phones, laptops and tablets, and remove any unknown or unused entries.
- For organizations, include Bluetooth accessories in asset inventories, threat models and patch management processes, and prioritize vendors with transparent, long-term security support policies.
WhisperPair (CVE-2025-36911) illustrates that seemingly secondary devices—wireless earbuds, speakers and other accessories—can become a critical weak link in overall cybersecurity. Consistently updating firmware, paying attention to tracking alerts, and selecting products with clear security support commitments significantly reduces the risk of Bluetooth hijacking and tracking, both for individual users and for organizations that rely on wireless audio in daily operations.