WhisperPair Flaw Enables Bluetooth Hijacking and Tracking
Take action: Update your Bluetooth headphones and speakers as soon as possible using the manufacturer's official app. Since this flaw lives on the accessory itself, disabling phone settings will not protect you from unauthorized pairing.
Researchers at KU Leuven report a flaw, dubbed WhisperPair, in Google's Fast Pair Bluetooth protocol.
The bug lets hackers take over Bluetooth audio devices such as headphones and speakers, and it affects thousands of products from brands like Sony, JBL, and Xiaomi.
The flaw, tracked as CVE-2025-36911 (CVSS score 7.1), arises because many devices do not follow the protocol's rules. Under the Fast Pair protocol, a device should ignore pairing requests whenever it is not in pairing mode. Many products accept such requests anyway, even when they are not in pairing mode. This lets a hacker start and finish a pairing process without the user ever knowing about it or touching the device.
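The accessory-side check at the heart of this flaw can be shown as a small state machine. The following is an added example, not code from the Fast Pair specification, KU Leuven, Google, or any device vendor: it models an accessory that accepts pairing requests in any state (the defect described above) beside one that only accepts them while the user has put it into pairing mode. The state names, the `PairingRequest` type and the peer identifiers are constructed for illustration.

```python
"""Simplified model of an accessory's pairing-request handling (added example,
not the Fast Pair spec or any vendor's firmware). It contrasts the defective
behaviour (accept in any state) with the protocol-compliant behaviour (accept
only in pairing mode) and keeps a log of rejected requests for later review."""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()          # powered on, not accepting new pairings
    PAIRING_MODE = auto()  # user explicitly put the device into pairing mode
    PAIRED = auto()        # a peer has been bonded; pairing mode has closed


@dataclass
class PairingRequest:
    peer: str  # constructed identifier for the requesting device


@dataclass
class Accessory:
    compliant: bool                      # True = follow the protocol rule
    state: State = State.IDLE
    paired_peers: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # audit trail of refused requests

    def enter_pairing_mode(self) -> None:
        """The user presses the pairing button; only now may pairing be accepted."""
        self.state = State.PAIRING_MODE

    def handle_request(self, req: PairingRequest) -> bool:
        """Return True if the request was accepted and a bond created."""
        if self.compliant and self.state is not State.PAIRING_MODE:
            # Protocol-compliant path: ignore requests outside pairing mode.
            self.rejected.append(f"rejected {req.peer} while {self.state.name}")
            return False
        # Defective accessories fall through here in every state, so a request
        # that arrives while the device is IDLE completes a bond silently.
        self.paired_peers.append(req.peer)
        self.state = State.PAIRED  # pairing mode closes once a bond is made
        return True


def simulate_unsolicited_request(compliant: bool) -> tuple[bool, list[str]]:
    """Send one request to a device the user never put into pairing mode.

    Returns (accepted, paired_peers) so the two behaviours can be compared."""
    device = Accessory(compliant=compliant)
    accepted = device.handle_request(PairingRequest("unknown-peer"))  # constructed
    return accepted, device.paired_peers


def simulate_user_initiated_pairing() -> tuple[bool, bool]:
    """Compliant device: request accepted only after the user enters pairing
    mode, and a second request after bonding is refused because the mode closed."""
    device = Accessory(compliant=True)
    device.enter_pairing_mode()
    first = device.handle_request(PairingRequest("user-phone"))  # constructed
    second = device.handle_request(PairingRequest("another-peer"))  # constructed
    return first, second


if __name__ == "__main__":
    print("defective :", simulate_unsolicited_request(compliant=False))
    print("compliant :", simulate_unsolicited_request(compliant=True))
    print("user flow :", simulate_user_initiated_pairing())
```

The important difference is the single state check in `handle_request`: the defective path bonds an unknown peer while the device sits idle, which is exactly the condition under which a user would have no reason to suspect anything. The `rejected` list stands in for the kind of accessory-side logging that would let a manufacturer's app surface refused pairing attempts to the user.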
Hackers can use a laptop or a Raspberry Pi to break in from up to 14 meters away. The attack takes about 10 seconds. Once they link to the device, they have full control: they can play sounds or listen in on conversations through the device's microphone. They do not need to be near the user to do this. The following data and functions are exposed:
- Microphone audio and private conversations
- Device location via the Find Hub network
- Control over audio playback and volume
- Google account association
The bug also lets hackers track users through Google's Find Hub network. If a user has never linked their device to an Android phone, a hacker can add the device to their own Google account. The victim might later see a tracking alert, but it will show their own device, so many users might dismiss it as a glitch, letting the hacker keep tracking them for a long time.
Google worked with manufacturers to release patches during a 150-day window. Users must install firmware updates from the device manufacturer to fix the flaw. Turning off Fast Pair on the phone does not stop the attack, because the flaw is on the accessory (mostly headphones). Users should check for updates through the official app for their headphones or speakers.