Researchers from the Cybersecurity and Industrial Cryptography team at KU Leuven have discovered a critical flaw in the Google Fast Pair protocol. The vulnerability allows attackers to hijack control of millions of Bluetooth devices, track users’ locations, and intercept conversations.
The issue, identified as CVE-2025-36911 and dubbed WhisperPair, affects hundreds of millions of wireless headphones and speakers from various manufacturers that support Fast Pair . The vulnerability affects the accessories themselves, not the smartphones, meaning that not only Android device owners, but also iPhone owners are vulnerable to this threat.
The root of the problem lies in the incorrect implementation of the Fast Pair protocol in many devices. Google’s specifications require Bluetooth devices to ignore pairing requests when not in pairing mode . However, many manufacturers have not implemented this mechanism in their products, allowing third-party devices to initiate pairing without the owner’s consent or knowledge.
“To initiate the Fast Pair process, the Seeker (phone) sends a message to the Provider (accessory) to indicate that it wishes to pair. According to the specifications, if the device is not in pairing mode, it should ignore such requests,” the researchers explain. ” However, in practice, many devices do not provide this control, allowing unauthorized devices to initiate the pairing process. After receiving a response from a vulnerable device, the attacker completes the Fast Pair process with a normal Bluetooth pairing.”
The WhisperPair attack can be exploited from any Bluetooth device: a laptop, a Raspberry Pi, or even a smartphone. The attacker forces pairing with vulnerable accessories from Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi at a distance of up to 14 meters. No user interaction or physical access is required.
Once paired, the attacker gains full control of the audio device and can turn up the volume or use the microphone to eavesdrop on conversations . Additionally, the CVE-2025-36911 vulnerability allows the victim’s location to be tracked via the Find Hub network. If the accessory has never been connected to the Android device, it can be added to the attacker’s account.
“The victim may receive an unwanted tracking notification hours or days later, but it will display their device,” the researchers write. “Users may mistake this for a mistake and ignore it, giving the attacker the opportunity to continue tracking for an extended period of time.”
Google has paid the maximum reward of $15,000 to the researchers who discovered this vulnerability. Google has worked with device manufacturers to develop patches, but these are not yet available for all vulnerable devices.
The only defense against attacks on Fast Pair devices is installing the latest firmware provided by the manufacturer. Even disabling Fast Pair on Android smartphones doesn’t solve the problem, as this feature can’t be disabled directly from the accessories.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
