
Critical WhisperPair flaw lets hackers track, eavesdrop via Bluetooth audio devices

Published: 15 January 2026 at 16:13:54

Alert date: 16 January 2026 at 07:00:54

Source: bleepingcomputer.com


Mobile & IoT, Zero-Day Vulnerabilities

A critical vulnerability in Google's Fast Pair protocol allows attackers to hijack Bluetooth audio accessories like wireless headphones and earbuds. The flaw enables threat actors to track users and eavesdrop on their conversations through compromised Bluetooth devices. This represents a significant privacy and security risk for users of Bluetooth audio accessories that utilize Google's Fast Pair technology for easy device pairing.

Technical details

The WhisperPair vulnerability affects implementations of Google's Fast Pair protocol in Bluetooth audio devices. The flaw is an implementation error: affected devices fail to enforce the specification requirement to ignore pairing requests when they are not in pairing mode. Attackers can exploit this by sending Fast Pair messages to vulnerable accessories, receiving replies from devices that should have ignored the requests, and then completing regular Bluetooth pairing. The attack works from up to 14 meters away, within seconds, and without user interaction. Once paired, attackers gain complete control over the audio device and can add unpaired devices to their Google account for location tracking via Google's Find Hub network.
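As an added illustration (not code from the advisory, Google, or any vendor), the C model below contrasts a handler that answers pairing requests in any state with one that enforces the pairing-mode check, together with a small conformance check a firmware test suite could run. All type and function names are hypothetical, and the model covers only requests that start a new pairing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not the Fast Pair API. */
typedef enum { MODE_IDLE, MODE_IN_USE, MODE_PAIRING } acc_mode_t;
typedef enum { ACT_IGNORE, ACT_REPLY } action_t;
typedef struct { acc_mode_t mode; unsigned ignored; } accessory_t;
typedef action_t (*handler_fn)(accessory_t *);

/* Flawed behaviour from the advisory: the reply does not depend on the mode. */
action_t handle_request_flawed(accessory_t *acc) {
    (void)acc;
    return ACT_REPLY;
}

/* Hardened: a request that starts a new pairing is answered only after the
   user has put the accessory into pairing mode; otherwise it is dropped. */
action_t handle_request_hardened(accessory_t *acc) {
    if (acc->mode != MODE_PAIRING) {
        acc->ignored++;              /* counter a test or telemetry can read */
        return ACT_IGNORE;
    }
    return ACT_REPLY;
}

/* Conformance check: run the handler in every mode and count the modes where
   it replies outside pairing mode or stays silent inside it. */
int count_violations(handler_fn handler) {
    const acc_mode_t modes[] = { MODE_IDLE, MODE_IN_USE, MODE_PAIRING };
    int violations = 0;
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        accessory_t acc = { modes[i], 0 };
        bool replied = handler(&acc) == ACT_REPLY;
        if (replied != (modes[i] == MODE_PAIRING))
            violations++;
    }
    return violations;
}

int main(void) {
    printf("flawed:   %d violation(s)\n", count_violations(handle_request_flawed));
    printf("hardened: %d violation(s)\n", count_violations(handle_request_hardened));
    return 0;
}
```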

Mitigation steps:

Installing firmware updates from the device manufacturer is the only defense against the attack. Disabling Fast Pair on Android phones does not prevent the attack, since the feature cannot be disabled on the accessories themselves. Users should check with their device manufacturers for available security patches addressing CVE-2025-36911. Unwanted-tracking notifications that show your own device may indicate exploitation and should not be dismissed as bugs.

Affected products:

Google Fast Pair enabled devices
Jabra audio devices
JBL audio devices
Logitech audio devices
Marshall audio devices
Nothing audio devices
OnePlus audio devices
Sony audio devices
Soundcore audio devices
Xiaomi audio devices
Wireless headphones with Fast Pair
Wireless earbuds with Fast Pair
Wireless speakers with Fast Pair


This article was created with the assistance of AI technology by Perceptive.
