Your Bluetooth headphones could be vulnerable to attack - here's what to do next

Image: Google Pixel Buds Pro 2 with case open (ZDNET)



ZDNET's key takeaways

  • WhisperPair is a family of vulnerabilities in accessory-side implementations of Google's Fast Pair, the protocol used to pair phones with headphones, earbuds, and other audio products.
  • An attacker in Bluetooth range can pair with a vulnerable accessory without the owner's involvement, take control of it, tamper with controls, and potentially listen in through its microphones.
  • Many vendors have released firmware patches, but some devices are still vulnerable.

Researchers have disclosed WhisperPair, a family of vulnerabilities in how many headphones, earbuds, and other audio products implement a protocol commonly used to pair them with Bluetooth devices.


What is WhisperPair?

As first reported by Wired, WhisperPair was uncovered by a team of researchers from KU Leuven in Belgium, supported by the Belgian government's Cybersecurity Research Program.

The findings relate to the improper implementation of Google's Fast Pair protocol, which enables one-tap pairing and account synchronization across Bluetooth accessories. If the protocol hasn't been implemented correctly, a security flaw is introduced that "allows an attacker to hijack devices and track victims using Google's Find Hub network," according to the researchers.


The researchers reported the vulnerability privately to Google in August 2025. It was assigned CVE-2025-36911 and given a critical rating; a 150-day disclosure window was agreed on, and a bug bounty of $15,000 was awarded.

How does WhisperPair work?

WhisperPair exists because many audio accessories skip a "critical step" in the Fast Pair flow. In Fast Pair, a "seeker" -- typically a Bluetooth-enabled phone -- sends a message containing a pairing request to a "provider," the audio accessory.

The Fast Pair protocol specifies that a provider should ignore such pairing requests when it is not in pairing mode, that is, when the owner has not deliberately put the accessory into a pairable state. Many accessories never perform this check, so any nearby device can initiate pairing without the owner's permission, and without the owner noticing.


"After receiving a reply from the vulnerable device, an attacker can finish the Fast Pair procedure by establishing a regular Bluetooth pairing," the researchers say.
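To make the missing check concrete, here is a simplified Python model of the provider side of the exchange described above. It is an added illustration, not code from the researchers, from Google, or from any accessory firmware: the message fields, the distinction between a request carrying a fresh public key and one carrying an account key the accessory already stores, and the `enforce_pairing_mode` switch are assumptions of this model (real Fast Pair messages are encrypted and carry more fields). The `enforce_pairing_mode=False` provider behaves like a WhisperPair-vulnerable accessory: it answers an unknown seeker even while idle, which is all an attacker needs to go on and complete a regular Bluetooth pairing.

```python
"""Illustrative model of the Fast Pair provider-side check that
WhisperPair-vulnerable accessories skip. Simplified assumptions, not
Google's Fast Pair code or any vendor's firmware."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class KeyBasedPairingRequest:
    """A seeker's pairing request (field names are this model's assumption).

    It carries either a fresh public key (a device the provider has never
    met) or an account key the provider already stores (a known phone
    reconnecting).
    """
    seeker_addr: str
    public_key: Optional[bytes] = None    # set for first-time pairing
    account_key: Optional[bytes] = None   # set for a previously paired seeker


@dataclass
class Provider:
    """A Bluetooth audio accessory, the Fast Pair 'provider'."""
    name: str
    pairing_mode: bool = False             # True only while the user holds the pair button
    enforce_pairing_mode: bool = True      # False models a vulnerable firmware build
    account_keys: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle_request(self, req: KeyBasedPairingRequest) -> Optional[dict]:
        """Return a response (pairing may proceed) or None (request ignored)."""
        # A seeker presenting an account key this accessory already stores is a
        # known device reconnecting; that path is allowed outside pairing mode.
        if req.account_key is not None and req.account_key in self.account_keys:
            self.log.append(f"known seeker {req.seeker_addr}: responded")
            return {"status": "ok", "provider": self.name}

        # A fresh public key means a device the owner has never paired. The
        # protocol says to ignore it unless the accessory is in pairing mode.
        # Vulnerable firmware skips this check and answers anyway.
        if req.public_key is not None:
            if self.enforce_pairing_mode and not self.pairing_mode:
                self.log.append(
                    f"unknown seeker {req.seeker_addr}: ignored (not in pairing mode)")
                return None
            self.log.append(f"unknown seeker {req.seeker_addr}: responded")
            return {"status": "ok", "provider": self.name}

        self.log.append(f"{req.seeker_addr}: malformed request ignored")
        return None


def attacker_can_pair(provider: Provider) -> bool:
    """Model of the WhisperPair probe: an unknown seeker sends a fresh-key
    request while the accessory is idle and checks whether it gets any reply.
    Any reply lets the attacker finish with a normal Bluetooth pairing."""
    probe = KeyBasedPairingRequest(
        seeker_addr="AA:BB:CC:DD:EE:FF",          # constructed attacker address
        public_key=secrets.token_bytes(64),       # fresh, never-seen key
    )
    return provider.handle_request(probe) is not None


def demo() -> dict:
    """Compare an unpatched and a patched accessory, both idle."""
    vulnerable = Provider("earbuds-old-fw", enforce_pairing_mode=False)
    patched = Provider("earbuds-new-fw", enforce_pairing_mode=True)
    return {
        "vulnerable_idle": attacker_can_pair(vulnerable),
        "patched_idle": attacker_can_pair(patched),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `account_key` branch is that the fix is not "refuse everything outside pairing mode": the owner's own phone must still be able to reconnect silently, so the hardened provider only drops requests from seekers it has never seen. That is the check the spec asks for and the one vulnerable firmware omits.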

What can WhisperPair do?

If an attacker can covertly pair their own seeker with vulnerable headphones or earbuds, they gain full control over them, including the ability to tamper with controls such as volume. More seriously, they may be able to quietly record conversations picked up by the built-in microphones.

WhisperPair attacks were tested from up to 14 meters away and are conducted entirely over the air, with no physical access to the accessory required.


Unfortunately, it doesn't end there. If an accessory supports Google's Find Hub network but has not yet been registered to it, an attacker could, in theory, register the accessory to their own Google account and then track it, and with it the person carrying it. The victim may receive an unknown-tracker notification, but because the notification names the victim's own accessory, it is easy to dismiss as a false alarm.

What devices are impacted?

Headphones and audio accessories from companies including Google, Sony, Harman (JBL), and Anker are among those listed as vulnerable at the time of this writing. 

Because WhisperPair exploits a flaw in the accessory's own Fast Pair implementation rather than in the phone, Android users are not the only ones at risk: iPhone users with a vulnerable accessory are affected just the same.

How do I know if my device is vulnerable?

The research team has published a catalog of popular headphones, earbuds, and other audio accessories that have been tested. There's a useful search function you can use to check whether your product is on the list: browse or enter the vendor's name to view the status of the product you are interested in, and the directory will indicate whether it is vulnerable to WhisperPair attacks. 

What should I do next?

If your accessory is still labeled as vulnerable to this attack, first check whether a vendor patch is available. Even if your device is listed as "not vulnerable," take a moment to confirm it is up to date and has installed any pending firmware updates.

As the researchers note, "the only way to prevent WhisperPair attacks is to install a software patch issued by the manufacturer." You can check accompanying vendor apps or websites to see if anything is available, but if not, unfortunately, it is just a waiting game. If your accessory supports Find Hub but has not been paired with an Android device, the team says attackers could "track its location," so it should be updated as soon as a fix is available. 


Disabling Fast Pair on your smartphone, where that option exists, does not reduce the risk, because the vulnerable code runs on the accessory, not on the phone, and the attacker talks to the accessory directly.

"To the best of our knowledge, compatible accessories have Fast Pair enabled by default without an option to disable it," the researchers added. "The only way to prevent WhisperPair attacks is by performing a firmware update of the accessory."
