Update your Bluetooth headphones now: Google Fast Pair “WhisperPair” bug risks eavesdropping and tracking

January 16, 2026

BRUSSELS, Jan 16, 2026, 10:29 CET

  • Researchers at KU Leuven revealed “WhisperPair” attacks capable of silently taking over certain Fast Pair earbuds, headphones, and speakers
  • The affected devices include major consumer brands, impacting both iPhone and Android users alike
  • These fixes rely on firmware updates from manufacturers, yet many users never actually apply them

Researchers from Belgium’s KU Leuven have revealed a series of attacks dubbed “WhisperPair” targeting vulnerabilities in certain Bluetooth audio devices using Google’s Fast Pair feature. The flaws let attackers nearby connect without permission, hijack audio streams, and sometimes even convert the devices into location-tracking tools. (Kuleuven)

Researchers revealed to WIRED that they uncovered security flaws in 17 Fast Pair audio devices across 10 brands, such as Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google. KU Leuven’s Sayon Duttagupta claimed, “In less than 15 seconds, we can hijack your device.” (WIRED)

The main issue is straightforward: the patch typically comes as a firmware update via the manufacturer’s app, which many users never install. A Google spokesperson noted the company collaborated with researchers on these fixes and hasn’t observed any real-world exploitation beyond lab settings, but still urged users to keep their firmware up to date. (Gizmodo)

Fast Pair, launched in 2017, aims to simplify Bluetooth pairing to just a single tap. However, researchers point out that many accessories neglect a fundamental security step—they accept pairing requests even when not in “pairing mode,” which usually requires pressing a button. Since Fast Pair is integrated directly into the accessory, turning off prompts on the phone won’t fix the core problem. Firmware updates remain the primary way to address this vulnerability. (Whisperpair)

According to tests reported by 9to5Google, attackers can exploit everyday hardware like a laptop or Raspberry Pi to initiate an unauthorized pairing if an accessory bypasses the pairing-mode verification. Victims might only notice an “unwanted tracking” alert afterward, which traces back to their own device. (9to5Google)

The vulnerability, documented as CVE-2025-36911, carries a “High” severity rating in the GitHub Advisory Database. It has a CVSS 3.1 score of 7.1 and an “Adjacent” attack vector, indicating that an attacker must be within close proximity, like Bluetooth range, to exploit it. Importantly, no user interaction is needed. (GitHub)

On Jan. 15, the US National Vulnerability Database released the CVE entry classifying it as an information disclosure flaw. This vulnerability arises from a logic error in “key-based pairing,” potentially revealing users’ conversations and location. (NVD)

The researchers’ device list identifies certain models as vulnerable, naming Sony’s WH-1000XM6 and WH-1000XM5 headphones, Google’s Pixel Buds Pro 2, JBL’s Tune Beam, Xiaomi’s Redmi Buds 5 Pro, and Nothing’s Ear (a). Meanwhile, other products like Apple’s Beats Solo Buds are marked as not vulnerable in their tests. (Whisperpair)

It’s still unclear if Google’s software patches for the Find Hub tracking issue really work. Engadget noted that Google pushed a fix to stop tracking misuse through Find Hub, yet researchers quickly uncovered a way around it. (Engadget)

Ars Technica revealed that the bug impacts over a dozen device models spanning 10 manufacturers, including Google’s earbuds. They cautioned that the vulnerability might persist for some time if users and vendors delay applying patches. (Arstechnica)
