Endpoint Security
,
Internet of Things Security
‘WhisperPair’ Flaw Likely to Endure for Years
A hacker could secretly record phone conversations, track users’ locations and blast music through headphones due to a flaw in implementations of a Google-developed low-energy technology for discovering nearby Bluetooth devices.
See Also: IoT and Cloud Systems Face Escalating Cyber Risks Amid Global Instability
Researchers at the Belgium’s KU Leuven University Computer Security and Industrial Cryptography group disclosed this month that a smart device system called Fast Pair can allows attackers to forcibly pair a wireless accessory such as headphones or earbuds with an attacker-controlled device.
The team behind the disclosure dubbed the vulnerability “WhisperPair.” The flaw, tracked as CVE-2025-36911, lies in how many accessory manufacturers implement Fast Pair. Namely, researchers said, they allow devices to pair with accessories even if the accessory is not in pairing mode.
A WhisperPair attack “succeeds within seconds (a median of 10 seconds) at realistic ranges (tested up to 14 meters) and does not require physical access to the vulnerable device,” researchers said.
Vulnerable devices include audio accessories made by Sony, Jabra, Soundcore, Logitech and also Google. Updating a device’s operating system – including iOS – will not necessarily protect users against the vulnerability, since the flaw is in the accessory, researchers said. “The only way to prevent WhisperPair attacks is to install a software patch issued by the manufacturer,” they wrote.
Once a malicious device pairs with a device, attackers could manipulate the sound settings or turn the microphone on. “You’re walking down the street with your headphones on, you’re listening to some music. In less than 15 seconds, we can hijack your device,” KU Leuven researcher Sayon Duttagupta told Wired. “Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location.”
Product reviewers at The New York Times concluded that hackers likely wouldn’t capture much audio beyond a victim’s immediate phone conversation. Once headphones are off-ear “it’s unlikely that stray headphones could pick up your own voice, let alone a nearby conversation,” the Times reported.
Location tracking is a function of accessories compatible with Google’s device geolocation tracking feature, Find Hub. An attacker could pair an accessory not previously paired with an Android device, converting it into a tracking device. “The victim may see an unwanted tracking notification after several hours or days, but this notification will show their own device. This may lead users to dismiss the warning as a bug, enabling an attacker to keep tracking the victim for an extended period,” researchers wrote.
Google told Wired it hasn’t seen a WhisperPair exploited in the wild and that it’s updated Find Hub in Android to prevent attackers from using the flaw to track victims. Researchers told the magazine that the fix can be bypassed.
According to a timeline published by the researchers, they first contacted Google in August 2025, and agreed to a 150 day disclosure window.
Given the paucity of firmware updates applied to audio accessories – whether because users don’t bother or manufacturers don’t develop them – it’s likely that WhisperPair will persist as a vulnerability for years.