WhisperPair: Millions of Bluetooth Devices at Risk from New Cyber Attack
Security researchers have uncovered a critical vulnerability in the Google Fast Pair protocol that allows hackers to hijack wireless headphones, track users, and eavesdrop on their conversations. The attack, codenamed "WhisperPair", affects hundreds of millions of devices from top brands including Sony, Anker, Google, and JBL.
⚠️ CRITICAL SECURITY ALERT
If you use wireless headphones or earbuds with Google Fast Pair support, you may be vulnerable to this attack. Check immediately for available firmware updates from your manufacturer.
Vulnerability in Google Fast Pair Protocol - Allows unauthorized connection and surveillance
▶️ What Is WhisperPair?
WhisperPair is a series of attacks discovered by researchers at KU Leuven (Belgium), who identified a critical security flaw in the way many Bluetooth audio accessories implement the Google Fast Pair protocol.
Google Fast Pair is a technology that enables quick pairing and account synchronization with Bluetooth accessories like earbuds, headphones, and speakers, with just a single tap. However, many manufacturers have not properly implemented the protocol's security specifications.
The Fast Pair specification requires that the pairing process should only take place when the accessory is in pairing mode. However, many devices fail to check this state, allowing attackers to initiate the pairing process without the user's consent or knowledge.
The researchers describe four consequences of a successful attack:
- Device hijacking: attackers can take full control of your headphones
- Conversation eavesdropping: recording conversations through the device's microphone
- Location tracking: tracking users via the Google Find Hub network
- Audio playback: ability to play audio at high volume
❓ How the Attack Works
The WhisperPair attack exploits a logic flaw in the key-based pairing code, where devices fail to verify whether they are in pairing mode before accepting connection requests.
Attack Steps:
- Discovery: The attacker uses a Bluetooth-capable device (laptop, Raspberry Pi, or smartphone) to locate vulnerable devices within a range of up to 14 meters
- Initiating Pairing: Sends a Fast Pair message to the accessory requesting pairing — vulnerable devices don't check if they are in pairing mode
- Completing Connection: Within seconds, the attacker completes the process and gains full control
- Exploitation: Can listen to conversations, play audio, or track the victim's location
Most concerning is that the attack requires no user interaction and can be carried out without physical access to the device. Furthermore, it affects users regardless of operating system — both Android and iPhone users with vulnerable Bluetooth devices are equally at risk.
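To make the missing check concrete, here is an added example (not code from the KU Leuven researchers or from any vendor's firmware) modelling how a Fast Pair accessory decides whether to honour a key-based pairing request. The state names, the 60-second pairing window and the function names are assumptions for illustration; the point is that the vulnerable handler never consults the device state, while the hardened one only accepts a request inside a pairing window the user opened.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical accessory ("Provider") state: idle/worn vs. deliberately in pairing mode. */
typedef enum { PROV_IDLE, PROV_PAIRING_MODE } prov_state_t;

typedef struct {
    prov_state_t state;
    uint32_t pairing_mode_left_s;   /* seconds of pairing mode remaining */
} provider_t;

#define PAIRING_MODE_WINDOW_S 60u   /* assumed length of the user-opened window */

/* The user holds the pairing button: pairing mode opens for a bounded time. */
void prov_user_pressed_pair_button(provider_t *p) {
    p->state = PROV_PAIRING_MODE;
    p->pairing_mode_left_s = PAIRING_MODE_WINDOW_S;
}

/* Time passes; pairing mode closes on its own once the window expires. */
void prov_tick(provider_t *p, uint32_t elapsed_s) {
    if (p->state != PROV_PAIRING_MODE) return;
    if (elapsed_s >= p->pairing_mode_left_s) {
        p->pairing_mode_left_s = 0;
        p->state = PROV_IDLE;
    } else {
        p->pairing_mode_left_s -= elapsed_s;
    }
}

/* Vulnerable pattern described in the article: the request itself is
 * validated elsewhere, but nothing asks whether the accessory is in
 * pairing mode, so a request arriving while the user wears the device
 * is honoured just the same. */
bool kbp_accept_vulnerable(const provider_t *p, bool request_asks_to_pair) {
    (void)p;                         /* device state is never consulted */
    return request_asks_to_pair;
}

/* Hardened pattern: a pairing request is honoured only while the user
 * has put the accessory into pairing mode, and that window times out. */
bool kbp_accept_hardened(const provider_t *p, bool request_asks_to_pair) {
    return request_asks_to_pair && p->state == PROV_PAIRING_MODE;
}
```

The firmware fix the article asks users to install amounts to adding the state check in `kbp_accept_hardened`; the bounded window additionally limits how long even a legitimate pairing mode stays open.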
🔍 Which Devices Are Affected?
The vulnerability affects hundreds of millions of wireless headphones, earbuds, and speakers from numerous manufacturers. The researchers note that the vulnerable implementations passed manufacturer quality testing and Google's certification process, indicating a chain of failures in compliance checking.
Important: The list of affected devices is not yet complete. The researchers have published the list of vulnerable models identified so far on the official whisperpair.eu website so users can check their own devices.
🔎 Location Tracking via Find Hub
Beyond eavesdropping, WhisperPair can also be used for location tracking. If the victim's headphones support the Google Find Hub network and have never been paired with an Android device, the attacker can add them to their own Google account.
"The victim may see an unwanted tracking notification after several hours or days, but this notification will point to their own device," the researchers explain. "This may lead users to dismiss the warning as a bug, allowing the attacker to continue tracking the victim for an extended period."
⏰ Disclosure Timeline
- Report to Google: KU Leuven researchers notify Google about the vulnerability through the bug bounty program
- Patch development period: Google collaborates with manufacturers to develop security patches
- Public disclosure: Google releases a security update for Pixel devices and the researchers publish their findings
Google awarded the researchers $15,000 — the maximum possible reward — for their discovery. However, the researchers note that security updates may not yet be available for all vulnerable devices.
🛡️ How to Protect Yourself
- Update your firmware: Check your manufacturer's website for available security updates and install them immediately
- Use the companion app: Many brands like Sony, JBL, and Jabra offer apps that notify you of available updates
- Check your connections: In your phone's Bluetooth settings, check which devices are connected
- Avoid public places: In crowded areas, attackers can more easily exploit the vulnerability
- Visit whisperpair.eu: Check if your model is included in the list of vulnerable devices
⚠️ Important Note
Disabling Fast Pair on your Android phone DOES NOT prevent the attack, as the feature cannot be disabled on the accessories themselves. The only effective solution is installing firmware updates from the manufacturer.
❓ Why This Matters
This vulnerability highlights a broader problem in IoT device security. Despite manufacturers passing Google's certification tests, insecure implementations continued to reach the market at scale.
"This reveals a chain of compliance failures in Google Fast Pair, as the vulnerability went undetected at all three levels: implementation, validation, and certification," the researchers note.
Because the removal of the 3.5mm headphone jack from smartphones pushed users toward Bluetooth audio, these vulnerabilities are all the more concerning. Earlier attacks such as BlueBorne, BLUFFS, and KNOB had already exposed security gaps in Bluetooth.
Conclusions
The WhisperPair vulnerability poses a serious threat to the privacy of millions of wireless headphone users worldwide. While Google and manufacturers are working to fix the issue, security depends on device firmware updates — something many users overlook or skip.
If you use wireless headphones or earbuds, check immediately for available updates and visit the whisperpair.eu website to see if your device is affected.