WhisperPair Flaw Lets Hackers Hijack Sony, Google Headphones
Critical Google Fast Pair vulnerability affects millions of wireless audio devices from major manufacturers. Attackers can eavesdrop on calls within Bluetooth range.
Security researchers at KU Leuven discovered a critical vulnerability in Google's Fast Pair protocol that lets attackers hijack Bluetooth headphones, earbuds, and speakers within range. Tracked as CVE-2025-36911 and dubbed "WhisperPair," the flaw affects at least 17 audio devices from 10 major manufacturers including Sony, Google, JBL, and Jabra.
Within 10 to 15 seconds, an attacker standing within Bluetooth range—about 50 feet—can silently take control of your audio accessories. From there, they can track your location, disrupt audio playback, and record phone calls and ambient conversations through the device microphone.
What Makes WhisperPair Dangerous
Google Fast Pair is designed to simplify Bluetooth pairing. Instead of manually searching for devices and entering PINs, Fast Pair uses Bluetooth Low Energy beacons to detect nearby accessories and initiate pairing automatically.
The protocol includes security measures to prevent unauthorized pairing. Specifically, devices should ignore pairing requests when they're not in pairing mode. But researchers found that 68% of tested devices fail to enforce this check in practice.
By sending crafted Bluetooth packets, attackers can force a pairing handshake even when the device isn't actively looking for new connections. Once paired, the attacker gains the same capabilities as the legitimate owner—including microphone access.
From the researchers: "On every device that could be hijacked, researchers successfully gained access to the microphone."
The vulnerability exists in the accessories themselves, not the smartphones they connect to. This means iPhone users with vulnerable Bluetooth devices are equally at risk, despite Fast Pair being an Android feature.
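The missing accessory-side check described above, as an added example that is not from the article, the researchers, or any vendor firmware. It is a simplified model of a pairing-request handler, shown first without the state check and then with it. All type and function names are hypothetical, and the time-limited pairing window is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified accessory model; names are hypothetical, not Fast Pair fields. */
typedef enum { PAIR_IGNORED, PAIR_ACCEPTED } pair_result_t;

typedef struct {
    bool     pairing_mode;     /* set only by a user action on the device   */
    uint32_t pairing_deadline; /* tick at which the window closes (assumed) */
    int      bonded_peers;     /* hosts that completed pairing              */
} accessory_t;

/* User action (e.g. button hold) opens a time-limited pairing window. */
void enter_pairing_mode(accessory_t *a, uint32_t now, uint32_t window_ticks) {
    a->pairing_mode = true;
    a->pairing_deadline = now + window_ticks;
}

/* Behaviour the article describes: the request is processed in any state. */
pair_result_t handle_pair_request_vulnerable(accessory_t *a, uint32_t now) {
    (void)now;
    a->bonded_peers++;
    return PAIR_ACCEPTED;
}

/* Hardened: check device state before any handshake work is done. */
pair_result_t handle_pair_request_hardened(accessory_t *a, uint32_t now) {
    /* Close an expired window first (wrap-safe tick comparison). */
    if (a->pairing_mode && (int32_t)(now - a->pairing_deadline) >= 0)
        a->pairing_mode = false;
    if (!a->pairing_mode)
        return PAIR_IGNORED;      /* drop silently, change no state */
    a->pairing_mode = false;      /* one pairing per user action */
    a->bonded_peers++;
    return PAIR_ACCEPTED;
}

int main(void) {
    accessory_t idle = {0};       /* constructed state: never in pairing mode */
    printf("vulnerable, idle: %d\n", handle_pair_request_vulnerable(&idle, 100));
    idle.bonded_peers = 0;
    printf("hardened, idle:   %d\n", handle_pair_request_hardened(&idle, 100));
    return 0;
}
```

The hardened handler also treats the pairing window as single-use and expiring, so a request that arrives after the owner has finished pairing is ignored as well.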
Affected Devices
Researchers confirmed the vulnerability in flagship products from major audio brands:
Sony:
- WH-1000XM6, WH-1000XM5, WH-1000XM4 (headphones)
- WF-1000XM5 (earbuds)
Google:
- Pixel Buds Pro 2
Other manufacturers:
- Nothing Ear (a)
- OnePlus Nord Buds 3 Pro
- Jabra Elite 8 Active
- Products from JBL, Marshall, Soundcore, Logitech, and Xiaomi
The full list likely extends beyond tested devices. Any Bluetooth accessory using vulnerable Fast Pair implementations could be affected.
Attack Scenarios
The practical implications vary by context:
Public spaces: Attackers in coffee shops, airports, or public transit could target anyone wearing compatible headphones. Ambient recording captures not just the victim's voice but nearby conversations—potentially including business discussions, personal calls, or sensitive information.
Corporate environments: Office settings where multiple employees use vulnerable devices present concentrated targets. An attacker in an adjacent building or parking lot could potentially access audio from meeting rooms.
Physical surveillance: Unlike network-based attacks, WhisperPair requires proximity. But that constraint also means attackers can target specific individuals by following them within Bluetooth range.
Location tracking: Google's Find Hub feature works through paired devices. Hijacked accessories can reveal a victim's location history and current position.
Patches and Mitigations
Google awarded the researchers $15,000—the maximum bounty—and coordinated a 150-day disclosure window with manufacturers. Some devices have received firmware updates:
- Google says Pixel Buds are "already patched and protected"
- Other manufacturers are rolling out updates at varying speeds
The only defense is installing firmware updates from your device manufacturer. For many Bluetooth accessories, this requires connecting to a companion app and manually triggering the update. Unlike smartphones that receive automatic patches, audio device firmware often languishes unless owners actively maintain it.
If your device hasn't received an update—or if the manufacturer hasn't announced one—assume it remains vulnerable. Some products may never receive fixes, particularly older models or devices from manufacturers with poor security track records.
Why This Matters
Bluetooth vulnerabilities traditionally require complex attacks or specific conditions. WhisperPair stands out because the attack is fast, reliable, and grants immediate access to microphones.
The scope is massive. Google Fast Pair has shipped on billions of devices. Even if only a fraction remain vulnerable after patches roll out, that's millions of potential targets. And the attack requires nothing more than a laptop with a Bluetooth adapter and the right software.
For enterprises, this vulnerability reinforces that personal devices brought into corporate environments represent security risks that extend beyond traditional BYOD concerns. Headphones aren't typically covered by mobile device management policies, but they can absolutely leak sensitive audio.
For individuals, the advice is straightforward: update your Bluetooth device firmware, and be aware that wireless audio accessories can be targeted by attackers in your physical vicinity.