WhisperPair: A New Bluetooth Threat Targeting Fast Pair Devices
WhisperPair (CVE-2025-36911) is a newly disclosed Bluetooth vulnerability affecting Fast Pair-enabled headphones and earbuds. Learn how the attack works, which devices are impacted, and how to stay protected.
Overview
A new Bluetooth security vulnerability known as WhisperPair has recently been disclosed, raising serious privacy concerns for users of wireless headphones, earbuds, and speakers. The flaw affects devices that implement Google Fast Pair, a feature designed to make Bluetooth pairing quick and effortless.
While Fast Pair improves usability, researchers discovered that many devices fail to properly verify whether they are in pairing mode. As a result, attackers within Bluetooth range may silently pair with a device without the owner’s knowledge.
What Is WhisperPair?
WhisperPair is a logic flaw in the way some Bluetooth accessories implement Google Fast Pair. The vulnerability has been assigned CVE-2025-36911 and was discovered by researchers from KU Leuven.
In a secure Bluetooth workflow, accessories should only accept pairing requests when explicitly placed into pairing mode by the user. However, many Fast Pair-enabled devices skip this validation step, allowing unauthorized pairing attempts to succeed.
This means an attacker nearby can potentially gain control over a victim’s audio device without any user interaction.
How the Attack Works
The attack does not require malware or physical access. An attacker only needs to be within Bluetooth range.
At a high level, the process looks like this:
- The attacker sends a crafted Fast Pair request.
- The vulnerable accessory accepts the request despite not being in pairing mode.
- The attacker completes the pairing process silently.
- The attacker gains the same access level as a legitimate paired device.
Once paired, the attacker may be able to inject audio, hijack playback, or misuse microphone capabilities depending on the hardware.
Devices Affected
Testing has shown that WhisperPair impacts a wide range of popular Bluetooth audio devices, including models from well-known manufacturers.
Examples include:
- Sony WH-1000XM series
- Google Pixel Buds
- JBL and Jabra wireless headphones
- Xiaomi and Nothing earbuds
- Anker Soundcore Liberty series
Because Fast Pair is widely adopted, the potential impact spans hundreds of millions of devices globally.
Why This Is a Serious Issue
WhisperPair stands out because of how quietly it can be exploited. Users may never notice that their device has been paired by someone else.
The risks include:
- Audio hijacking – attackers can play sounds through your headphones or speakers
- Eavesdropping – microphones may be misused in certain scenarios
- Privacy concerns – compromised devices could be linked to attacker-controlled accounts
The vulnerability exists in the accessory firmware, meaning both Android and non-Android users can be affected.
How to Protect Yourself
Until all affected devices receive firmware updates, users should take a few practical precautions.
Update Device Firmware
Check your manufacturer’s companion app or official website for firmware updates addressing Fast Pair security.
Disable Bluetooth When Not Needed
Turning off Bluetooth when not in use significantly reduces exposure to nearby attackers.
Avoid Leaving Devices Discoverable
Only enable pairing mode when actively pairing a new device.
Watch for Unusual Behavior
Unexpected audio playback or unknown paired devices can be warning signs.
Why WhisperPair Matters
WhisperPair highlights a recurring issue in modern device design: convenience features can introduce serious security risks if not implemented carefully.
As Bluetooth accessories become more integrated into daily life, enforcing strict pairing controls is essential. This vulnerability serves as a reminder that usability should never come at the cost of user privacy and security.
References & Further Reading
KU Leuven research summary on Fast Pair attacks
https://eng.kuleuven.be/en/news-calendar/news-items/hijacking-bluetooth-accessories-using-google-fast-pairMalwarebytes coverage on WhisperPair
https://www.malwarebytes.com/blog/news/2026/01/whisperpair-exposes-bluetooth-earbuds-and-headphones-to-tracking-and-eavesdroppingCVE record (CVE-2025-36911)
https://nvd.nist.gov/vuln/detail/CVE-2025-36911