WhisperPair Vulnerability: Millions of Bluetooth Devices at Risk

Jim Gagnard

Board Advisor

January 20, 2026 3 min read

TL;DR

  • A critical vulnerability named WhisperPair has been found in Google's Fast Pair protocol, impacting millions of Bluetooth audio devices from major brands. Attackers can exploit this flaw to eavesdrop on conversations, track user locations, and play audio without consent. Users should immediately check for and install firmware updates from manufacturers to protect their devices.

Critical Vulnerability: WhisperPair Attack on Google Fast Pair Devices

A significant security flaw, dubbed WhisperPair, has been discovered in Google's Fast Pair protocol, impacting millions of Bluetooth audio devices. This vulnerability allows attackers to hijack devices, potentially eavesdrop on conversations, and track user locations. The flaw affects a wide range of devices, including those from Sony, JBL, and Xiaomi.

Technical Details of the WhisperPair Vulnerability

The vulnerability, tracked as CVE-2025-36911, stems from the improper implementation of the Fast Pair protocol. According to researchers at KU Leuven's Computer Security and Industrial Cryptography group, the Fast Pair specification requires Bluetooth devices to ignore pairing requests when not in pairing mode. However, many vendors have failed to enforce this check. This oversight allows unauthorized devices to initiate pairing without user consent.

The researchers explained that a "Seeker" (e.g., a phone) sends a message to the "Provider" (e.g., an accessory) to initiate pairing. The specification states that if the accessory is not in pairing mode, it should disregard such messages. Attackers can exploit this by using any Bluetooth-capable device to forcibly pair with vulnerable accessories.
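The provider-side check described above, as an added illustration that is not code from the researchers or from any vendor's firmware: a simplified model of a Fast Pair Provider that either enforces or skips the "ignore pairing messages outside pairing mode" rule. The state names, message fields and Bluetooth addresses are assumptions made for the simulation.

```python
from dataclasses import dataclass, field
from enum import Enum


class ProviderState(Enum):
    IDLE = "idle"              # powered on, not advertising for new pairings
    PAIRING_MODE = "pairing"   # the owner pressed the pairing button
    CONNECTED = "connected"    # bonded with a Seeker


@dataclass
class PairingRequest:
    """Seeker -> Provider pairing message (field is assumed, not the spec's wire format)."""
    seeker_addr: str


@dataclass
class Provider:
    name: str
    enforce_pairing_mode: bool = True   # False models WhisperPair-affected firmware
    state: ProviderState = ProviderState.IDLE
    bonded: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def enter_pairing_mode(self) -> None:
        self.state = ProviderState.PAIRING_MODE

    def handle_pairing_request(self, req: PairingRequest) -> bool:
        """Return True if the Provider accepts and bonds, False if it discards the message."""
        if self.enforce_pairing_mode and self.state is not ProviderState.PAIRING_MODE:
            # Spec-compliant behaviour: disregard the message outside pairing mode.
            self.events.append(f"discarded pairing request from {req.seeker_addr}")
            return False
        # Vulnerable firmware reaches this point even when idle: any Seeker can bond.
        self.bonded.append(req.seeker_addr)
        self.state = ProviderState.CONNECTED
        self.events.append(f"bonded with {req.seeker_addr}")
        return True


def simulate(enforce: bool) -> dict:
    """Unsolicited request while idle, then a legitimate one after the button press."""
    p = Provider("headset", enforce_pairing_mode=enforce)
    unsolicited = p.handle_pairing_request(PairingRequest("AA:BB:CC:00:00:01"))  # constructed
    p.enter_pairing_mode()
    legit = p.handle_pairing_request(PairingRequest("AA:BB:CC:00:00:02"))        # constructed
    return {"unsolicited_accepted": unsolicited, "legit_accepted": legit, "events": p.events}
```

Running `simulate(False)` shows the idle accessory bonding with the unsolicited Seeker, while `simulate(True)` discards it and only bonds after the owner enters pairing mode.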

Attack Vectors and Potential Risks

Attackers can exploit the WhisperPair flaw using devices like laptops or even a Raspberry Pi to pair with vulnerable accessories from various manufacturers, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi. The attack range extends up to 14 meters and can be executed within seconds without user interaction.

Successful exploitation grants attackers control over the audio device, enabling them to:

  • Play audio at high volumes.
  • Eavesdrop on conversations through the device's microphone.
  • Track the victim's location using Google's Find Hub network if the accessory has not been paired with an Android device.

Detection Challenges and User Confusion

One of the critical challenges of WhisperPair is its stealth. Victims might receive an "unwanted tracking" notification, but it will display their own hijacked accessory, potentially leading them to dismiss it as a bug. This misinterpretation allows attackers to maintain their covert connection for extended periods.

Vendor Responses and Patch Availability

Google awarded the researchers $15,000, the maximum possible bounty, and coordinated with manufacturers to release security patches. However, updates may not yet be available for all vulnerable devices.

Some vendors have confirmed patches for specific models:

  • Google: Pixel Buds Pro 2 (Patched)
  • Jabra: Elite 8 Active (Patched)
  • Logitech: Various (Patched)
  • JBL (Harman): Various (Patch "coming in weeks")

Sony and Marshall had no public comment at the time of reporting.

User Recommendations and Mitigation Strategies

The only defense against WhisperPair attacks is installing firmware updates from device manufacturers. Disabling Fast Pair on Android phones does not prevent the attack, as the feature cannot be disabled on the accessories themselves.

Users should:

  1. Immediately check for firmware updates via the companion app or support website for their specific device model.
  2. Apply available patches without delay.
  3. Remain aware of the potential risk for devices awaiting a fix.

Gopher Security's Zero-Trust Architecture

In light of vulnerabilities like WhisperPair, Gopher Security emphasizes the importance of a Zero-Trust cybersecurity architecture. Our AI-powered platform converges networking and security across devices, apps, and environments. By utilizing peer-to-peer encrypted tunnels and quantum-resistant cryptography, Gopher Security ensures robust protection against potential threats, mitigating risks associated with compromised devices and unauthorized access. Gopher Security offers a comprehensive solution that secures your digital infrastructure from endpoints to the cloud.

Take Action Now

Ensure your organization is protected against emerging threats. Explore Gopher Security's Zero-Trust solutions and contact us to learn how we can help you fortify your cybersecurity defenses.

Jim Gagnard

Board Advisor

30 years of CEO experience leading multiple $MM exits. Excellent operator managing large enterprise companies.
