WhisperPair Vulnerability: Millions of Bluetooth Devices at Risk

Jim Gagnard, Board Advisor

January 20, 2026 3 min read

TL;DR

A critical vulnerability named WhisperPair has been found in Google's Fast Pair protocol, impacting millions of Bluetooth audio devices from major brands. Attackers can exploit this flaw to eavesdrop on conversations, track user locations, and play audio without consent. Users should immediately check for and install firmware updates from manufacturers to protect their devices.

Critical Vulnerability: WhisperPair Attack on Google Fast Pair Devices

A significant security flaw, dubbed WhisperPair, has been discovered in Google's Fast Pair protocol, impacting millions of Bluetooth audio devices. This vulnerability allows attackers to hijack devices, potentially eavesdrop on conversations, and track user locations. The flaw affects a wide range of devices, including those from Sony, JBL, and Xiaomi.

Technical Details of the WhisperPair Vulnerability

The vulnerability, tracked as CVE-2025-36911, stems from incomplete implementations of the Fast Pair protocol by device vendors. According to researchers at KU Leuven's Computer Security and Industrial Cryptography group, the Fast Pair specification requires Bluetooth devices to ignore pairing requests when not in pairing mode. However, many vendors have failed to enforce this check. This oversight allows unauthorized devices to initiate pairing without user consent.

The researchers explained that a "Seeker" (e.g., a phone) sends a message to the "Provider" (e.g., an accessory) to initiate pairing. The specification states that if the accessory is not in pairing mode, it should disregard such messages. Attackers can exploit this by using any Bluetooth-capable device to forcibly pair with vulnerable accessories.
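As an added illustration (not code from the article, the KU Leuven researchers, or any vendor's firmware), the following C model shows the Provider-side check the Fast Pair specification calls for and the class of omission described above. The `provider` and `pairing_request` structs, the `seeker_id` field, and the assumption that pairing mode ends after one successful pairing are all constructed for this example; they are not the real Fast Pair message format or state machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a Fast Pair "Provider" (the accessory). The layout
 * below is invented for the example and is not the Fast Pair wire format. */

enum pair_result {
    PAIR_IGNORED = 0,   /* request dropped without changing state, as the spec requires */
    PAIR_ACCEPTED = 1   /* provider proceeds with pairing */
};

struct provider {
    bool pairing_mode;          /* true only while the user has put the device in pairing mode */
    char paired_seeker[32];     /* constructed: identity of the last accepted Seeker */
};

struct pairing_request {
    char seeker_id[32];         /* constructed: identifier of the Seeker sending the request */
};

static void record_seeker(struct provider *p, const struct pairing_request *req)
{
    strncpy(p->paired_seeker, req->seeker_id, sizeof p->paired_seeker - 1);
    p->paired_seeker[sizeof p->paired_seeker - 1] = '\0';
}

/* Vulnerable handler: accepts a pairing request whenever it arrives, never
 * consulting pairing_mode. This is the omission the article describes. */
enum pair_result handle_request_vulnerable(struct provider *p, const struct pairing_request *req)
{
    record_seeker(p, req);
    return PAIR_ACCEPTED;
}

/* Hardened handler: the specification's check. A request that arrives while
 * the accessory is not in pairing mode is discarded and no state changes.
 * Leaving pairing mode after one successful pairing is an assumption made
 * for this example, not something the article states. */
enum pair_result handle_request_hardened(struct provider *p, const struct pairing_request *req)
{
    if (!p->pairing_mode) {
        return PAIR_IGNORED;
    }
    record_seeker(p, req);
    p->pairing_mode = false;    /* assumed one-shot pairing window */
    return PAIR_ACCEPTED;
}

/* Run one request from an unknown Seeker against a fresh provider in the
 * given mode and report whether pairing happened. */
bool pairs_when(bool pairing_mode,
                enum pair_result (*handler)(struct provider *, const struct pairing_request *))
{
    struct provider p = { .pairing_mode = pairing_mode, .paired_seeker = "" };
    struct pairing_request req = { .seeker_id = "unknown-seeker" };   /* constructed */
    return handler(&p, &req) == PAIR_ACCEPTED;
}

/* Two back-to-back requests against the hardened provider that starts in
 * pairing mode: returns how many were accepted (expected: only the first). */
int hardened_accepted_of_two(void)
{
    struct provider p = { .pairing_mode = true, .paired_seeker = "" };
    struct pairing_request req = { .seeker_id = "unknown-seeker" };   /* constructed */
    int accepted = 0;
    accepted += handle_request_hardened(&p, &req) == PAIR_ACCEPTED;
    accepted += handle_request_hardened(&p, &req) == PAIR_ACCEPTED;
    return accepted;
}

int main(void)
{
    printf("vulnerable, not in pairing mode: %s\n",
           pairs_when(false, handle_request_vulnerable) ? "paired" : "ignored");
    printf("hardened,   not in pairing mode: %s\n",
           pairs_when(false, handle_request_hardened) ? "paired" : "ignored");
    printf("hardened,   in pairing mode:     %s\n",
           pairs_when(true, handle_request_hardened) ? "paired" : "ignored");
    printf("hardened, accepted of two:       %d\n", hardened_accepted_of_two());
    return 0;
}
```

The point of the contrast is that the fix is a single state check in the accessory, which is why the article notes that disabling Fast Pair on the phone does nothing: the Seeker is not where the check lives.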

Attack Vectors and Potential Risks

Attackers can exploit the WhisperPair flaw using devices like laptops or even a Raspberry Pi to pair with vulnerable accessories from various manufacturers, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi. The attack range extends up to 14 meters and can be executed within seconds without user interaction.

Successful exploitation grants attackers control over the audio device, enabling them to:

  • Play audio at high volumes
  • Eavesdrop on conversations through the device's microphone
  • Track the victim's location using Google's Find Hub network if the accessory hasn't been paired with an Android device

Detection Challenges and User Confusion

One of the critical challenges of WhisperPair is its stealth. Victims might receive an "unwanted tracking" notification, but it will display their own hijacked accessory, potentially leading them to dismiss it as a bug. This misinterpretation allows attackers to maintain their covert connection for extended periods.

Vendor Responses and Patch Availability

Google awarded the researchers $15,000, the maximum possible bounty, and coordinated with manufacturers to release security patches. However, updates may not yet be available for all vulnerable devices.

Some vendors have confirmed patches for specific models:

  • Google: Pixel Buds Pro 2 (Patched)
  • Jabra: Elite 8 Active (Patched)
  • Logitech: Various (Patched)
  • JBL (Harman): Various (Patch "coming in weeks")

Sony and Marshall had no public comment at the time of reporting.

User Recommendations and Mitigation Strategies

The only defense against WhisperPair attacks is installing firmware updates from device manufacturers. Disabling Fast Pair on Android phones does not prevent the attack, as the feature cannot be disabled on the accessories themselves.

Users should:

  1. Immediately check for firmware updates via the companion app or support website for their specific device model.
  2. Apply available patches without delay.
  3. Remain aware of the potential risk for devices awaiting a fix.

Gopher Security's Zero-Trust Architecture

In light of vulnerabilities like WhisperPair, Gopher Security emphasizes the importance of a Zero-Trust cybersecurity architecture. Our AI-powered platform converges networking and security across devices, apps, and environments. By utilizing peer-to-peer encrypted tunnels and quantum-resistant cryptography, Gopher Security ensures robust protection against potential threats, mitigating risks associated with compromised devices and unauthorized access. Gopher Security offers a comprehensive solution that secures your digital infrastructure from endpoints to the cloud.

Take Action Now

Ensure your organization is protected against emerging threats. Explore Gopher Security's Zero-Trust solutions and contact us to learn how we can help you fortify your cybersecurity defenses.

Jim Gagnard (Board Advisor) has 30 years of CEO experience leading multiple $MM exits and is an experienced operator of large enterprise companies.
