ZDNET Highlights
- WhisperPair vulnerabilities affect the protocols for connecting devices and audio products.
- Attackers can take over an audio device, tamper with the controls, and potentially listen in on your conversation.
- Many vendors have released patches, but some devices are still vulnerable.
Researchers have uncovered WhisperPair, a family of vulnerabilities that affect protocols commonly used to pair headphones, earbuds and other audio products with Bluetooth devices.
What is WhisperPair?
As previously reported by Wired, WhisperPair was exposed by a team of researchers at KU Leuven University in Belgium, supported by the government’s Cybersecurity Research Programme.
The findings relate to the improper implementation of Google’s Fast Pair protocol, which enables one-tap pairing and account synchronization across Bluetooth accessories. According to the researchers, if the protocol is not implemented correctly, a security flaw is introduced that “allows an attacker to hijack devices and track victims using Google’s Find Hub network.”
The vulnerability research was reported privately to Google in August 2025 and a critical rating was issued under CVE-2025-36911. A 150-day disclosure window was agreed upon and a bug bounty of $15,000 was offered.
How does WhisperPair work?
WhisperPair occurs because many audio accessories skip a “critical step” during Fast Pair pairing. It works like this: A “seeker” – such as a Bluetooth-enabled mobile device – sends a message to an audio accessory “provider”. The message contains a pairing request.
While the Fast Pair protocol specifies that these messages should be ignored when an accessory is not in pairing mode, this check is not always performed, allowing unauthorized devices to initiate pairing without permission.
“After receiving a response from the vulnerable device, an attacker can accomplish the Fast Pair process by setting up a regular Bluetooth pairing,” the researchers say.
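The missing check described above, sketched as an added example (not code from the researchers, Google, or any vendor): a flawed request handler beside one that ignores requests outside pairing mode. The `provider` struct, the handler names, and the message bytes are hypothetical and constructed for illustration; they are not taken from the Fast Pair specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of an accessory ("provider"); not real firmware. */
typedef enum { REQ_IGNORED, REQ_ANSWERED } req_result;

typedef struct {
    bool in_pairing_mode; /* set only by a user action, e.g. a pairing button */
    unsigned answered;    /* pairing requests that received a response */
    unsigned dropped;     /* requests ignored; usable as a telemetry counter */
} provider;

/* Flawed: answers every seeker request, whatever state the accessory is in. */
req_result handle_request_flawed(provider *p, const uint8_t *msg, size_t len) {
    if (msg == NULL || len == 0)
        return REQ_IGNORED;
    p->answered++;
    return REQ_ANSWERED;
}

/* Corrected: a request is ignored unless the user enabled pairing mode. */
req_result handle_request_checked(provider *p, const uint8_t *msg, size_t len) {
    if (msg == NULL || len == 0 || !p->in_pairing_mode) {
        p->dropped++;
        return REQ_IGNORED;
    }
    p->answered++;
    /* Assumption of this sketch: one pairing per user action. */
    p->in_pairing_mode = false;
    return REQ_ANSWERED;
}

/* Sends the same constructed request n times; returns how many were answered. */
unsigned replay(req_result (*handler)(provider *, const uint8_t *, size_t),
                provider *p, unsigned n) {
    const uint8_t request[2] = { 0x00, 0x01 }; /* constructed sample bytes */
    unsigned hits = 0;
    for (unsigned i = 0; i < n; i++)
        if (handler(p, request, sizeof request) == REQ_ANSWERED)
            hits++;
    return hits;
}
```

A firmware regression test can assert that an idle accessory answers zero requests, and the `dropped` counter gives vendors a signal that unsolicited pairing attempts are reaching the device.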
What can WhisperPair do?
If an attacker can secretly pair their seeker with vulnerable headphones or earbuds, they can gain full control over them, including tampering with controls like volume. More importantly, they may be able to silently record conversations using the built-in microphone.
WhisperPair attacks have been tested at ranges up to 14 meters and can be conducted wirelessly.
Unfortunately, it doesn’t end here. If a device supports, but is not registered in, Google’s Find Hub network, attackers can, theoretically, register a target device to their own account and track the accessory – and its user. While an unexpected tracking notification will appear, only the user’s own device will be shown – and so this warning can be ignored.
Which devices are affected?
Headphones and audio accessories from companies including Google, Sony, Harman (JBL), and Anker are listed as unsafe at the time of this writing.
Because WhisperPair exploits a flaw in the Fast Pair implementation in Bluetooth accessories, Android devices aren’t the only ones at risk. iPhone users with vulnerable accessories are also affected.
How do I know if my device is unsafe?
The research team has published a list of popular headphones, earbuds, and other audio accessories that have been tested. There is a useful search function you can use to check if your product is on the list: Browse or enter the seller’s name to see the status of the product you are interested in, and the directory will indicate if it is vulnerable to WhisperPair attacks.
What should I do now?
If your accessory is still labeled as vulnerable to this attack, first check if a vendor patch is available. Even if your device is described as “not vulnerable”, you should still take a moment to make sure it is up to date and has accepted any new software updates.
As the researchers note, “The only way to prevent WhisperPair attacks is to install manufacturer-released software patches.” You can check the respective vendor apps or websites to see if something is available, but if not, unfortunately, it’s just a waiting game. If your accessory supports Find Hub but isn’t paired with an Android device, the team says attackers can “track its location,” so it should be updated as soon as a fix is available.
Even if you can disable Fast Pair on your smartphone, it won’t reduce the risk of compromise.
“To the best of our knowledge, compatible accessories have Fast Pair enabled by default without the option to disable it,” the researchers said. “The only way to prevent WhisperPair attacks is to update the accessory’s firmware.”
