WhisperPair Bluetooth Fast Pair Vulnerability (CVE-2025-36911) Exposes Millions of Audio Accessories to Remote Hijacking, Eavesdropping, and Location Tracking

  • Rescana
  • 2 hours ago

Executive Summary

A newly disclosed critical vulnerability, WhisperPair (CVE-2025-36911), exposes hundreds of millions of Bluetooth audio accessories to remote hijacking, eavesdropping, and location tracking. The flaw resides in the implementation of the Google Fast Pair protocol across a wide range of devices from leading vendors including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. Attackers can exploit this vulnerability to forcibly pair with affected devices without any user interaction, gaining unauthorized access to microphones, device controls, and, in some cases, the ability to track the device’s location via Google’s Find Hub network. The attack is practical, can be executed with commodity hardware, and is not limited to Android users—iPhone and other non-Android device owners are equally at risk if their accessories support Fast Pair. Immediate firmware updates are required to mitigate this threat.

Technical Information

The WhisperPair vulnerability, catalogued as CVE-2025-36911, is a systemic flaw in the way many Bluetooth audio accessories implement the Google Fast Pair protocol. Fast Pair is designed to streamline the Bluetooth pairing process, but in many devices, the accessory firmware fails to verify whether the device is in pairing mode before accepting new pairing requests. This oversight allows an attacker within Bluetooth range (up to 14 meters, as demonstrated in research) to initiate and complete a pairing process at any time, regardless of the device’s intended state.

The attack leverages the Bluetooth Low Energy (BLE) stack and exploits the Fast Pair protocol’s lack of state validation. An attacker, using a standard laptop, smartphone, or a low-cost device such as a Raspberry Pi, can scan for Fast Pair-enabled accessories in the vicinity. Once a vulnerable device is detected, the attacker sends a pairing request, which is erroneously accepted by the accessory. The attacker can then complete the pairing handshake, gaining full access to the device’s capabilities.
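
The missing state check described above, modelled as an added example (not code from the researchers, Google, or any vendor). It is a simplified state model rather than the Fast Pair wire protocol; the types, function names and the 16-byte host key are assumptions made for illustration.

```c
/* Added illustration: simplified state model; all names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 16
#define MAX_KNOWN 4
typedef enum { REQ_ACCEPTED, REQ_IGNORED } req_result;
typedef struct {
    bool in_pairing_mode;                    /* set only by a deliberate user action */
    uint8_t known_keys[MAX_KNOWN][KEY_LEN];  /* stand-in for hosts already paired */
    int known_count;
} accessory;
typedef struct { uint8_t key[KEY_LEN]; } pairing_request;

static bool is_known_host(const accessory *a, const pairing_request *r) {
    for (int i = 0; i < a->known_count; i++)
        if (memcmp(a->known_keys[i], r->key, KEY_LEN) == 0) return true;
    return false;
}
static req_result bond(accessory *a, const pairing_request *r) {
    if (a->known_count >= MAX_KNOWN) return REQ_IGNORED;
    memcpy(a->known_keys[a->known_count++], r->key, KEY_LEN);
    return REQ_ACCEPTED;
}
/* Flaw described above: a new host is bonded without consulting pairing state. */
req_result handle_vulnerable(accessory *a, const pairing_request *r) {
    return is_known_host(a, r) ? REQ_ACCEPTED : bond(a, r);
}
/* Fix: unknown hosts are served only inside a user-initiated pairing window. */
req_result handle_hardened(accessory *a, const pairing_request *r) {
    if (is_known_host(a, r)) return REQ_ACCEPTED;  /* owner reconnect still works */
    if (!a->in_pairing_mode) return REQ_IGNORED;   /* drop silently */
    a->in_pairing_mode = false;   /* example policy: one new bond per window */
    return bond(a, r);
}
/* Constructed scenario: owner bonded, unknown host asks to pair; returns bond count. */
int bonded_after_stranger(bool hardened, bool pairing_mode) {
    accessory a = { .in_pairing_mode = pairing_mode, .known_count = 1 };
    pairing_request stranger;
    memset(a.known_keys[0], 0xA1, KEY_LEN);  /* constructed owner key */
    memset(stranger.key, 0x5C, KEY_LEN);     /* constructed unknown key */
    (hardened ? handle_hardened : handle_vulnerable)(&a, &stranger);
    return a.known_count;
}
int main(void) {
    printf("idle, vulnerable: %d bonded\n", bonded_after_stranger(false, false));
    printf("idle, hardened:   %d bonded\n", bonded_after_stranger(true, false));
    return 0;
}
```

A firmware regression test for a fix of this class should assert both halves: an unknown host is ignored while the accessory is idle, and an already-paired host is still accepted outside pairing mode.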

If the compromised accessory includes a microphone, the attacker can activate it to record ambient audio, effectively turning the device into a covert listening tool. For devices supporting Google’s Find Hub, the attacker can register their own Google account as the device owner if they are the first to pair, enabling persistent location tracking through the Find My Device network. This is particularly concerning for new or factory-reset accessories, as the first pairing event determines device ownership in the Google ecosystem.

The attack requires nothing from the victim: no user interaction, confirmation, or notification is involved. The median time to compromise is approximately 10 seconds, making opportunistic attacks in public spaces both feasible and difficult to detect. The vulnerability is present in the accessory firmware, not in the host device (phone, tablet, or computer), so disabling Fast Pair on the host or factory resetting the accessory does not mitigate the risk.

The impact of WhisperPair is multifaceted. Attackers can eavesdrop on conversations, disrupt device usage by playing audio or changing settings, and, in some cases, track the physical location of the device and its user. The vulnerability is not limited to Android users; any device supporting Fast Pair, regardless of the host operating system, is susceptible if the accessory firmware is flawed.

The flaw was discovered and responsibly disclosed by the COSIC group at KU Leuven University, who have published detailed technical analyses and proof-of-concept demonstrations. The attack does not require specialized equipment or advanced technical skills, significantly lowering the barrier to exploitation.

Exploitation in the Wild

As of the latest public disclosures, there are no confirmed reports of widespread exploitation of WhisperPair in the wild. However, the attack has been thoroughly demonstrated by academic researchers using off-the-shelf hardware and open-source Bluetooth tools. The practicality and stealth of the attack, combined with the ubiquity of vulnerable devices, make it highly likely that both opportunistic and targeted exploitation will emerge rapidly, especially as awareness of the vulnerability spreads.

The research team at KU Leuven has released video demonstrations and technical documentation illustrating the attack workflow. These resources confirm that the exploit can be executed in real-world environments, such as offices, public transportation, or crowded venues, where Bluetooth audio accessories are commonly used.

Security analysts warn that the lack of user interaction and the speed of compromise make detection and attribution challenging. Organizations and individuals should assume that unpatched devices are at risk, particularly in high-traffic or sensitive environments.

APT Groups using this vulnerability

At the time of this report, there is no public attribution of WhisperPair exploitation to specific Advanced Persistent Threat (APT) groups. However, the technical simplicity and high impact of the vulnerability place it well within the operational capabilities of both state-sponsored actors and organized cybercriminal groups. The attack aligns with tactics observed in the MITRE ATT&CK framework, specifically Initial Access (TA0001) and Collection (TA0009), utilizing techniques such as Bluetooth-based Device Access (T1421) and Audio Capture (T1123).

Given the potential for covert surveillance, industrial espionage, and physical tracking, it is anticipated that APT groups and other sophisticated adversaries will incorporate WhisperPair into their toolkits if they have not already done so. Organizations operating in sensitive sectors or handling confidential information should prioritize mitigation and monitor for signs of unauthorized Bluetooth activity.

Affected Product Versions

The WhisperPair vulnerability affects a broad spectrum of Bluetooth audio accessories from leading vendors. Confirmed vulnerable models include, but are not limited to, the following:

Sony WH-1000XM6, WH-1000XM5, WH-1000XM4, WH-CH720N, WF-1000XM5; Google Pixel Buds Pro 2; OnePlus Nord Buds 3 Pro; Nothing Ear (a); JBL (Harman) TUNE BEAM; Xiaomi Redmi Buds 5 Pro; Marshall MOTIF II A.N.C.; Anker (soundcore) Liberty 4 NC; Jabra Elite 8 Active.

The vulnerability is present in the firmware of these devices, specifically in their implementation of the Google Fast Pair protocol. Notably, some popular models from other vendors, such as Sonos Ace, Audio-Technica ATH-M20xBT, JBL Flip 6, Jabra Speak2 55 UC, Bose QC Ultra Headphones, Poly VFree 60 Series, Bang & Olufsen Beosound A1 2nd Gen, and Apple Beats Solo Buds, have been tested and found not to be vulnerable.

The full and continually updated list of affected devices is maintained at the official research portal: https://whisperpair.eu/vulnerable-devices. Customers are strongly encouraged to consult this resource to verify the status of their audio accessories.

Workaround and Mitigation

The only effective mitigation for WhisperPair is to apply firmware updates provided by the device manufacturer. Users should regularly check the support pages of their accessory vendors for security advisories and firmware releases addressing CVE-2025-36911. Where updates are available, they should be applied immediately to all affected devices.

Monitoring for unauthorized Bluetooth pairings is recommended. Users should periodically review the list of paired devices on their accessories and remove any unfamiliar or suspicious entries. Unexplained audio playback, unexpected microphone activation, or anomalous tracking notifications from Google’s Find Hub may indicate compromise and should be investigated promptly.

It is critical to note that disabling Fast Pair on the host device (phone, tablet, or computer) or performing a factory reset on the accessory does not remediate the vulnerability. The flaw is embedded in the accessory’s firmware logic, and only a vendor-issued firmware update can resolve the issue.

Organizations should consider implementing policies restricting the use of vulnerable Bluetooth accessories in sensitive environments until patches are applied. Security awareness training should be updated to include information about the risks associated with WhisperPair and the importance of timely firmware updates.

References

Malwarebytes: WhisperPair exposes Bluetooth earbuds and headphones to tracking and eavesdropping: https://www.malwarebytes.com/blog/news/2026/01/whisperpair-exposes-bluetooth-earbuds-and-headphones-to-tracking-and-eavesdropping

NVD: CVE-2025-36911: https://nvd.nist.gov/vuln/detail/CVE-2025-36911

WhisperPair Research Portal (KU Leuven): https://whisperpair.eu/

SecurityWeek: WhisperPair Attack Leaves Millions of Audio Accessories Open to Hijacking: https://www.securityweek.com/whisperpair-attack-leaves-millions-of-bluetooth-accessories-open-to-hijacking/

Google Security Bulletin: https://source.android.com/security/bulletin/pixel/2026-01-01

Rescana is here for you

At Rescana, we understand that the evolving threat landscape demands proactive and comprehensive risk management. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire supply chain and digital ecosystem. While no single solution can prevent every vulnerability, Rescana’s platform provides the visibility and intelligence needed to respond rapidly to emerging threats and ensure the resilience of your business operations.

If you have any questions about this advisory or require further assistance, our team is ready to help. Please contact us at ops@rescana.com.
