Club Benefits
Google's Fast Pair protocol allows Bluetooth devices like headphones to quickly and automatically pair with your phone or laptop. Unfortunately, a group of security researchers has now shared serious security concerns in a newly released paper revealing a major flaw with Fast Pair.
Researchers at Belgium's KU Leuven University released their findings about the flaw (tracked as CVE-2025-36911 dubbed WhisperPair), which affects hundreds of millions of wireless headphones, earbuds and speakers from 15 different manufacturers across 17 different devices that support the Fast Pair feature. This includes the Sony WH-1000XM6, SoundCore Liberty 4 NC and Jabra Elite 8 Active, among other products.
Even iPhone users can be a victim even if you've never owned a Google product.
The flaws were initially reported to Google in August of 2025, who marked the loophole as critical and asked researchers to wait 150 days before disclosure so a fix could be implemented and to prevent widespread knowledge of the flaws.
Google thanked the researchers in a statement. The company awarded them $15,000, the maximum bounty, and worked with manufacturers to release security patches during the 150-day window.
"We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting," a spokesperson told Tom's Guide.
We were told that some vulnerable devices may not have security updates addressing the flaw, though it wasn't specified which ones.
How does WhisperPair work?
Google Fast Pair has a specification requiring Bluetooth devices to ignore pairing requests when they are not in active pairing mode. However, vendors and chip makers may not have enforced this check in their devices, which allows bad actors to initiate pairing with unauthorized devices without your consent or knowledge.
"To start the Fast Pair procedure, a Seeker (a phone) sends a message to the Provider (an accessory) indicating that it wants to pair. The Fast Pair specification states that if the accessory is not in pairing mode, it should disregard such messages," the researchers said.
Unfortunately, the notifications about unwanted tracking could be misleading.
"The victim may see an unwanted tracking notification after several hours or days, but this notification will show their own device," researchers said. "This may lead users to dismiss the warning as a bug, enabling an attacker to keep tracking the victim for an extended period."
WhisperPair can be exploited by any Bluetooth capable device like a laptop, phone or Raspberry Pi to forcibly pair with vulnerable accessories at ranges up to 15 meters within seconds without even physically accessing the targeted device.
From there, the flaw can allow attackers to track locations using the Google Find Hub network if the accessory has never been paired with an Android device. They add the device to their own account.
What can you do to stay safe
First and foremost, you need to make sure that you have the most recent firmware update from your manufacturer installed on your Bluetooth device. Google's Pixel Buds Pro 2 are on the listed of vulnerable devices, and Google says that the earbuds have already been patched.
Google also said that it rolled out a separate fix to prevent Find Hub networking tracking using the covert account attack. This fix completely addresses the tracking issues across all devices, Google claimed.
Unfortunately, disabling Fast Pair on your Android phone doesn't prevent potential attacks since you can't disable the feature on the Bluetooth device itself.
Some devices have already been patched like Jabra and Logitech. However, JBL told WIred that a patch was coming "over the next few weeks" and some companies like Sony and Marshall didn't respond to request for comment. Still, make sure your devices are updated.
Follow Tom's Guide on Google News and add us as a preferred source to get our up-to-date news, analysis, and reviews in your feeds.
More from Tom's Guide
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
