Google Bluetooth flaw puts millions of audio devices at risk


Researchers are warning of a new vulnerability in Google’s Fast Pair Service that allows hackers to eavesdrop on hundreds of millions of Bluetooth audio devices. Is yours one of them?

Dubbed WhisperPair, the “set of vulnerabilities” (tracked as CVE-2025-36911) was discovered and reported to Google by the COSIC research group at KU Leuven University in Belgium on Wednesday.

The researchers say hundreds of millions of earbuds, headphones, and speakers are at risk of attack, and that users should patch their devices immediately.

Affected audio devices can also include car kits, microphones, mice, and keyboards – and can be from any major brand or chipset, as the critical flaw is contained within the Fast Pair service.

This includes even devices that have passed manufacturer QA and Google certification, the researchers warn.

“We have found that a small usability ‘add-on’ designed to make pairing easier has introduced large-scale security and privacy risks for hundreds of millions of users,” COSIC said.

How the attack works

Google’s one-click Fast Pair Service (GFPS) uses Bluetooth Low Energy (BLE), also known as Bluetooth Smart, a radio-frequency technology, to pair Bluetooth and BLE devices “with as little user interaction required as possible.”

The flaw in the nearly decade-old GFPS protocol “allows attackers to silently hijack devices, access microphones, inject audio, and even track users via Google’s Find Hub network – all without user consent,” COSIC states.

What's more, the attacks can happen within seconds and at realistic Bluetooth ranges, COSIC explains.

It starts with the attacker silently pairing with the user’s Bluetooth device without their knowledge. The attacker will then stealthily activate the device’s microphone. This enables the attacker to use the device as a location tracker using Google's Find Hub network, COSIC says.

COSIC reported testing 25 commercial devices from 16 vendors (including Sony, JBL, and others) across 17 unique Bluetooth chipsets.

“68% of the tested devices were vulnerable to forced pairing hijacks, and on every device that could be hijacked, we successfully gained access to the microphone,” they said.

The researchers also tested how the attacks would work in real-life scenarios, including on a train and in a potential incident of cyberstalking.

In the train example, COSIC says once a hacker gets control of your audio, they can launch 'man-in-the-middle' attacks or inject malicious audio to capture microphone input, effectively bugging your conversation.

In the cyberstalking example, once the hacker gains unauthorized access to your Fast Pair-certified device, they can track your location for days via the crowdsourced Find Hub network before you are alerted.

How to check and patch

Before the introduction of more advanced Bluetooth pairing protocols, a user had to physically put their device into “pairing mode,” which enabled only trusted devices to pair, according to the research.

But the researchers say a small tweak in the protocol, designed for one-click pairing, “relies on the device's firmware to simply ‘check’ to see if the device is in pairing mode,” which can be bypassed in many Fast Pair-certified devices.

“By prioritising frictionless setup, the industry neglected the digital lock on the front door. Our work shows that security cannot be a checkbox exercise; it must be enforced by the protocol itself,” COSIC said.

COSIC recommends that users contact their manufacturer to confirm whether their device is among the millions affected, then download and apply the manufacturer's patch right away.

The researchers also posted details about the devices they personally tested, indicating whether each was vulnerable or not. You can check the list here.

COSIC also notes that users should only download and install software patches issued directly by the manufacturer.

Also, because the vulnerability was only recently reported, some manufacturers may not have a patch ready for release, so users should keep checking for updates.

