
Bluetooth Audio Devices Vulnerable to Tracking and Eavesdropping

by Lisa Park - Tech Editor

Bluetooth Headphones Vulnerable to Hijacking, Eavesdropping

A serious security flaw in Google’s Fast Pair protocol allows attackers to hijack Bluetooth audio accessories, potentially track users, and listen to their conversations. The vulnerability, dubbed WhisperPair (tracked as CVE-2025-36911), impacts hundreds of millions of wireless headphones, earbuds, and speakers from various manufacturers.

Researchers at KU Leuven’s Computer Security and Industrial Cryptography group discovered the issue. It’s not limited to Android users; iPhone owners with affected Bluetooth devices are also at risk because the vulnerability resides within the accessories themselves.

The problem stems from a failure by many manufacturers to properly implement the Fast Pair protocol. The Fast Pair specification requires Bluetooth devices to ignore pairing requests when they aren’t actively in pairing mode. However, many vendors haven’t included this crucial check.

This oversight allows unauthorized devices to initiate pairing without the user’s knowledge or permission. A “Seeker” (a phone) can send a pairing request to a “Provider” (an accessory) even when the accessory isn’t looking for a connection.
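The missing check described above, as an added example that is not code from the researchers, Google, or any vendor's firmware: a simplified C model of a Provider with the flawed request handler beside a corrected one. The `provider` struct, the function names, and the three-minute pairing window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of an accessory ("Provider"); not a real Fast Pair stack. */
#define PAIRING_WINDOW_MS 180000u  /* assumed: pairing mode lasts 3 minutes */

typedef enum { REQ_IGNORED, REQ_ACCEPTED } req_result;

typedef struct {
    bool     pairing_mode;      /* set only by a user action, e.g. a button hold */
    uint32_t pairing_started;   /* tick (ms) when pairing mode was entered */
    uint32_t ignored_requests;  /* counter a vendor could expose for diagnostics */
} provider;

/* The user put the accessory into pairing mode at time `now`. */
void provider_enter_pairing(provider *p, uint32_t now) {
    p->pairing_mode = true;
    p->pairing_started = now;
}

/* Pairing is active only if the user enabled it and the window has not elapsed. */
static bool pairing_active(provider *p, uint32_t now) {
    if (p->pairing_mode && (uint32_t)(now - p->pairing_started) >= PAIRING_WINDOW_MS)
        p->pairing_mode = false;  /* window expired */
    return p->pairing_mode;
}

/* Flawed handler: proceeds with pairing whatever the state (the missing check). */
req_result handle_request_flawed(provider *p, uint32_t now) {
    (void)p; (void)now;
    return REQ_ACCEPTED;
}

/* Corrected handler: a request outside pairing mode is dropped without a reply. */
req_result handle_request_checked(provider *p, uint32_t now) {
    if (!pairing_active(p, now)) {
        p->ignored_requests++;
        return REQ_IGNORED;
    }
    return REQ_ACCEPTED;
}

int main(void) {
    provider p = {0};
    /* Constructed scenario: a request arrives while the accessory is idle. */
    return handle_request_checked(&p, 1000) == REQ_IGNORED ? 0 : 1;
}
```

The state test has to run at the moment each request arrives, so a request that lands after the pairing window has closed is treated the same as one sent to an idle device.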

Researchers demonstrated they could use WhisperPair to:

  • Initiate a connection to a vulnerable device from up to 30 feet away.
  • Track a user’s location via their Bluetooth accessory.
  • Eavesdrop on audio streamed to the headphones.

The researchers plan to publicly release technical details and proof-of-concept exploits after coordinating with Google and affected vendors. They recommend users keep their devices’ firmware updated and be cautious when pairing new Bluetooth accessories.
