Bluetooth Headphones Vulnerable to Hijacking, Eavesdropping
A serious security flaw in Google's Fast Pair protocol allows attackers to hijack Bluetooth audio accessories, potentially track users, and listen to their conversations. The vulnerability, dubbed WhisperPair (tracked as CVE-2025-36911), impacts hundreds of millions of wireless headphones, earbuds, and speakers from various manufacturers.
Researchers at KU Leuven's Computer Security and Industrial Cryptography group discovered the issue. It's not limited to Android users; iPhone owners with affected Bluetooth devices are also at risk because the vulnerability resides within the accessories themselves.
The problem stems from a failure by many manufacturers to properly implement the Fast Pair protocol. The Fast Pair specification requires Bluetooth devices to ignore pairing requests when they aren't actively in pairing mode. However, many vendors haven't included this crucial check.
This oversight allows unauthorized devices to initiate pairing without the user's knowledge or permission. A "Seeker" (a phone) can send a pairing request to a "Provider" (an accessory) even when the accessory isn't looking for a connection.
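To make the missing check concrete, here is an added example, written for this article and not taken from the researchers, Google, or any vendor's firmware. It models a Provider's pairing-request handler in C: the vulnerable version honours every request regardless of state, while the hardened version honours a request only while the user has put the accessory into pairing mode, expires that mode after a short window, and counts everything else so unexpected attempts can be logged. The state names, the struct layout, the function names and the pairing-window length are assumptions for illustration, not details of the Fast Pair specification.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a Fast Pair "Provider" (an accessory) receiving a
 * pairing request from a "Seeker" (a phone). Everything here is a
 * constructed simulation; no real radio or Fast Pair message parsing. */

enum provider_state {
    PROVIDER_IDLE,          /* powered on, not accepting new pairings */
    PROVIDER_PAIRING_MODE,  /* user pressed the pairing button */
    PROVIDER_CONNECTED      /* bonded and streaming audio to a Seeker */
};

enum pairing_result { PAIRING_REJECTED = 0, PAIRING_ACCEPTED = 1 };

/* Assumed hardening: pairing mode closes itself after this many ticks
 * so an accessory is never discoverable indefinitely. */
#define PAIRING_WINDOW_TICKS 30

struct provider {
    enum provider_state state;
    int pairing_ticks_left;          /* countdown while in pairing mode */
    unsigned rejected_requests;      /* counter a defender can log/alert on */
};

void provider_init(struct provider *p)
{
    p->state = PROVIDER_IDLE;
    p->pairing_ticks_left = 0;
    p->rejected_requests = 0;
}

/* Only an explicit user action (e.g. a button press) opens pairing mode. */
void provider_enter_pairing_mode(struct provider *p)
{
    p->state = PROVIDER_PAIRING_MODE;
    p->pairing_ticks_left = PAIRING_WINDOW_TICKS;
}

/* Periodic housekeeping: close the pairing window when it expires. */
void provider_tick(struct provider *p)
{
    if (p->state == PROVIDER_PAIRING_MODE && --p->pairing_ticks_left <= 0)
        p->state = PROVIDER_IDLE;
}

/* Vulnerable behaviour: the accessory's own state is never consulted,
 * which is the omission the article describes. */
enum pairing_result handle_pairing_request_vulnerable(struct provider *p)
{
    p->state = PROVIDER_CONNECTED;
    return PAIRING_ACCEPTED;
}

/* Hardened behaviour: refuse unless the user opened pairing mode, and
 * record the refusal so unexpected requests are visible in device logs. */
enum pairing_result handle_pairing_request_hardened(struct provider *p)
{
    if (p->state != PROVIDER_PAIRING_MODE) {
        p->rejected_requests++;
        return PAIRING_REJECTED;
    }
    p->state = PROVIDER_CONNECTED;
    p->pairing_ticks_left = 0;
    return PAIRING_ACCEPTED;
}

/* Scenario: an idle accessory receives an unsolicited request. */
enum pairing_result unsolicited_request(bool hardened)
{
    struct provider p;
    provider_init(&p);
    return hardened ? handle_pairing_request_hardened(&p)
                    : handle_pairing_request_vulnerable(&p);
}

/* Scenario: the user opens pairing mode but no Seeker arrives before the
 * window closes; a request after expiry must be refused. Returns the result. */
enum pairing_result request_after_window_expired(void)
{
    struct provider p;
    provider_init(&p);
    provider_enter_pairing_mode(&p);
    for (int i = 0; i < PAIRING_WINDOW_TICKS; i++)
        provider_tick(&p);
    return handle_pairing_request_hardened(&p);
}

int main(void)
{
    printf("idle, vulnerable handler: %s\n",
           unsolicited_request(false) ? "accepted" : "rejected");
    printf("idle, hardened handler:   %s\n",
           unsolicited_request(true) ? "accepted" : "rejected");
    printf("after window expired:     %s\n",
           request_after_window_expired() ? "accepted" : "rejected");
    return 0;
}
```

The `rejected_requests` counter is the detection hook: a Provider that logs or surfaces refused pairing attempts gives the user, or a fleet administrator, a signal that something nearby is probing it, which a silently accepting accessory never provides.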
Researchers demonstrated they could use WhisperPair to:
- Initiate a connection to a vulnerable device from up to 30 feet away.
- Track a user’s location via their Bluetooth accessory.
- Eavesdrop on audio streamed to the headphones.
The researchers plan to publicly release technical details and proof-of-concept exploits after coordinating with Google and affected vendors. They recommend users keep their devices’ firmware updated and be cautious when pairing new Bluetooth accessories.