Security

WhisperPair: Fast Pair Flaw Threatens 17 Audio Models

Krishn patel

Krishn patel

2 min read
Google Fast Pair Flaw Exposes 17 Devices
WhisperPair Alert
  • Key Takeaway: A vulnerability called WhisperPair affects 17 Bluetooth audio accessories certified with Google Fast Pair.
  • Key Takeaway: Flaw lets an attacker within Bluetooth range pair to devices, potentially enabling microphone access, audio injection and location tracking.
  • Key Takeaway: Affected brands include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google; Google says Pixel Buds are patched.
  • Key Takeaway: Google and KU Leuven researchers coordinated fixes; users should update firmware and use manufacturer apps or whisperpair.eu to check risk.

What is WhisperPair and how it works

WhisperPair is the name KU Leuven security researchers gave to a weakness in how some manufacturers implemented Google’s Fast Pair one-tap Bluetooth protocol. The bug allows an attacker to pair with an accessory after it’s already paired to a phone or device when proper pairing-mode checks are missing.

Researchers say an attacker needs only the accessory model number and a few seconds while within Bluetooth range. "You're walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device," KU Leuven researcher Sayon Duttagupta told Wired.

Which devices are affected

The vulnerability impacts 17 models across 10 companies that obtained Google Fast Pair certification. Named manufacturers include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google.

Google reports that its affected Pixel Buds have already received patches. The KU Leuven team also published a searchable tool at whisperpair.eu so users can check if a specific accessory is vulnerable.

Google and OEM response

Google says the flaw stems from improper Fast Pair implementations by partners rather than the core Fast Pair protocol. The company worked with researchers through its Vulnerability Rewards Program and provided OEMs recommended fixes in September.

Google updated its Validator certification tool and tightened certification requirements. It also rolled out a fix to its Find Hub network to prevent attackers from linking accessories to their own Google accounts for location tracking, though researchers reported a temporary workaround after that patch.

What you should do now

Install firmware updates from accessory manufacturers as soon as they are available. Many fixes require the vendor’s companion app, so enabling those apps and updates is important.

Turn off Bluetooth when not in use, avoid unknown pairing prompts, and check your accessory on whisperpair.eu. If you suspect a device has been compromised, unpair it and contact the manufacturer for remediation steps.

Why this matters

The attack can enable severe privacy violations: covertly enabling a microphone, injecting audio, or linking a device to another Google account to reveal location. The risk extends beyond Android users in some scenarios, making firmware updates and vendor fixes the primary defense.

Keeping Bluetooth accessories updated and following vendor guidance remains the most reliable way to reduce exposure until all affected models receive permanent fixes.

Read more