WhisperPair Earbud Flaw: How It Exposes Users to Eavesdropping

A newly disclosed vulnerability dubbed WhisperPair could let attackers covertly pair with popular earbuds and headphones, seize control, and eavesdrop from across the room. The flaw stems from improper implementations of Google’s Fast Pair protocol in audio accessories, creating a remote attack surface that extends well beyond Android phones—and the only reliable fix comes from firmware updates issued by device makers. What WhisperPair Is and Why It Still Matters Researchers at KU Leuven, backed by a national Cybersecurity Research Program, discovered that many Fast Pair–compatible accessories skip a critical check: ignoring pairing requests when the device isn’t in pairing mode. Assigned the critical identifier CVE-2025-36911, the issue allows a nearby attacker to initiate pairing without your knowledge and complete a standard Bluetooth bond. Once paired, the attacker can manipulate controls, inject audio prompts, and—most concerning—quietly access microphones to capture conversations. Tests showed viable attacks at distances up to 14 meters, making offices, coffee shops, airports, and co-working spaces realistic targets. How the WhisperPair Attack Works Across Devices Fast Pair defines two roles: a “seeker” (phone, laptop, or other initiator) and a “provider” (earbuds or headphones). The protocol requires providers to ignore pairing attempts unless they are explicitly in pairing mode. The researchers found that numerous accessories skip or mishandle this gatekeeping step. In practice, an attacker’s device can send a crafted request, elicit a reply from the vulnerable accessory, and then finalize Bluetooth pairing as if everything were legitimate. From there, microphone access and device control follow standard Bluetooth behaviors—no malware on your phone required, and no user interaction needed. Who Is at Risk from the WhisperPair Vulnerability Because the weakness lives in accessory firmware, it affects users across platforms. Android phones don’t have to be present, and iPhone users with impacted earbuds are equally exposed. Models from major brands—including Google, Sony, Harman’s JBL, and Anker—appear on the researchers’ tested list, with varying status by firmware version. There’s also a tracking angle. If a vulnerable accessory supports but hasn’t been registered to Google’s Find Hub network, an attacker may be able to enroll it to their account, potentially tracking the accessory’s movements. Alerts can surface, but they may not clearly reveal an unfamiliar account, increasing the risk of being dismissed. The researchers are unequivocal: the only effective mitigation is a firmware update from the accessory maker. Check your companion app immediately—examples include Sony Headphones Connect, JBL Headphones, Google’s Pixel Buds app, and Anker Soundcore—or the manufacturer’s support pages for release notes addressing Fast Pair or security. Steps to take today: Update your earbuds/headphones firmware via the official companion app, then reboot the accessory and your phone. Confirm the new firmware version and re-check the vendor’s notes for any mention of Fast Pair or security fixes. If no patch is available, monitor the vendor’s app weekly and consider contacting support to request an ETA. Some brands roll out fixes in waves by region or model. Importantly, turning off Fast Pair on your phone doesn’t solve the problem; accessories commonly keep the feature enabled internally without a user-facing off switch. Likewise, “forgetting” the device on your phone won’t prevent a rogue pairing from another attacker device. Interim Risk Reduction Steps While Awaiting Patches While you wait for a patch, treat unpatched buds as microphones in your pocket. Avoid sensitive calls on them, keep them powered off in the case when not in active use, and be wary of unexpected pairing prompts or audio cues. If your model supports a hard reset, perform one and re-pair only with your primary device; then clear unused pairings on both the accessory and your phone. For environments with strict confidentiality, use wired headsets or built-in device microphones until your accessory is confirmed patched. If the accessory supports Find Hub, review its settings and notifications regularly for any unusual enrollment or movement alerts. What the Researchers and Industry Say About WhisperPair The KU Leuven team privately reported the issue to Google under responsible disclosure, earning a $15,000 bug bounty. The vulnerability received a critical severity rating, reflecting the combination of stealth, range, and microphone access. Industry bodies such as the Bluetooth SIG have long emphasized correct state handling during pairing; WhisperPair shows how a single skipped check can unravel that protection. Fast Pair’s convenience is precisely why the impact is broad: it’s deeply embedded across the accessory ecosystem. This isn’t the first Bluetooth scare—prior issues like KNOB and BIAS targeted core protocols—but WhisperPair’s twist is that it exploits vendor implementations, which means fixes will arrive model by model rather than in one sweeping OS update. How to See If Your Headphone Model Is Vulnerable The research team has published a searchable catalog of tested earbuds and headphones, noting which firmware versions are affected or fixed. Look up your brand and model, verify your current firmware in the companion app, and compare. Even if your unit is listed as not vulnerable, apply the latest firmware to ensure you’re on the safe side. Bottom line: if you rely on Bluetooth earbuds for calls or meetings, update them now. WhisperPair turns convenience into a liability, and only manufacturer patches fully close the door on remote eavesdropping.