Particle.news

WhisperPair Exposes Google Fast Pair Accessories to Hijacking and Tracking

Firmware updates from accessory makers are required despite Google’s coordination.

Overview

  • KU Leuven researchers publicly detailed the WhisperPair vulnerabilities (CVE-2025-36911), disclosing flaws in how many Bluetooth accessories implement Google’s pairing protocol.
  • Exploitation stems from devices failing to ignore pairing requests outside pairing mode, with attacks demonstrated in about 10 seconds at ranges up to roughly 14–15 meters.
  • Once paired, attackers can disrupt audio, access microphones, and in some cases track location via Google’s Find Hub; researchers say they could still work around Google’s network mitigation.
  • Dozens of popular earbuds, headphones, and speakers from brands including Sony, JBL, Jabra, OnePlus, Nothing, Xiaomi, Soundcore, Logitech, Marshall, and Google are listed, though Google says affected Pixel Buds have been patched.
  • Google reports no evidence of real‑world abuse, but users must update each accessory’s firmware via manufacturer apps, and turning off Fast Pair on a phone does not remove exposure.