Overview
- KU Leuven researchers disclosed WhisperPair, a set of vulnerabilities arising from improper implementations of Google's Fast Pair that let nearby attackers silently pair with and seize control of audio accessories.
- Dozens of popular models from brands including Sony, JBL, Marshall, Nothing, OnePlus, Xiaomi, Jabra, Soundcore, Logitech, and Google were tested and many were affected.
- In demonstrations using low-cost hardware, devices were hijacked within about 10–15 seconds from roughly 14 meters, enabling audio injection, microphone access, and disruption.
- Certain products that support Google's Find Hub could be illicitly registered for high‑resolution tracking, though Google says there is no evidence of real‑world exploitation.
- Google confirmed the vulnerabilities, issued fixes for its own accessories and Find Hub, and alerted vendors, with Xiaomi and JBL rolling out patches, Logitech integrating firmware for new units, and OnePlus reviewing the issue.