Overview
- KU Leuven researchers disclosed CVE-2025-36911, dubbed WhisperPair, which enables remote unauthorized pairing in roughly 10 seconds at ranges up to about 14–15 meters.
- The issue stems from many accessories not enforcing the Fast Pair specification's requirement that a device ignore pairing requests whenever it is not in active pairing mode; a vulnerable accessory accepts such requests at any time.
- After forced pairing, attackers could disrupt playback, access microphones, or in some cases track location via Google’s Find Hub network.
- Affected models span brands including Sony, Google, Jabra, JBL, Nothing, OnePlus, Soundcore, Xiaomi, Marshall, and Logitech, with a public tested list available from the researchers.
- Google followed a 150-day coordinated disclosure process, awarded a $15,000 bounty, reported no evidence of in-the-wild exploitation, and says it has rolled out a Find Hub fix for the tracking issue. Because the flaw lies in the accessory firmware, disabling Fast Pair on the phone does not prevent the attack; manufacturers are releasing firmware updates that users must install on the affected accessories.