
Bluetooth Flaw Lets Hackers Track and Eavesdrop on You

Summary

– A critical vulnerability named WhisperPair (CVE-2025-36911) in Google’s Fast Pair protocol allows attackers to hijack Bluetooth audio accessories, eavesdrop, and track users.
– The flaw affects hundreds of millions of headphones and speakers from major brands because many devices fail to enforce a security check, allowing unauthorized pairing without user consent.
– Attackers can exploit it using any Bluetooth device within 14 meters to forcibly pair, gaining control to play loud audio or listen through the microphone.
– The vulnerability also enables location tracking via Google’s Find My Device network, and victims may dismiss tracking alerts as bugs.
– Google awarded a bounty and worked on patches, but updates may not be available for all devices; the only defense is installing firmware updates from manufacturers.

A significant security vulnerability has been identified within Google’s Fast Pair protocol, a feature designed to simplify connecting Bluetooth accessories. This flaw, known as WhisperPair, enables malicious actors to take control of wireless headphones and earbuds, potentially tracking a user’s location and eavesdropping on private conversations. The issue is not confined to Android devices, as it resides in the hardware of the accessories themselves, putting iPhone users with compatible gear at equal risk.

The problem stems from a widespread failure among manufacturers to properly implement a basic security check. According to the official Fast Pair specification, a Bluetooth accessory should ignore any pairing requests when it is not actively in pairing mode. Many popular device makers have not enforced this critical rule, allowing unauthorized gadgets to initiate a connection without any user prompt or awareness. Researchers from KU Leuven’s Computer Security and Industrial Cryptography group discovered that an attacker can send a pairing request to a vulnerable device, and if it incorrectly responds, complete a standard Bluetooth pairing process.
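The check described above, sketched as accessory-side logic in C. This is an added example, not code from the Fast Pair specification or from any vendor's firmware; the type and function names, the pairing-mode timeout and the bonding gate are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical accessory state; names are illustrative, not taken from the spec. */
typedef struct {
    bool     pairing_mode;        /* set only by a user action, e.g. a button hold */
    uint32_t pairing_deadline_ms; /* assumed: pairing mode expires on its own */
    bool     request_accepted;    /* a pairing request passed the gate */
} accessory_t;

typedef enum { FP_IGNORE = 0, FP_RESPOND = 1 } fp_action_t;
#define PAIRING_WINDOW_MS 120000u /* constructed value */

void enter_pairing_mode(accessory_t *a, uint32_t now_ms) {
    a->pairing_mode = true;
    a->pairing_deadline_ms = now_ms + PAIRING_WINDOW_MS;
    a->request_accepted = false;
}

/* Flawed behaviour described in the article: responds whatever the mode. */
fp_action_t on_pairing_request_flawed(accessory_t *a, uint32_t now_ms) {
    (void)now_ms;
    a->request_accepted = true;
    return FP_RESPOND;
}

/* Corrected: drop the request silently unless the user enabled pairing mode. */
fp_action_t on_pairing_request_checked(accessory_t *a, uint32_t now_ms) {
    if (a->pairing_mode && (int32_t)(now_ms - a->pairing_deadline_ms) >= 0)
        a->pairing_mode = false;          /* window expired (wrap-safe compare) */
    if (!a->pairing_mode) {
        a->request_accepted = false;
        return FP_IGNORE;                 /* no response of any kind */
    }
    a->request_accepted = true;
    return FP_RESPOND;
}

/* Assumed second gate: refuse Bluetooth bonding that no accepted request preceded. */
bool allow_bonding(const accessory_t *a) {
    return a->pairing_mode && a->request_accepted;
}

int main(void) {
    accessory_t acc = {0};                /* constructed: device not in pairing mode */
    printf("flawed: %d, checked: %d\n", (int)on_pairing_request_flawed(&acc, 0),
           (int)on_pairing_request_checked(&acc, 0));
    return 0;
}
```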

Exploiting this weakness requires only a common Bluetooth-enabled device like a laptop or smartphone. An attacker can forcibly pair with susceptible accessories from major brands, including Google, Sony, Jabra, and JBL, from a distance of up to 14 meters. This connection happens in seconds, with no interaction needed from the victim. Once paired, the attacker gains full control over the audio device. This control can be used maliciously to play loud, disruptive sounds or, more alarmingly, to secretly listen in on the user’s surroundings through the device’s built-in microphone.

Beyond audio eavesdropping, the flaw opens a pathway for physical tracking. If a vulnerable accessory has never been paired with an Android phone before, an attacker can link it to their own Google account. This action enrolls the device in Google’s Find My Device network, allowing the attacker to monitor the accessory’s location. A victim might eventually receive an unwanted tracking notification, but it would appear to originate from their own account, likely leading them to dismiss it as a harmless glitch and allowing prolonged surveillance.

Google responded to the discovery by awarding the maximum possible bug bounty and coordinating with manufacturers on patches during a 150-day disclosure period. However, security updates addressing WhisperPair may not yet be available for all affected devices. The sole effective defense for consumers is to install any firmware updates released by their device’s manufacturer. It is important to note that simply disabling the Fast Pair feature on an Android smartphone offers no protection, as the vulnerability cannot be switched off on the accessory hardware.

(Source: Bleeping Computer)
