Security researchers have uncovered a vulnerability called WhisperPair in 17 audio devices using Google's Fast Pair protocol, enabling hackers to access microphones and track locations within Bluetooth range. The flaw affects products from 10 manufacturers, including Sony and Google, and stems from improper implementation of the pairing standard. Google has collaborated with researchers to address the issue, though full fixes depend on hardware partners.
A team of researchers from Belgium's KU Leuven University revealed the WhisperPair vulnerability on January 15, 2026, affecting 17 headphone and speaker models certified for Google's Fast Pair protocol. This one-tap pairing feature, designed to simplify Bluetooth connections, has been improperly implemented by some hardware partners, allowing unauthorized pairings even outside pairing mode.
The attack requires a hacker to be within Bluetooth range (up to 14 meters) and to know the device's model number, which is easily obtainable. Hijacking the device takes a median of 10 seconds, or less than 15 in some cases. As KU Leuven researcher Sayon Duttagupta explained to Wired, "You're walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device. Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location."
Once connected, attackers can interrupt audio streams, play their own sounds, eavesdrop via the microphone, or use Google's Find Hub to track the device's location. The vulnerability applies even to non-Android users if the device hasn't been linked to a Google account, potentially allowing hackers to bind it to their own account.
Researchers notified Google in August 2025, prompting collaboration through the company's Vulnerability Rewards Program. Google provided fixes to partners in September 2025 and updated its Find Hub network, but the team quickly found a workaround. A Google spokesperson stated, "We appreciate collaborating with security researchers... We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting. As a best security practice, we recommend users check their headphones for the latest firmware updates."
Affected manufacturers include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google. Google's Pixel Buds have received patches, while OnePlus is investigating. The flaw cannot be disabled, and many users may remain vulnerable unless they install the manufacturer apps that deliver updates. Researchers advise regular firmware checks and a factory reset if compromise is suspected, and note that there are no known real-world exploits to date.