What happened
The WhisperPair vulnerability (CVE-2025-36911) in Google’s Fast Pair protocol allows attackers to hijack Bluetooth accessories — including earbuds, speakers, and headphones — without user consent. Researchers at KU Leuven uncovered that many flagship devices from major brands (Sony, Anker, Jabra, Logitech, Xiaomi, and others) fail to enforce required pairing authorization checks, enabling unauthorized devices to establish pairings in close proximity (up to ~14 meters) without user interaction. Once paired, attackers can play audio at high volume or record audio via built-in microphones, and even link accessories to their own accounts via Google’s Find Hub network, potentially enabling unwanted tracking. The flaw affects Bluetooth hardware itself, making mitigation dependent on firmware updates from device manufacturers.
Who is affected
Consumers and enterprises using Bluetooth accessories from affected manufacturers are indirectly exposed; the threat depends on physical proximity and does not require compromise of the target device.
Why CISOs should care
Bluetooth pairing flaws can lead to unauthorized accessory control, eavesdropping, and privacy breaches around corporate devices, potentially undermining BYOD and wireless security policies.
3 practical actions
- Track firmware advisories: Ensure accessory vendors publish patches and update devices promptly.
- Limit accessory use in sensitive areas: Reduce Bluetooth pairing in high-risk or confidential spaces.
- Monitor for rogue pairings: Detect unexpected device pair events in managed environments.
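One way to act on the third item is to compare the accessories a managed host reports as paired against an IT-maintained allowlist and against the previous inventory snapshot, so that a pairing nobody approved stands out. The script below is an added example for this brief, not code from the page, from KU Leuven, or from Google. It assumes the `Device <MAC> <name>` line format that BlueZ's `bluetoothctl` prints for paired devices; the sample output, the allowlist, and the accessory names are constructed for illustration.

```python
import re

# Constructed sample of `bluetoothctl` paired-device output (not captured from a real host).
SAMPLE_PAIRED_OUTPUT = """\
Device 11:22:33:44:55:66 Approved-Headset
Device AA:BB:CC:DD:EE:01 Unknown-Earbuds
Device 11:22:33:44:55:77 Conference-Speaker
"""

# Constructed earlier snapshot of the same host, used to spot pairings that are new since last check.
PREVIOUS_SNAPSHOT = """\
Device 11:22:33:44:55:66 Approved-Headset
Device 11:22:33:44:55:77 Conference-Speaker
"""

# Hypothetical allowlist of approved accessory addresses (assumption: maintained by IT).
APPROVED_ADDRESSES = {"11:22:33:44:55:66", "11:22:33:44:55:77"}

# Matches one bluetoothctl device line: the word "Device", a 48-bit address, then the name.
LINE_RE = re.compile(r"^Device\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*)$")


def parse_paired_devices(output):
    """Return a list of (address, name) tuples; addresses are normalised to upper case."""
    devices = []
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            devices.append((match.group(1).upper(), match.group(2).strip()))
    return devices


def find_rogue_pairings(output, approved):
    """Paired accessories whose address is not on the allowlist."""
    approved_norm = {addr.upper() for addr in approved}
    return [(addr, name) for addr, name in parse_paired_devices(output)
            if addr not in approved_norm]


def find_new_pairings(previous_output, current_output):
    """Accessories present now that were absent from the previous snapshot."""
    seen_before = {addr for addr, _ in parse_paired_devices(previous_output)}
    return [(addr, name) for addr, name in parse_paired_devices(current_output)
            if addr not in seen_before]


if __name__ == "__main__":
    # On a real host, replace SAMPLE_PAIRED_OUTPUT with the captured bluetoothctl output.
    for addr, name in find_rogue_pairings(SAMPLE_PAIRED_OUTPUT, APPROVED_ADDRESSES):
        print(f"ALERT unapproved pairing: {addr} ({name})")
    for addr, name in find_new_pairings(PREVIOUS_SNAPSHOT, SAMPLE_PAIRED_OUTPUT):
        print(f"NOTICE new since last snapshot: {addr} ({name})")
```

Running the inventory on a schedule and feeding the ALERT lines into the SIEM turns an unexpected pairing into a reviewable event; a pairing that is both unapproved and new since the last snapshot is the case worth investigating first, since a proximity attack against an unpatched accessory would look exactly like that.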
