Google’s Fast Pair technology has revolutionised Bluetooth connectivity, enabling seamless one-tap pairing across supported accessories and account synchronisation for millions of users.
However, a critical vulnerability discovered in flagship audio accessories threatens the security of hundreds of millions of devices.
| Attribute | Details |
| Vulnerability Name | WhisperPair – Unauthorized Device Pairing Without User Consent |
| CVE Identifier | CVE-2025-36911 |
| Severity Rating | Critical |
| CVSS v3.1 Score | 9.8 |
Researchers have unveiled WhisperPair, a family of practical attacks that exploit implementation flaws in Fast Pair to hijack wireless headphones, earbuds, and speakers without the user’s knowledge or consent.
WhisperPair enables attackers to forcibly pair vulnerable Fast Pair accessories with attacker-controlled devices in as little as 10 seconds, with effective ranges exceeding 14 meters.
The attack requires no physical access to the target device and operates silently without triggering user awareness.
Once compromised, attackers gain complete control over the accessory, allowing them to play audio at dangerous volumes, record conversations with the built-in microphones, or conduct surveillance.
The vulnerability stems from a critical implementation failure in the Fast Pair specification. According to protocol design, accessories should ignore pairing requests when not in pairing mode.
However, many manufacturers have failed to enforce this essential security check, allowing unauthorized devices to initiate the pairing process.
Attackers exploit this oversight by sending initial Fast Pair messages to vulnerable devices, receiving replies, and completing standard Bluetooth pairing procedures without the legitimate owner’s intervention.
The attack extends beyond device hijacking. Some accessories support Google’s Find Hub network, a crowdsourced location-tracking system designed to help users find lost devices.
Researchers discovered that attackers can register compromised accessories using malicious Google accounts, effectively adding tracking capabilities to devices that have never paired with Android phones.
Victims receive delayed notifications, sometimes hours or days later, displayed on their own devices, likely leading users to dismiss warnings as software glitches while remaining tracked indefinitely.
This exploit works because Android devices write Account Keys to accessories only after pairing completes.
The first key written becomes the Owner Account Key, establishing device ownership. If victims have never connected accessories to Android devices, attackers become marked owners after writing their own account keys, gaining persistent tracking access.
The scope of WhisperPair reveals a breakdown at multiple levels. Researchers documented multiple devices, vendors, and chipsets affected by identical implementation failures.
Critically, vulnerable devices passed both manufacturers’ quality assurance testing and Google’s official certification process, indicating systemic compliance failures rather than isolated developer errors.
This chain of failures across implementation, validation, and certification demonstrates significant gaps in security governance.
Google classified the vulnerability as critical and assigned it CVE-2025-36911. Researchers received the maximum bounty of $15,000 after a responsible 150-day disclosure window beginning in August 2025, which allowed manufacturers time to develop patches.
The only permanent fix requires software updates from accessory manufacturers. While many vendors have released patches for impacted devices, not all users have access to available updates.
Security researchers and consumers should verify patch availability directly with manufacturers. Until updates are deployed, users should disable Bluetooth when accessories are not in use and monitor for unauthorized pairing notifications.
Follow us on Google News, LinkedIn, and X to Get Instant Updates ancd Set GBH as a Preferred Source in Google.