WhisperPair Vulnerability: Millions of Bluetooth Devices at Risk

Jim Gagnard

Board Advisor

 
January 20, 2026 3 min read

TL;DR

  • A critical vulnerability named WhisperPair has been found in Google's Fast Pair protocol, impacting millions of Bluetooth audio devices from major brands. Attackers can exploit this flaw to eavesdrop on conversations, track user locations, and play audio without consent. Users should immediately check for and install firmware updates from manufacturers to protect their devices.

Critical Vulnerability: WhisperPair Attack on Google Fast Pair Devices

A significant security flaw, dubbed WhisperPair, has been discovered in Google's Fast Pair protocol, impacting millions of Bluetooth audio devices. This vulnerability allows attackers to hijack devices, potentially eavesdrop on conversations, and track user locations. The flaw affects a wide range of devices, including those from Sony, JBL, and Xiaomi.

Technical Details of the WhisperPair Vulnerability

The vulnerability, tracked as CVE-2025-36911, stems from the improper implementation of the Fast Pair protocol. According to researchers at KU Leuven's Computer Security and Industrial Cryptography group, the Fast Pair specification requires Bluetooth devices to ignore pairing requests when not in pairing mode. However, many vendors have failed to enforce this check. This oversight allows unauthorized devices to initiate pairing without user consent.

The researchers explained that a "Seeker" (e.g., a phone) sends a message to the "Provider" (e.g., an accessory) to initiate pairing. The specification states that if the accessory is not in pairing mode, it should disregard such messages. Because vulnerable accessories skip this check, attackers can use any Bluetooth-capable device to forcibly pair with them.
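
The missing check described above can be written as a firmware regression test. The following is an added example, not code from the researchers, Google, or any vendor: it is a simplified Provider model in which every name, the handler signatures, and the 30-second pairing window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified Provider model. All names and the timeout are hypothetical. */
#define PAIRING_WINDOW_MS 30000u /* assumed pairing-mode duration */

typedef enum { REQ_IGNORED, REQ_ACCEPTED } req_result;

typedef struct {
    bool     window_open;      /* set only by a deliberate user action */
    uint32_t window_opened_at; /* millisecond tick of that action */
    unsigned ignored;          /* dropped requests, useful for diagnostics */
} provider;

/* The user put the accessory into pairing mode (e.g. held a button). */
void provider_user_enters_pairing(provider *p, uint32_t now_ms) {
    p->window_open = true;
    p->window_opened_at = now_ms;
}

/* Pairing mode holds only inside the window; it expires lazily here. */
bool provider_in_pairing_mode(provider *p, uint32_t now_ms) {
    if (p->window_open &&
        (uint32_t)(now_ms - p->window_opened_at) >= PAIRING_WINDOW_MS)
        p->window_open = false;
    return p->window_open;
}

/* Flawed behaviour the article describes: the mode is never consulted. */
req_result handle_request_unchecked(provider *p, uint32_t now_ms) {
    (void)p; (void)now_ms;
    return REQ_ACCEPTED;
}

/* Behaviour the specification requires: drop requests outside pairing mode. */
req_result handle_request_checked(provider *p, uint32_t now_ms) {
    if (!provider_in_pairing_mode(p, now_ms)) { p->ignored++; return REQ_IGNORED; }
    return REQ_ACCEPTED;
}

/* Sends a request while idle (bit 0), inside the window (bit 1) and after
 * expiry (bit 2); returns a bitmask of the requests that were accepted. */
unsigned run_scenario(req_result (*handler)(provider *, uint32_t)) {
    provider p = {0};
    unsigned accepted = 0;
    if (handler(&p, 1000) == REQ_ACCEPTED) accepted |= 1u;
    provider_user_enters_pairing(&p, 2000);
    if (handler(&p, 5000) == REQ_ACCEPTED) accepted |= 2u;
    if (handler(&p, 2000 + PAIRING_WINDOW_MS) == REQ_ACCEPTED) accepted |= 4u;
    return accepted;
}

int main(void) { return run_scenario(handle_request_checked) == 2u ? 0 : 1; }
```

A compliant handler accepts only the request made inside the user-opened window; the unchecked handler accepts all three, which is the condition a vendor's test suite should fail on.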

Attack Vectors and Potential Risks

Attackers can exploit the WhisperPair flaw using devices like laptops or even a Raspberry Pi to pair with vulnerable accessories from various manufacturers, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi. The attack range extends up to 14 meters and can be executed within seconds without user interaction.

Successful exploitation grants attackers control over the audio device, enabling them to:

  • Play audio at high volumes
  • Eavesdrop on conversations through the device's microphone
  • Track the victim's location using Google's Find Hub network if the accessory hasn't been paired with an Android device.

Detection Challenges and User Confusion

One of the critical challenges of WhisperPair is its stealth. Victims might receive an "unwanted tracking" notification, but it will display their own hijacked accessory, potentially leading them to dismiss it as a bug. This misinterpretation allows attackers to maintain their covert connection for extended periods.

Vendor Responses and Patch Availability

Google awarded the researchers $15,000, the maximum possible bounty, and coordinated with manufacturers to release security patches. However, updates may not yet be available for all vulnerable devices.

Some vendors have confirmed patches for specific models:

  • Google: Pixel Buds Pro 2 (Patched)
  • Jabra: Elite 8 Active (Patched)
  • Logitech: Various (Patched)
  • JBL (Harman): Various (Patch "coming in weeks")

Sony and Marshall had no public comment at the time of reporting.

User Recommendations and Mitigation Strategies

The only defense against WhisperPair attacks is installing firmware updates from device manufacturers. Disabling Fast Pair on Android phones does not prevent the attack, as the feature cannot be disabled on the accessories themselves.

Users should:

  1. Immediately check for firmware updates via the companion app or support website for their specific device model.
  2. Apply available patches without delay.
  3. Remain aware of the potential risk for devices awaiting a fix.

Gopher Security's Zero-Trust Architecture

In light of vulnerabilities like WhisperPair, Gopher Security emphasizes the importance of a Zero-Trust cybersecurity architecture. Our AI-powered platform converges networking and security across devices, apps, and environments. By utilizing peer-to-peer encrypted tunnels and quantum-resistant cryptography, Gopher Security ensures robust protection against potential threats, mitigating risks associated with compromised devices and unauthorized access. Gopher Security offers a comprehensive solution that secures your digital infrastructure from endpoints to the cloud.

Take Action Now

Ensure your organization is protected against emerging threats. Explore Gopher Security's Zero-Trust solutions and contact us to learn how we can help you fortify your cybersecurity defenses.
