
WhisperPair Attack Leaves Millions of Audio Accessories Open to Hijacking

The critical issue impacts Bluetooth audio accessories with improper Google Fast Pair implementations. The post WhisperPair Attack Leaves Millions of Audio Accessories Open to Hijacking appeared first on SecurityWeek.


A vulnerability in the Google Fast Pair implementation of Bluetooth audio accessories can be exploited to force connections to attacker-controlled devices, academic researchers warn.

The critical-severity issue is tracked as CVE-2025-36911 and exists due to a logic error in the key-based pairing code, where devices fail to check if they are in pairing mode.

Google Fast Pair enables fast pairing and account synchronization with Bluetooth accessories such as earbuds, headphones, and speakers, all with a single tap.

The Fast Pair specification states that the pairing procedure should only be performed if the accessory is in pairing mode, but models from numerous brands do not check the pairing status of the device.

These improper implementations of Fast Pair open the door to a series of attacks dubbed WhisperPair, which allow attackers to take control of vulnerable accessories, academic researchers at the Computer Security and Industrial Cryptography group of Belgium’s KU Leuven University explain.

“WhisperPair enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent,” the researchers say.

The security defect allows attackers within a range of up to 14 meters (~46 feet) to start the pairing process and “finish the Fast Pair procedure by establishing a regular Bluetooth pairing”, within seconds.

“This gives an attacker complete control over the accessory, allowing them to play audio at high volumes or record conversations using the microphone,” the academics note.

User tracking

According to the researchers, WhisperPair can also be used to track users, if their devices support Google’s Find Hub network and have never been paired with an Android device before.

When connecting to an accessory, the academics explain, Android devices write an Account Key to it that is used to establish ownership. Thus, if the victim has never connected the accessory to an Android device, the first party to complete pairing, in this case the attacker, is marked as its owner.

Attackers can therefore add vulnerable accessories to their own Google accounts and then use Find Hub to track the accessories, and with them their users.
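The two mechanisms described above, the missing pairing-mode check in the key-based pairing handler and the Account Key write that assigns ownership, can be shown side by side in a small state model. The following is an added, constructed example for this article, not the Google Fast Pair code, any vendor firmware or the KU Leuven researchers' implementation; it models only the decision logic, and the class, field and function names, the verdict values and the sample Bluetooth address are this example's own assumptions. Cryptographic details of the real procedure (the anti-spoofing key exchange and encrypted request) are deliberately omitted.

```python
"""Simplified model of the Fast Pair pairing-mode check (constructed example).

Not the Google Fast Pair implementation or the researchers' code. It models
only the logic error the article describes: an accessory that accepts
key-based pairing requests whether or not it is in pairing mode, which in
turn lets the first party to pair become the Account Key "owner".
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Verdict(Enum):
    ACCEPTED = auto()
    REJECTED_NOT_IN_PAIRING_MODE = auto()
    REJECTED_NOT_PAIRED = auto()


@dataclass
class Accessory:
    """Toy Fast Pair provider (earbuds, headphones). Names are this example's own."""
    pairing_mode: bool = False          # True only while the user has put it in pairing mode
    check_pairing_mode: bool = True     # False reproduces the flaw the article describes
    paired_with: set = field(default_factory=set)
    account_keys: list = field(default_factory=list)

    def handle_key_based_pairing(self, seeker_addr: str) -> Verdict:
        """Entry point of the pairing procedure.

        The Fast Pair specification says this should only proceed while the
        accessory is in pairing mode; the vulnerable firmware skipped the check.
        """
        if self.check_pairing_mode and not self.pairing_mode:
            return Verdict.REJECTED_NOT_IN_PAIRING_MODE
        # Accepting here leads to a regular Bluetooth bond with the seeker.
        self.paired_with.add(seeker_addr)
        return Verdict.ACCEPTED

    def write_account_key(self, seeker_addr: str, key: bytes) -> Verdict:
        """Account Key write: marks the writer's Google account as owner.

        Only a paired seeker may write, so whoever completed pairing first
        becomes the owner. That is the tracking scenario the article describes
        for accessories never paired with an Android device before.
        """
        if seeker_addr not in self.paired_with:
            return Verdict.REJECTED_NOT_PAIRED
        self.account_keys.append(key)
        return Verdict.ACCEPTED


def simulate(check_pairing_mode: bool, pairing_mode: bool = False) -> dict:
    """Run one unsolicited key-based pairing request against an accessory.

    check_pairing_mode=False models the vulnerable firmware; pairing_mode
    says whether the user actually put the accessory in pairing mode.
    """
    acc = Accessory(pairing_mode=pairing_mode, check_pairing_mode=check_pairing_mode)
    seeker = "AA:BB:CC:DD:EE:01"                       # constructed sample address
    sample_key = bytes(range(16))                      # constructed placeholder key
    pairing = acc.handle_key_based_pairing(seeker)
    key_write = acc.write_account_key(seeker, sample_key)
    return {"pairing": pairing, "key_write": key_write, "owner_keys": len(acc.account_keys)}


if __name__ == "__main__":
    print("vulnerable, idle accessory:", simulate(check_pairing_mode=False))
    print("patched, idle accessory:   ", simulate(check_pairing_mode=True))
    print("patched, in pairing mode:  ", simulate(check_pairing_mode=True, pairing_mode=True))
```

The patched variant differs by a single guard in `handle_key_based_pairing`, which is the kind of state check a firmware reviewer or certification test would want to exercise explicitly: send a pairing request to an idle accessory and confirm it is refused, rather than only testing the happy path with the accessory already in pairing mode.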

“The victim may see an unwanted tracking notification after several hours or days, but this notification will show their own device. This may lead users to dismiss the warning as a bug, enabling an attacker to keep tracking the victim for an extended period,” the researchers say.

Vulnerable devices and patches

The academics note that multiple device models from various vendors are impacted, although they passed “the manufacturers’ quality assurance tests and Google’s certification process”.

“Insecure implementations still reached the market at scale. This shows a chain of compliance failures in Google Fast Pair, as the vulnerability failed to be detected on all three levels: implementation, validation, and certification,” the researchers note.

Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi have vulnerable products on the market. In total, hundreds of millions of devices may be affected.

The researchers did not make the WhisperPair implementation publicly available, but notified Google of the bug in August 2025. The researchers received a $15,000 bug bounty reward for their findings.

This week, Google rolled out a fresh security update for Pixel devices to resolve the vulnerability.

According to the academic researchers, however, updating Android phones is not enough. Users also need to install the firmware patches that many manufacturers have already released for their accessories.

“Because Google Fast Pair cannot be disabled, the only way to prevent WhisperPair attacks is by performing a software update. Please consult your accessory’s manual for instructions on how to install a software update,” the researchers note.

Related: Critical Dolby Vulnerability Patched in Android

Related: Android Zero-Days Patched in December 2025 Security Update

Related: Android Update Patches Critical Remote Code Execution Flaw

Related: Pixnapping Attack Steals Data From Google, Samsung Android Phones
