January 15, 2026 By Sergiu Gatlan

Security researchers have discovered a critical vulnerability in Google's Fast Pair protocol that can allow attackers to hijack Bluetooth audio accessories, track users, and eavesdrop on their conversations.
The flaw (tracked as CVE-2025-36911 and dubbed WhisperPair) affects hundreds of millions of wireless headphones, earbuds, and speakers from multiple manufacturers that support Google's Fast Pair feature. It affects users regardless of their smartphone operating system because the flaw lies in the accessories themselves, meaning that iPhone users with vulnerable Bluetooth devices are equally at risk.
The researchers with KU Leuven's Computer Security and Industrial Cryptography group who discovered the flaw explain that it stems from the improper implementation of the Fast Pair protocol in many flagship audio accessories.
Although the Fast Pair specification says that Bluetooth devices should ignore pairing requests when not in pairing mode, many vendors have not enforced this check in their products, allowing unauthorized devices to initiate pairing without the user's consent or knowledge.
"To start the Fast Pair procedure, a Seeker (a phone) sends a message to the Provider (an accessory) indicating that it wants to pair. The Fast Pair specification states that if the accessory is not in pairing mode, it should disregard such messages," the researchers said.