Endpoint Security, Internet of Things Security
‘WhisperPair’ Vulnerability Poised to Persist for Years

A recently disclosed vulnerability, known as “WhisperPair,” poses significant risks by allowing attackers to exploit flaws within Google’s Fast Pair technology, utilized in Bluetooth audio accessories. The vulnerability enables malicious actors to gain unauthorized access to devices such as headphones and earbuds, thus facilitating secret recording of conversations, location tracking, and manipulation of audio output.
Researchers at KU Leuven in Belgium disclosed the flaw, tracked as CVE-2025-36911. The issue stems from how several manufacturers implement Fast Pair: their accessories often accept a pairing request even when the user has not put them into pairing mode. According to the researchers, an attack can succeed in as little as ten seconds, at ranges exceeding 14 meters, without physical access to the targeted device.
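The root cause the article describes is a missing state check: the accessory answers a pairing request regardless of whether the user opened a pairing window. The following Python model, added here as an illustration and not taken from the researchers, Google, or any vendor firmware, contrasts an accessory that pairs whenever it is reachable with one that only pairs inside an explicitly opened, time-limited window. The handshake, peer names, and 60-second window are constructed for the example; the real Fast Pair message flow is not modelled.

```python
"""Pairing-mode gate: lenient versus gated accessory (constructed model)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class State(Enum):
    IDLE = auto()     # powered on; not advertising that it accepts new peers
    PAIRING = auto()  # user pressed the pairing button; window is open


@dataclass
class PairRequest:
    requester: str  # constructed peer label, used only for the audit log


@dataclass
class Accessory:
    state: State = State.IDLE
    pairing_window_s: float = 60.0        # assumption: window length chosen for the example
    window_opened_at: Optional[float] = None
    paired_peers: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def press_pairing_button(self, now: float) -> None:
        """User action: open the pairing window at time `now` (seconds)."""
        self.state = State.PAIRING
        self.window_opened_at = now
        self.log.append(f"{now:.0f}s pairing window opened")

    def _expire_window(self, now: float) -> None:
        """Close the window once it has been open longer than pairing_window_s."""
        if self.state is State.PAIRING and now - self.window_opened_at >= self.pairing_window_s:
            self.state = State.IDLE
            self.window_opened_at = None
            self.log.append(f"{now:.0f}s pairing window expired")


class LenientAccessory(Accessory):
    """Flawed behaviour: accepts any pairing request, in any state."""

    def handle_pair_request(self, req: PairRequest, now: float) -> bool:
        self.paired_peers.append(req.requester)
        self.log.append(f"{now:.0f}s paired with {req.requester} while {self.state.name}")
        return True


class GatedAccessory(Accessory):
    """Hardened behaviour: pairs only inside the window, then closes it."""

    def handle_pair_request(self, req: PairRequest, now: float) -> bool:
        self._expire_window(now)
        if self.state is not State.PAIRING:
            self.log.append(f"{now:.0f}s rejected {req.requester}: not in pairing mode")
            return False
        self.paired_peers.append(req.requester)
        self.state = State.IDLE            # one successful pairing consumes the window
        self.window_opened_at = None
        self.log.append(f"{now:.0f}s paired with {req.requester}; window closed")
        return True


def run_scenario(accessory_cls):
    """Replay the same three requests against an accessory class and report outcomes."""
    acc = accessory_cls()
    unsolicited = PairRequest("unknown-peer")  # constructed: nobody pressed the button
    owner = PairRequest("owner-phone")          # constructed: the legitimate user
    results = {}
    # 1. Request arrives while idle: the lenient model pairs, the gated one refuses.
    results["unsolicited_while_idle"] = acc.handle_pair_request(unsolicited, now=0.0)
    # 2. User opens the window; the owner's phone pairs within it.
    acc.press_pairing_button(now=10.0)
    results["owner_in_window"] = acc.handle_pair_request(owner, now=15.0)
    # 3. Window opened again but left unused; a request arrives after it expired.
    acc.press_pairing_button(now=100.0)
    results["unsolicited_after_timeout"] = acc.handle_pair_request(unsolicited, now=170.0)
    return results, acc


if __name__ == "__main__":
    for cls in (LenientAccessory, GatedAccessory):
        results, acc = run_scenario(cls)
        print(cls.__name__, results)
        for line in acc.log:
            print("   ", line)
```

Running the script prints the two audit logs side by side: the lenient accessory ends up paired with the unknown peer twice, the gated one only with the owner's phone. The gate itself is a few lines, which is the point: the protection lives in firmware state handling, which is why an operating-system update on the phone does not remove the exposure and a manufacturer firmware fix is required.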
The vulnerability affects a range of audio accessories produced by well-known brands, including Sony, Jabra, Soundcore, Logitech, and Google itself. Notably, software updates to a device’s operating system, including those on iOS, do not inherently mitigate the risks posed by WhisperPair, making manufacturer-issued patches essential for protection.
Upon successful pairing with an attacker’s device, an assailant can alter sound settings or activate the microphone of the victim’s headphones. KU Leuven researcher Sayon Duttagupta noted the risks associated with this vulnerability, emphasizing that an attacker could eavesdrop on conversations or introduce audio distractions in mere moments. Furthermore, accessories compatible with Google’s Find Hub geolocation feature could be co-opted as tracking devices, leading to subtle and prolonged surveillance.
While Google maintains it has yet to observe any active exploitation of WhisperPair in real-world scenarios, researchers express concerns regarding potential limitations in the current safeguards, suggesting that fixes can be circumvented. The communication timeline with Google indicated initial outreach occurred in August 2025, and a 150-day disclosure period followed. With firmware updates rarely applied to audio accessories, the WhisperPair vulnerability is anticipated to remain a concern for years to come.
In light of these findings, business owners should remain vigilant. The incident underscores the importance of understanding the tactics and techniques malicious actors could employ. Relevant adversarial tactics in the MITRE ATT&CK framework include initial access through unauthorized device pairing and persistence as attackers maintain long-term access to compromised devices. Prompt adoption of cybersecurity measures, including applying manufacturer firmware updates to affected accessories, is essential to mitigating such vulnerabilities.