WhisperPair Vulnerability in Google's Fast Pair Protocol
Summary
A critical flaw (CVE-2025-36911, WhisperPair) in Google's Fast Pair protocol allows attackers to hijack Bluetooth audio devices, track users, and eavesdrop on conversations. The vulnerability affects hundreds of millions of devices from multiple manufacturers, regardless of the user's smartphone operating system. The flaw stems from improper implementation of the Fast Pair protocol in audio accessories, enabling unauthorized pairing and control. Attackers can exploit this using any Bluetooth-capable device within 14 meters. Google awarded a $15,000 bounty and worked with manufacturers to release patches, but updates may not be available for all devices.
Timeline
- 15.01.2026 18:13 · 1 article
WhisperPair Vulnerability in Google's Fast Pair Protocol Disclosed
Security researchers discovered a critical flaw (CVE-2025-36911, WhisperPair) in Google's Fast Pair protocol that allows attackers to hijack Bluetooth audio devices, track users, and eavesdrop on conversations. The vulnerability affects hundreds of millions of devices from multiple manufacturers. Google awarded a $15,000 bounty and worked with manufacturers to release patches during a 150-day disclosure window. However, updates may not be available for all devices.
Source: Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices — www.bleepingcomputer.com — 15.01.2026 18:13
Information Snippets
- The WhisperPair vulnerability affects Bluetooth audio devices supporting Google's Fast Pair feature, including headphones, earbuds, and speakers.
  First reported: 15.01.2026 18:13 · 1 source, 1 article
  Source: Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices — www.bleepingcomputer.com — 15.01.2026 18:13
- The flaw allows attackers to forcibly pair with vulnerable devices and gain control, enabling eavesdropping and audio playback.
  First reported: 15.01.2026 18:13 · 1 source, 1 article
  Source: Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices — www.bleepingcomputer.com — 15.01.2026 18:13
- Attackers can track victims' locations using Google's Find Hub network if the device has never been paired with an Android device.
  First reported: 15.01.2026 18:13 · 1 source, 1 article
  Source: Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices — www.bleepingcomputer.com — 15.01.2026 18:13
- The vulnerability affects users regardless of their smartphone operating system, including iPhone users.
  First reported: 15.01.2026 18:13 · 1 source, 1 article
  Source: Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices — www.bleepingcomputer.com — 15.01.2026 18:13
- Google awarded a $15,000 bounty and worked with manufacturers to release patches during a 150-day disclosure window.
  First reported: 15.01.2026 18:13 · 1 source, 1 article
  Source: Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices — www.bleepingcomputer.com — 15.01.2026 18:13
- Disabling Fast Pair on Android phones does not prevent the attack, as the feature cannot be disabled on the accessories themselves.
  First reported: 15.01.2026 18:13 · 1 source, 1 article
  Source: Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices — www.bleepingcomputer.com — 15.01.2026 18:13