
WhisperPair Vulnerability in Google's Fast Pair Protocol

1 unique source, 2 articles

Summary

A critical flaw (CVE-2025-36911, WhisperPair) in Google's Fast Pair protocol allows attackers to hijack Bluetooth audio devices, track users, and eavesdrop on conversations. The vulnerability affects hundreds of millions of devices from multiple manufacturers, regardless of the user's smartphone operating system. The flaw stems from improper implementation of the Fast Pair protocol in audio accessories, enabling unauthorized pairing and control. Attackers can exploit this using any Bluetooth-capable device within 14 meters. After pairing, they gain complete control over the audio device, enabling them to blast audio at high volumes or eavesdrop on users' conversations through the device's microphone. Google awarded a $15,000 bounty and worked with manufacturers to release patches, but updates may not be available for all devices. The only defense against attackers hijacking vulnerable Fast Pair-enabled Bluetooth accessories is installing firmware updates from device manufacturers.

Timeline

  1. 15.01.2026 18:13 2 articles · 23h ago

    WhisperPair Vulnerability in Google's Fast Pair Protocol Disclosed

    Security researchers discovered a critical flaw (CVE-2025-36911, WhisperPair) in Google's Fast Pair protocol that allows attackers to hijack Bluetooth audio devices, track users, and eavesdrop on conversations. The vulnerability affects hundreds of millions of devices from multiple manufacturers. The flaw stems from the improper implementation of the Fast Pair protocol in many flagship audio accessories, allowing unauthorized devices to initiate pairing without user consent. Attackers can exploit this using any Bluetooth-capable device within 14 meters. After pairing, they gain complete control over the audio device, enabling them to blast audio at high volumes or eavesdrop on users' conversations through the device's microphone. Google awarded a $15,000 bounty and worked with manufacturers to release patches during a 150-day disclosure window. However, updates may not be available for all devices. The only defense against attackers hijacking vulnerable Fast Pair-enabled Bluetooth accessories is installing firmware updates from device manufacturers.

Similar Happenings

Bring Your Own Car (BYOC) Attack Demonstrated

Researchers demonstrated a proof-of-concept (PoC) attack chain that started in a parked car and ended in corporate Linux servers and ESXi hypervisors. The attack exploited the connection between a driver's phone and the car's Bluetooth system, using it as an initial access vector into the corporate network. The attack was demonstrated at BSides NYC on October 18, 2025, by Threatlight CTO Tim Shipp. The attack required only a few cheap gadgets and exploited a brief window when the driver connected their phone to the car's head unit. The attacker used a Flipper Zero hacking multitool to spoof the car's Bluetooth signal and establish a connection to the phone. From there, the attacker gained access to the corporate network when the phone connected to it. The attack highlights the risks associated with bring-your-own-device (BYOD) policies and the need for comprehensive security measures that cover all potential entry points.

Unpatched Apple CarPlay RCE Exploit in Most Vehicles

A zero-click remote code execution (RCE) vulnerability in Apple CarPlay (CVE-2025-24132) remains unpatched in most vehicles nearly half a year after the patch was released. The vulnerability allows attackers to gain control over CarPlay with minimal user interaction. The issue affects vehicles that use CarPlay and have not applied the patch released in April 2025. The vulnerability can be exploited via USB, Wi-Fi, or Bluetooth connections. Attackers can gain access to CarPlay by exploiting weak or default passwords and using Bluetooth pairing methods that lack proper security measures. The exploit leverages the iAP2 protocol, which authenticates only in one direction, allowing attackers to masquerade as legitimate devices. The impact of the vulnerability includes potential spying on drivers, eavesdropping on conversations, and distracting drivers while on the road. The automotive industry's slow update cycles and lack of standardization contribute to the delay in patching this vulnerability.

Sni5Gect Attack Framework Enables 5G Downgrade and Modem Crashes

A team of academics from the Singapore University of Technology and Design (SUTD) has developed a new attack framework, Sni5Gect, that can downgrade 5G connections to 4G and crash phone modems. The attack leverages unencrypted messages exchanged during the initial connection process, bypassing the need for a rogue base station. The framework has been tested successfully against multiple smartphone models, demonstrating high accuracy in sniffing and injecting malicious payloads. The Global System for Mobile Communications Association (GSMA) has acknowledged the attack and assigned it the identifier CVD-2024-0096. The Sni5Gect toolkit enables passive sniffing and stateful injection, providing a new vector for 5G security research and exploitation.