Researchers at KU Leuven have discovered a serious vulnerability in Google Fast Pair, a service that is widely used to quickly pair Bluetooth accessories. “By prioritizing ease of use, the industry has neglected the digital lock on the front door.”
Bluetooth earphones and headphones are designed to be effortless: open, tap and listen. It is precisely this ease of use that now appears to be a weak spot. And it has been for a while: Fast Pair was introduced by Google in 2017 to make pairing Bluetooth devices easier, with automatic syncing to a Google account.
But according to the research by COSIC, the security group of KU Leuven, that design undermines fundamental security principles of Bluetooth. Many Fast Pair-certified accessories allow an attacker to establish a connection without the device explicitly being in pairing mode or the user consenting.
The researchers bundled their attacks under the name WhisperPair. These can be carried out within seconds and with standard hardware, at distances of up to about 14 meters.
Stalking
What does that mean in practice? The researchers demonstrate this with a number of scenarios. In the first scenario, an attacker can take over the connection with the headphones of a nearby train passenger. Audio can be interrupted or replaced, and the microphone can be activated silently to pick up ambient noise or conversations.
A second, more serious scenario revolves around stalking. Certain Fast Pair devices support Google’s Find Hub network. If such an accessory has never been linked to an Android device before, an attacker can register as the ‘owner’ and track the device – and therefore the user – for days. Warnings against unwanted tracking often only appear after 48 hours and are not very alarming to victims.
Two out of three devices vulnerable
The privacy issues don’t occur with all devices, but they do with most. COSIC tested 25 devices from 16 manufacturers, including JBL and Sony.
For 68 percent of them, the researchers succeeded in taking over the connection and abusing the microphone. “This is not a vulnerability in a cheap device, but a structural flaw in the entire Fast Pair ecosystem,” the researchers say.
Lack of cryptographic protection
The vulnerability is the result of an over-reliance on software-level checks rather than cryptographic protection. “The Fast Pair specification expects the device’s firmware to check whether the pairing mode is enabled,” the researchers said. “However, this verification is often implemented incorrectly by manufacturers of Bluetooth accessories.”
As a solution, the researchers propose IntentPair, a modification in which only a physical action by the user (such as pressing a button) can cryptographically confirm that pairing is allowed.
Risk for hundreds of millions of users
Google has now classified the vulnerability (with reference CVE-2025-36911) as critical and is working with manufacturers on updates, which will be rolled out from January 2026. For users, the advice remains simple but essential for the time being: install firmware updates for Bluetooth accessories as soon as they are available.
Still, COSIC is quite harsh in its judgment. “An additional service designed to make it easier to pair Bluetooth accessories has introduced large-scale security and privacy risks for hundreds of millions of users,” they state. “By prioritizing ease of use, the industry has neglected the digital lock on the front door. Because security is only robust if it is linked to cryptographic protection.”