A newly identified security vulnerability in Google’s Fast Pair technology threatens over a dozen popular audio devices, potentially allowing hackers to listen in on conversations, play unauthorized audio, or track users’ locations. This flaw, referred to as WhisperPair by researchers at KU Leuven University in Belgium, impacts at least 17 audio devices from 10 brands, including notable names such as Sony, JBL, Jabra, and Google itself.
The security issue arises from a failure in how certain products check their pairing status, enabling attackers within Bluetooth range—approximately 10–14 metres—to establish a connection in as little as 10–15 seconds. Once linked, a hacker could potentially interrupt ongoing audio, inject their own sounds, or activate the device’s microphone to eavesdrop on nearby conversations. In some instances, the attacker could also track the device’s location using Google’s Find Hub network.
While Google has patched its own Pixel Buds, many third-party products remain vulnerable until manufacturers release necessary firmware updates. The company was informed of the vulnerability in August 2023 and provided partners with recommended fixes in September 2023. Despite these measures, researchers have indicated they discovered workarounds for at least one of Google’s patches shortly after its release.
The remaining challenge is getting users to apply the updates. Many people neglect to install the companion applications needed to update their headphones’ firmware, which could leave numerous devices unprotected indefinitely. Security experts strongly advise users to install any available firmware updates from their device manufacturers, keep the official app installed, and perform a factory reset if they have concerns about security.
Google asserts it has not observed any instances of this vulnerability being exploited outside of laboratory conditions. The company has also enhanced its certification tools and protections within the Find Hub network. Nonetheless, the combination of this vulnerability and the slow uptake of updates raises significant concerns about user safety in an increasingly connected world.