Google Fast Pair WhisperPair flaws allow Bluetooth device hijacking

Google designed Fast Pair to make Bluetooth connections fast and effortless. One tap replaces menus, codes and manual pairing. That convenience now brings serious risks. Security researchers at KU Leuven have uncovered flaws in Google’s Fast Pair protocol that allow devices to be compromised silently. They named the attack method WhisperPair. A nearby attacker can connect to headphones, earbuds, or speakers without the owner’s knowledge. In some cases, the attacker can also track the user’s location. Even more worrying is that victims do not need to use Android or own any Google products. iPhone users are also affected.
Fast Pair speeds up connecting Bluetooth headsets, but researchers found that some devices accepted new pairings without proper authorization. (Kurt “CyberGuy” Knutsson)
What is WhisperPair and how does it hijack Bluetooth devices?
Fast Pair works by broadcasting a device’s ID to nearby phones and computers. This shortcut speeds up pairing. Researchers found that many devices ignore a basic rule: they continue to accept new pairings while already connected. This opens the door to abuse.
An attacker can silently pair with a device within Bluetooth range in about 10 to 15 seconds. Once connected, they can interrupt calls, transfer audio, or activate microphones. The attack requires no special hardware and can be performed using a standard phone, laptop or low-cost device such as a Raspberry Pi. According to researchers, the attacker actually becomes the owner of the device.
Audio brands affected by Fast Pair vulnerability
Researchers tested 17 Fast Pair-compatible devices from major brands, including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google. Most of these products had passed Google's certification testing. This detail raises troubling questions about how security checks are performed.
How can headphones become tracking devices?
Some affected models pose an even bigger privacy issue. Select Google and Sony devices integrate with Find Hub, which uses nearby devices to estimate location. If the headset has never been linked to a Google account, the attacker can claim it first. This allows continuous monitoring of the user’s movements. If the victim later receives a tracking alert, it may appear to reference their own device. This makes it easy to dismiss the warning as an error.

Dashboard showing the attacker’s location in the Find Hub network. (KU Leuven)
Why might many Fast Pair devices be vulnerable?
There is another problem that most users never consider. Headphones and speakers require firmware updates. These updates often come via brand-specific apps that most people never install. If you never download the app, you’ll never see the update. This means vulnerable devices could remain exposed for months or even years.
The only way to fix this vulnerability is to install a software update released by the device manufacturer. While many companies have released patches, updates may not yet be available for every affected model. Users should check directly with the manufacturer to verify whether a security update is available for their device.
Why does convenience continue to create vulnerabilities?
The problem isn’t Bluetooth itself. The flaw lives in the convenience layer built on top of it. Fast Pair prioritized speed over strict ownership enforcement. The researchers argue that pairing should require cryptographic proof of ownership. Without this, convenience features become attack surfaces. Security and ease of use don’t have to conflict with each other, but they need to be designed together.
Google responds to Fast Pair WhisperPair security flaws
Google said it was working with researchers to fix the WhisperPair vulnerabilities and began sending recommended patches to headphone manufacturers in early September. Google also confirmed that its own Pixel headphones have now been patched.
In a statement to CyberGuy, a Google spokesperson said: “We appreciate collaborating with security researchers through our Vulnerability Bounty Program, which helps keep our users safe. We have worked with these researchers to fix these vulnerabilities and have seen no evidence of exploitation outside of the lab environment of this report. As a security best practice, we recommend users check their headsets for the latest firmware updates. We are constantly evaluating and improving Fast Pair and Find Hub security.”
Google says the underlying issue stems from some accessory manufacturers not following the Fast Pair specification exactly. This specification requires accessories to accept pairing requests only when the user intentionally puts the device into pairing mode. According to Google, failure to enforce this rule contributed to the audio and microphone risks researchers identified.
To reduce risk going forward, Google says it has updated its Fast Pair Validator and certification requirements to explicitly test whether devices properly implement pairing mode controls. Google also says it is providing fixes to accessory partners that aim to completely resolve all related issues once implemented.
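The pairing-mode rule described above, as an added example (not code from Google, the researchers or any vendor): a simplified C model of an accessory with the flawed handler beside a compliant one, plus the kind of check a certification test could run against either. All names, the tick-based timeout and the one-pairing-per-window policy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified accessory model; every name here is hypothetical. */
typedef struct {
    bool     pairing_mode;        /* set only by a deliberate user action */
    uint32_t pairing_mode_until;  /* tick at which pairing mode expires */
    bool     connected;           /* an owner is currently connected */
} accessory_t;

enum { PAIRING_WINDOW_TICKS = 120 };  /* assumed timeout, constructed value */

/* The user presses the pairing button (constructed event). */
void user_enter_pairing_mode(accessory_t *a, uint32_t now) {
    a->pairing_mode = true;
    a->pairing_mode_until = now + PAIRING_WINDOW_TICKS;
}

/* Flawed behaviour the article describes: requests are accepted
 * regardless of pairing mode or an existing connection. */
bool handle_request_flawed(accessory_t *a, uint32_t now) {
    (void)now;
    a->connected = true;
    return true;
}

/* Compliant behaviour: accept only inside a user-initiated window. */
bool handle_request_compliant(accessory_t *a, uint32_t now) {
    if (!a->pairing_mode || now >= a->pairing_mode_until) {
        a->pairing_mode = false;  /* expire a stale window */
        return false;             /* the user did not ask to pair */
    }
    a->pairing_mode = false;      /* assumption: one pairing per window */
    a->connected = true;
    return true;
}

/* Certification-style check: the handler must refuse a request that
 * arrives while connected and outside pairing mode, and must still
 * allow a pairing the user actually initiated. */
typedef bool (*handler_fn)(accessory_t *, uint32_t);

bool passes_pairing_mode_check(handler_fn h) {
    accessory_t a = { .pairing_mode = false, .pairing_mode_until = 0,
                      .connected = true };
    if (h(&a, 10)) return false;        /* unsolicited request accepted */
    user_enter_pairing_mode(&a, 20);
    if (!h(&a, 30)) return false;       /* legitimate pairing refused */
    return !h(&a, 40) && !h(&a, 500);   /* window consumed, then expired */
}
```
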
On the location tracking side, Google says it’s rolling out a server-side fix that prevents accessories that haven’t been previously paired with an Android device from silently registering to the Find Hub network. According to the company, this change addresses the risk of Find Hub tracking in that specific scenario on all devices, including Google’s own accessories.
But researchers have raised questions about how quickly patches reach users and how much visibility Google has into real-world abuse that doesn’t involve Google hardware. They also argue that weaknesses in certification allow faulty practices to reach the market at scale, pointing to broader systemic problems.
For now, both Google and researchers agree on one important point. Users must install manufacturer firmware updates to be protected, and availability may vary by device and brand.

Unwanted tracking notification showing the victim’s own device. (KU Leuven)
How can you reduce your risk right now?
You can’t completely disable Fast Pair, but you can reduce your exposure.
1) Check if your device is affected
If you use a Bluetooth accessory that supports Google Fast Pair, including wireless headphones, earbuds, or speakers, you may be affected. Researchers have created a public search tool that lets you look up your specific device model and see if it is vulnerable. Checking your device is a simple first step before deciding what actions to take. Visit whistlepair.eu/vulnerable-devices to see if your device is listed.
2) Update your audio devices
Install the official app from the manufacturer of your headphone or speaker. Check for firmware updates and apply them immediately.
3) Avoid pairing in public places
Pair new devices in private spaces. Avoid pairing in airports, coffee shops or gyms where strangers are nearby.
4) If something goes wrong, factory reset
Unexpected audio interruptions, strange noises, or dropped connections are warning signs. A factory reset may remove unauthorized pairings but does not fix the underlying vulnerability. A firmware update is still required.
5) Turn off Bluetooth when not needed
Bluetooth should only be on during active use. Turning off Bluetooth when not in use limits exposure but does not eliminate the underlying risk if the device remains unpatched.
6) Reset second-hand devices
Always perform a factory reset before pairing used headphones or speakers. This removes hidden links and account associations.
7) Take tracking warnings seriously
Look for Find Hub or Apple tracking alerts, even if they appear to reference your own device.
8) Keep your phone updated
Install operating system updates immediately. Platform patches can block exploits even when accessories lag behind.
Kurt’s important takeaways
WhisperPair shows how small shortcuts can lead to big privacy mistakes. The headphones feel harmless. However, they contain microphones, radios and software that require maintenance and updates. Ignoring these leaves a blind spot that attackers will be happy to exploit. Staying safe now means paying attention to devices you once took for granted.
Should companies be allowed to prioritize fast pairing over cryptographic proof of device ownership? Let us know by writing to us at cyberguy.com.
Copyright 2026 CyberGuy.com. All rights reserved.




