Bluetooth vulnerability allows stalkers to hijack your headphones in seconds

A vulnerability in Google Fast Pair makes hundreds of millions of Bluetooth earbuds and headphones easy prey for hackers, researchers at KU Leuven have discovered.

Do you use wireless headphones or earbuds to make calls and listen to music on the go? Headphones are meant to isolate you from the outside world, but someone may already have been listening in. Computer scientists from KU Leuven have exposed a critical vulnerability in a widely used Bluetooth protocol from Google.

The vulnerability is specifically in Fast Pair. This feature, which is built into Android and ChromeOS, allows you to connect your wireless devices to your smartphone with a simple tap. Google introduced the feature to reduce the hassle of Bluetooth connections, but that ease of use comes with risks.

Listening in

Researchers at COSIC, the Department of Computer Security and Cryptography at KU Leuven, discovered that Fast Pair can be abused to listen in on wireless headphones. The vulnerability is named WhisperPair, officially CVE-2025-36911, and affects millions of earbuds and headphones from popular manufacturers. Approximately two out of three headphones tested were found to be susceptible, including devices that have gone through Google’s certification process.

The Fast Pair feature makes it possible to connect your headphones to your smartphone with a simple tap, without having to open the Bluetooth menu. This is normally only possible for trusted devices. An attacker within Bluetooth range can nevertheless easily connect their own device through the feature, without you noticing anything.

This is because headphone manufacturers do not apply the protocol properly and approve the connection request without checking whether you have pressed the button, Professor Bart Preneel explains in De Morgen. In just a few seconds, the hacker takes control of your headphones.

From then on, an attacker can, among other things, record telephone conversations or even stalk you via Google’s Find My network. The vulnerability has been reported to Google and a patch should now be available for most devices. Check your headphones for updates and install them as soon as possible.