Google’s Fast Pair protocol delivers one of the best Bluetooth experiences you’ll find today, automatically pairing wireless earbuds, speakers, and other accessories and sharing those details across your account. Unfortunately, a new paper reveals some pretty serious security concerns with some Fast Pair devices, and you’ll need to update each of your gadgets individually to fix them.
Researchers at Belgium’s KU Leuven University released their findings on a group of Fast Pair vulnerabilities they’re calling WhisperPair. These holes were initially reported to Google back in August of 2025, after which these issues were marked as critical and given a 150-day disclosure window in order to keep users as safe as possible. Although it doesn’t sound like most users are at risk of WhisperPair at the moment, it’s worth learning about how it works.
Through WhisperPair, attackers can use any Bluetooth-capable device — from a laptop to a Raspberry Pi — to target a vulnerable device, pairing remotely without ever having to physically interact with your phone, earbuds, or anything else. The security hole stems from accessories that skip a crucial part of the pairing process: detecting whether or not the product is actively in pairing mode. If this check isn’t included in the product’s software, hackers can remotely begin pairing with the product, and the only way anyone would know is through a potential “unwanted tracking” notification that, unfortunately, shows the user’s own device as the source.
The flaw stems from many accessories failing to enforce a critical step in the pairing process. To start the Fast Pair procedure, a Seeker (a phone) sends a message to the Provider (an accessory) indicating that it wants to pair. The Fast Pair specification states that if the accessory is not in pairing mode, it should disregard such messages. However, many devices fail to enforce this check in practice, allowing unauthorised devices to start the pairing process. After receiving a reply from the vulnerable device, an attacker can finish the Fast Pair procedure by establishing a regular Bluetooth pairing.
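The missing check can be modelled on the accessory side. The following C sketch is an added illustration, not code from the Fast Pair specification or from any vendor's firmware; every name in it is hypothetical, and the timed pairing window is an assumption made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAIRING_WINDOW_MS 180000u /* assumed: pairing mode lapses 3 min after user action */

typedef enum { REQ_IGNORED, REQ_ACCEPTED } req_result_t;

typedef struct {
    bool     pairing_mode;       /* set only by a physical user action (button, case open) */
    uint32_t pairing_started_ms; /* timestamp of that action */
    uint32_t ignored_requests;   /* count of dropped requests, usable for diagnostics */
} provider_t;

void provider_enter_pairing_mode(provider_t *p, uint32_t now_ms) {
    p->pairing_mode = true;
    p->pairing_started_ms = now_ms;
}

/* Pairing mode is a time-limited state, so it is re-evaluated on every request. */
static bool provider_in_pairing_mode(provider_t *p, uint32_t now_ms) {
    if (p->pairing_mode && (now_ms - p->pairing_started_ms) >= PAIRING_WINDOW_MS)
        p->pairing_mode = false; /* window expired */
    return p->pairing_mode;
}

/* Behaviour described as the flaw: the Provider never consults its own state. */
req_result_t handle_pair_request_unchecked(provider_t *p, uint32_t now_ms) {
    (void)p; (void)now_ms;
    return REQ_ACCEPTED;
}

/* Behaviour the specification calls for: outside pairing mode the message is
   disregarded and no reply is produced. */
req_result_t handle_pair_request_checked(provider_t *p, uint32_t now_ms) {
    if (!provider_in_pairing_mode(p, now_ms)) {
        p->ignored_requests++;
        return REQ_IGNORED;
    }
    return REQ_ACCEPTED;
}

int main(void) {
    provider_t p = {0}; /* constructed scenario: accessory idle, user did nothing */
    printf("unchecked, idle: %d\n", handle_pair_request_unchecked(&p, 1000));
    printf("checked, idle:   %d\n", handle_pair_request_checked(&p, 1000));
    provider_enter_pairing_mode(&p, 2000);
    printf("checked, paired: %d\n", handle_pair_request_checked(&p, 3000));
    return 0;
}
```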
Not every Fast Pair accessory is capable of being hijacked through these methods, but the ones that are vulnerable give a potential hacker a lot of leverage to work with. Location tracking via Find Hub, audio playback disruption, and phone call and ambient recording are just some of the threats afflicted devices are facing here. These risks even extend beyond Android to iOS, because it’s the Fast Pair-enabled accessory that’s targeted, and not your specific phone.
Some of the products currently listed on WhisperPair’s list of affected devices include Sony’s WH-1000XM6 headphones (as well as their two predecessors, the XM5s and XM4s, and Sony’s earbud counterparts), Nothing’s Ear (a), the OnePlus Nord Buds 3 Pro, and Google’s own Pixel Buds Pro 2.
WhisperPair’s official website — as well as an in-depth report from Wired — dives much deeper into how all of this works, and I definitely suggest checking out both if you’re concerned about your own Fast Pair-compatible accessories. In the meantime, these researchers suggest keeping your Fast Pair-supported gadgets up to date with any patches, since there’s no actual way for end users to disable this functionality themselves.