A new vulnerability is leaving millions of earbuds and headphones open to audio hijacking
Security researchers urge users to patch their devices to prevent silent tracking.
We all love how Google Fast Pair makes connecting new headphones feel like magic, but that same convenience has a dark side. A new report reveals a vulnerability that could let hackers track you or hijack your audio, meaning it’s time to check your earbuds for an update.
Researchers at KU Leuven in Belgium have uncovered a significant flaw in the way many Bluetooth accessories handle Google’s Fast Pair protocol. They’ve dubbed the collection of vulnerabilities "WhisperPair," and it affects a wide range of popular devices from big names like Sony, JBL, Marshall, Xiaomi, and Nothing.
Essentially, the "magic" that allows your phone to instantly recognize and pair with your earbuds can be exploited. Because the protocol is designed to be ultra-friendly and quick, it doesn't always demand the strict authentication it should. The researchers found that an attacker within Bluetooth range—about 50 feet—could silently pair with your device without you ever knowing.
The researchers tested 19 different devices that use the vulnerable chipset (mostly from Airoha Technology) and found issues with 17 of them. The brands specifically named as having vulnerable models include:
This situation really just highlights the classic tug-of-war between convenience and security. Fast Pair was Google’s answer to Apple’s seamless AirPods experience, and it has been a game-changer for the Android ecosystem. It turned a clunky, multi-step Bluetooth pairing process into a single tap. But as we are learning, that ease of access can leave a back door open if not carefully managed.
This isn't just about someone playing a prank by blasting music through your headphones. The privacy implications of being tracked or having your microphone hijacked are real, even if the attacker needs to be relatively close by. It affects hundreds of millions of devices, meaning there is a good chance you or someone you know owns a vulnerable pair.
The tricky part here is the "fix" process. Unlike your phone, which bugs you to install system updates, most people rarely open the companion app for their headphones. This means millions of users might stay vulnerable simply because they don't know an update is waiting for them.
I’ll be the first to admit: I almost never open the companion apps for my earbuds once I’ve set up the EQ. But this report is a solid wake-up call that our accessories are mini-computers that need maintenance too.
My advice? Don't panic, but do take action. If you have headphones from any of the aforementioned affected brands, download their official app and check for a firmware update immediately. It’s a five-minute process that ensures your private conversations stay private.
I still think Fast Pair is one of the best features on Android, and I wouldn't stop using it because of this. Every technology has growing pains, and the fact that researchers caught this—and patches are coming—is the system working as intended. Just remember: smart devices stay smart only if you keep them updated.
How the 'WhisperPair' exploit hijacks your headphones
Researchers at KU Leuven in Belgium have uncovered a significant flaw in the way many Bluetooth accessories handle Google’s Fast Pair protocol. They’ve dubbed the collection of vulnerabilities "WhisperPair," and it affects a wide range of popular devices from big names like Sony, JBL, Marshall, Xiaomi, and Nothing.
Once connected, they could potentially play audio through your speakers, record from your microphone, or even track your location. The root of the issue seems to stem from Bluetooth chips made by Airoha and others, which prioritize that snappy connection speed over security checks.
The good news is that fixes are already in the works. Chipmakers have issued updated software to manufacturers, and firmware updates are starting to roll out to patch the hole.
Affected Brands
- Sony
- JBL
- Marshall
- Xiaomi
- Nothing
- Libratone
- Razer
- OnePlus
- Realme
You can see a more comprehensive list and look up the model of your own earbuds/headphones here.
The risks: stalking, spying, and millions of affected devices
Video demonstrating how a Fast Pair device can be easily hijacked. | Video credit — COSIC (Computer Security and Industrial Cryptography)
This isn't just about someone playing a prank by blasting music through your headphones. The privacy implications of being tracked or having your microphone hijacked are real, even if the attacker needs to be relatively close by. It affects hundreds of millions of devices, meaning there is a good chance you or someone you know owns a vulnerable pair.
It's worth mentioning that Google has been working with the researchers to fix the issue since August, which has been logged as "critical".
We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting...we are constantly evaluating and enhancing Fast Pair and Find Hub security.
— Google spokesperson
Don't panic, but do update your firmware
I’ll be the first to admit: I almost never open the companion apps for my earbuds once I’ve set up the EQ. But this report is a solid wake-up call that our accessories are mini-computers that need maintenance too.
I still think Fast Pair is one of the best features on Android, and I wouldn't stop using it because of this. Every technology has growing pains, and the fact that researchers caught this—and patches are coming—is the system working as intended. Just remember: smart devices stay smart only if you keep them updated.
Follow us on Google News
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: