Several Bluetooth audio devices from companies like Sony, Anker, and Nothing are susceptible to a new flaw that can allow attackers to listen in on conversations or track devices that use Google’s Find Hub network, as reported by Wired.
Researchers from KU Leuven University’s Computer Security and Industrial Cryptography group in Belgium discovered several vulnerabilities in Google’s Fast Pair protocol that can allow a hacker within Bluetooth range to secretly pair with some headphones, earbuds, and speakers. The attacks, which the researchers have collectively dubbed WhisperPair, can even be used on iPhone users with affected Bluetooth devices despite Fast Pair being a Google-specific feature.
Fast Pair streamlines Bluetooth pairing and lets wireless audio accessories connect to Android or Chrome OS devices by simply tapping them together. But the researchers found that many devices don’t implement Fast Pair correctly, including a Google specification that says Fast Pair devices shouldn’t be able to connect to a new device while already paired to another.
The researchers tested their WhisperPair attacks on over two dozen Bluetooth devices and were successful in hacking 17 of them. They were able to play their own audio through the compromised headphones and speakers at any volume, intercept phone calls, and even eavesdrop on conversations using the devices’ microphones.
A more serious issue was found to affect five Sony products and Google’s Pixel Buds Pro 2. If the devices weren’t previously connected to an Android device and linked to a Google account (which isn’t required when using them with iPhones), WhisperPair could be used to pair and link them to a hacker’s Google account that would be recognized as the device’s owner. That would allow a hacker to use Google’s Find Hub network to track the user’s location and movements through their headphones, assuming smartphone notifications warning that a device was tracking them were dismissed as errors.
The researchers reported their findings to Google in August 2025. The company then recommended fixes to its “accessory OEM partners” in September and updated its certification requirements to mitigate similar issues going forward. “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting,” Google spokesperson Ed Fernandez says in a written statement to The Verge.
The recommended fixes resolve all the Fast Pair issues once a software update has been installed, but Google implemented an additional Find Hub network update to prevent WhisperPair from being used to track certain Bluetooth devices that haven’t been patched. The researchers told Wired it only took them a few hours to bypass that patch and continue their tracking. According to Fernandez, the researchers used “old/not updated accessory OEM firmware in order to execute their workaround,” and Google is “looking into the bypass for this additional fix,” which was only submitted earlier this week.
The Fast Pair feature can’t be disabled, so the only way to protect against WhisperPair attacks is for users to install firmware updates released by manufacturers that resolve the vulnerabilities. The Verge reached out to all the manufacturers with affected hardware to confirm the progress of fixes. Spenser Blank, the head of marketing & communications for OnePlus North America, told The Verge in a written statement that the company “takes all security reports seriously” and that it’s “currently investigating this matter and will take appropriate action to protect our users’ security and privacy.”
We will update this story as other companies respond.
