"As first reported by Wired, WhisperPair was uncovered by a team of researchers from Belgium's KU Leuven University, supported by the government's Cybersecurity Research Program. The findings relate to the improper implementation of Google's Fast Pair protocol, which enables one-tap pairing and account synchronization across Bluetooth accessories. If the protocol hasn't been implemented correctly, a security flaw is introduced that "allows an attacker to hijack devices and track victims using Google's Find Hub network," according to the researchers."
"The vulnerability research was reported to Google privately in August 2025 and was issued a critical rating under CVE-2025-36911. A 150-day disclosure window was agreed and a bug bounty of $15,000 was awarded. WhisperPair occurs because many audio accessories skip a "critical step" during Fast Pair pairing. This is how it works: a "seeker" -- such as a Bluetooth-enabled mobile device -- sends a message to the "provider," an audio accessory. The message includes a pairing request."
Researchers from KU Leuven and the government's Cybersecurity Research Program identified WhisperPair, vulnerabilities caused by improper implementations of Google's Fast Pair. The flaws can allow attackers to hijack and track audio accessories via Google's Find Hub network, take over devices, tamper with controls, and potentially listen to conversations. The issue stems from many accessories skipping a required verification step during Fast Pair, where a "seeker" device sends a pairing request to a "provider" accessory. The research was reported to Google in August 2025, received a critical CVE-2025-36911 rating, and was handled under a 150-day disclosure window with a $15,000 bug bounty. Many vendors released patches, but some devices remain vulnerable.
Read at ZDNET
Unable to calculate read time
Collection
[
|
...
]