A newly discovered vulnerability named WhisperPair can turn Bluetooth headphones and headsets from many well-known brands into personal tracking beacons โ regardless of whether the accessories are currently connected to an iPhone, Android smartphone, or even a laptop. Even though the technology behind this flaw was originally developed by Google for Android devices, the tracking risks are actually much higher for those using vulnerable headsets with other operating systems โ like iOS, macOS, Windows, or Linux. For iPhone owners, this is especially concerning.
Connecting Bluetooth headphones to Android smartphones became a whole lot faster when Google rolled out Fast Pair, a technology now used by dozens of accessory manufacturers. To pair a new headset, you just turn it on and hold it near your phone. If your device is relatively modern (produced after 2019), a pop-up appears inviting you to connect and download the accompanying app, if it exists. One tap, and youโre good to go.
Unfortunately, it seems quite a few manufacturers didnโt pay attention to the particulars of this tech when implementing it, and now their accessories can be hijacked by a strangerโs smartphone in seconds โ even if the headset isnโt actually in pairing mode. This is the core of the WhisperPair vulnerability, recently discovered by researchers at KU Leuven and recorded as CVE-2025-36911.
The attacking device โ which can be a standard smartphone, tablet or laptop โ broadcasts Google Fast Pair requests to any Bluetooth devices within a 14-meter radius. As it turns out, a long list of headphones from Sony, JBL, Redmi, Anker, Marshall, Jabra, OnePlus, and even Google itself (the Pixel Buds 2) will respond to these pings even when they arenโt looking to pair. On average, the attack takes just 10 seconds.
Once the headphones are paired, the attacker can do pretty much anything the owner can: listen in through the microphone, blast music, or โ in some cases โ locate the headset on a map if it supports Google Find Hub. That latter feature, designed strictly for finding lost headphones, creates a perfect opening for stealthy remote tracking. And hereโs the twist: itโs actually most dangerous for Apple users and anyone else rocking non-Android hardware.
When headphones or a headset first shake hands with an Android device via the Fast Pair protocol, an owner key tied to that smartphoneโs Google account is tucked away in the accessoryโs memory. This info allows the headphones to be found later by leveraging data collected from millions of Android devices. If any random smartphone spots the target device nearby via Bluetooth, it reports its location to the Google servers. This feature โ Google Find Hub โ is essentially the Android version of Appleโs Find My, and it introduces the same unauthorized tracking risks as a rogue AirTag.
When an attacker hijacks the pairing, their key can be saved as the headset ownerโs key โ but only if the headset targeted via WhisperPair hasnโt previously been linked to an Android device and has only been used with an iPhone, or other hardware like a laptop with a different OS. Once the headphones are paired, the attacker can stalk their location on a map at their leisure โ crucially, anywhere at all (not just within the 14-meter range).
Android users whoโve already used Fast Pair to link their vulnerable headsets are safe from this specific move, since theyโre already logged in as the official owners. Everyone else, however, should probably double-check their manufacturerโs documentation to see if theyโre in the clear โ thankfully, not every device vulnerable to the exploit actually supports Google Find Hub.
The only truly effective way to fix this bug is to update your headphonesโ firmware, provided an update is actually available. You can typically check for and install updates through the headsetโs official companion app. The researchers have compiled a list of vulnerable devices on their site, but itโs almost certainly not exhaustive.
After updating the firmware, you absolutely must perform a factory reset to wipe the list of paired devices โ including any unwanted guests.
If no firmware update is available and youโre using your headset with iOS, macOS, Windows, or Linux, your only remaining option is to track down an Android smartphone (or find a trusted friend who has one) and use it to reserve the role of the original owner. This will prevent anyone else from adding your headphones to Google Find Hub behind your back.
In January 2026, Google pushed an Android update to patch the vulnerability on the OS side. Unfortunately, the specifics havenโt been made public, so weโre left guessing exactly what they tweaked under the hood. Most likely, updated smartphones will no longer report the location of accessories hijacked via WhisperPair to the Google Find Hub network. But given that not everyone is exactly speedy when it comes to installing Android updates, itโs a safe bet that this type of headset tracking will remain viable for at least another couple of years.
Want to find out how else your gadgets might be spying on you? Check out these posts:
We identified remote code execution vulnerabilities in open-source AI/ML libraries published by Apple, Salesforce and NVIDIA.
The post Remote Code Execution With Modern AI/ML Formats and Libraries appeared first on Unit 42.
David Fletcher // Recently we were involved in an engagement where we expected to see a large number of Macs in the target environment. As an element of the engagement [โฆ]
The post How to Phish for Geniuses appeared first on Black Hills Information Security, Inc..
BBKing // So Iโm working the other day, and my wife asks me why the TV is on. I donโt know. I didnโt turn it on. But itโs near my [โฆ]
The post AppleTV & nmap -sV appeared first on Black Hills Information Security, Inc..
Lawrence Hoffmann // So, Apple announced a new bug bounty program at BlackHat, and there are some interesting deviations from the norm in their plan to implement and pay out. [โฆ]
The post Lawrenceโs List 081216 appeared first on Black Hills Information Security, Inc..
Login
