WhisperPair CVE-2025-36911 — Bluetooth Headphone Hijack via Google Fast Pair

WhisperPair exploits Google Fast Pair's lack of re-authentication to hijack Bluetooth headphones. An attacker within BLE range can pair with already-paired headphones, intercept audio, and inject voice commands without the victim's knowledge.

Published: 16 January 2026 | Updated: 16 January 2026

Affected Systems

  • Bluetooth headphones/earbuds supporting Google Fast Pair
  • Android devices with Fast Pair enabled
  • ChromeOS devices with Fast Pair enabled
  • Selected Sony, JBL, Anker, Nothing, OnePlus, and Xiaomi audio devices

Technical Overview

WhisperPair (CVE-2025-36911) is a Bluetooth vulnerability in Google Fast Pair’s implementation discovered by security researcher Marc Newlin at SkySafe. Google Fast Pair is designed to streamline Bluetooth pairing across Android and ChromeOS devices using BLE advertisements and a cloud-based proximity system.

The flaw: Fast Pair does not enforce re-authentication when an already-paired device reconnects. An attacker within BLE range can impersonate a previously paired device, hijack the audio stream, and inject arbitrary audio — including voice commands to trigger the victim’s voice assistant. No user interaction is required on the victim’s end once the initial pairing has occurred.

Attack Flow

  1. Reconnaissance — The attacker scans for Bluetooth devices advertising Google Fast Pair service (identifiable by BLE advertisement packets containing the Fast Pair provider data).

  2. Impersonation — Using a Bluetooth adapter and custom tooling, the attacker crafts a connection request that mimics a previously paired Fast Pair device (e.g., the victim’s own earbuds connecting back to their phone).

  3. Reconnection Bypass — The victim’s phone or Chromebook accepts the connection because Fast Pair caches device credentials and skips re-authentication for known devices.

  4. Audio Hijack — Once connected, the attacker’s device registers as an audio sink. The victim’s device routes audio output to the attacker. The attacker can now:

    • Listen to the victim’s calls and media
    • Capture audio from the victim’s microphone
    • Inject audio frames into the stream

  5. Voice Assistant Injection — The attacker sends synthesised audio containing “Hey Siri”, “OK Google”, or similar trigger phrases. The victim’s phone executes the command — potentially making calls, reading messages, or navigating to phishing sites.

  6. Persistence — The connection remains active until the victim manually disconnects or walks out of BLE range (~100 metres with directional antenna). The attacker can reconnect at will if the victim stays in range.

Affected Systems

| Device Type | Status | Notes |
|---|---|---|
| Android 13+ with Fast Pair | Vulnerable | No re-auth on reconnect |
| ChromeOS devices | Vulnerable | Same Fast Pair implementation |
| Sony WH-1000XM5 | Confirmed | Fast Pair enabled by default |
| JBL Tune series | Likely | Uses Google Fast Pair |
| Nothing Ear (1, 2) | Likely | Fast Pair supported |
| OnePlus Buds | Likely | Fast Pair supported |
| Xiaomi Buds | Likely | Fast Pair supported |
| iOS devices | Not affected | Does not implement Google Fast Pair |
| Windows devices | Not affected | No Fast Pair support |

Impact

  • Audio eavesdropping — Attacker listens to private calls and media
  • Credential theft — Voice assistant commands can open phishing pages or trigger calls to premium numbers
  • Physical proximity attack only — Attacker must be within BLE range
  • No user interaction needed — Exploit triggers automatically when victim is in range
  • Wide device base — Fast Pair is shipped on millions of Android phones, Chromebooks, and accessories globally

Mitigation

  1. Disable Google Fast Pair — On Android: Settings > Google > Devices & sharing > Fast Pair > Toggle off. On ChromeOS: Settings > Connected devices > Fast Pair > Disable.

  2. Forget paired devices — After using Fast Pair headphones, go to Bluetooth settings and select “Forget” to remove the pairing credentials.

  3. Use Bluetooth toggle — Turn off Bluetooth when not actively using audio devices. This prevents any BLE connection attempts.

  4. Monitor for unexpected connections — Check Bluetooth settings periodically for unknown paired devices.

  5. Apply security patches — Google released a fix in the January 2026 Android Security Bulletin. Ensure your device is updated.

  6. Do not use Fast Pair in sensitive environments — Disable Fast Pair when in public spaces, conference rooms, or during sensitive calls.
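Mitigation steps 4 and 5 can be checked on managed devices with a short script. This is an added example, not part of the original advisory: it reads the real Android property `ro.build.version.security_patch`, while the `audit` function, the `FIXED_PATCH_LEVEL` threshold (assumed to be any patch level dated January 2026 or later), the allowlist, and the sample addresses are constructed for illustration.

```python
import subprocess
from datetime import date

# Assumption: any patch level dated January 2026 or later includes the fix.
FIXED_PATCH_LEVEL = date(2026, 1, 1)


def parse_patch_level(raw):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if malformed."""
    try:
        return date.fromisoformat(raw.strip())
    except ValueError:
        return None


def read_patch_level(serial):
    """Read the patch level string from an adb-attached device."""
    cmd = ["adb", "-s", serial, "shell", "getprop",
           "ro.build.version.security_patch"]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True, timeout=15).stdout


def audit(patch_raw, bonded, allowlist):
    """Return findings for one device; an empty list means both checks pass."""
    findings = []
    level = parse_patch_level(patch_raw)
    if level is None:
        findings.append(f"patch level unreadable: {patch_raw!r}")
    elif level < FIXED_PATCH_LEVEL:
        findings.append(f"patch level {level} predates the January 2026 bulletin")
    known = {mac.upper() for mac in allowlist}
    for mac, name in bonded:
        if mac.upper() not in known:
            findings.append(f"unknown bonded device {mac.upper()} ({name})")
    return findings


if __name__ == "__main__":
    # Constructed sample data: bond list as exported from the device or an MDM.
    allowlist = ["AA:BB:CC:00:00:01"]
    bonded = [("aa:bb:cc:00:00:01", "Work earbuds"),
              ("AA:BB:CC:00:00:02", "Unrecognised headset")]
    for finding in audit("2025-12-05\n", bonded, allowlist):
        print("FINDING:", finding)
```

On a live device, pass `read_patch_level(serial)` as the first argument to `audit`; the bond list has to come from the device's Bluetooth settings or a management export.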

Timeline

  • 2025-10-14: Vulnerability reported to Google by Marc Newlin (SkySafe)
  • 2026-01-13: Google acknowledges the issue, assigns CVE-2025-36911
  • 2026-01-16: Public disclosure at BSides San Diego by Marc Newlin
  • 2026-01-16: Fix released in Android January 2026 Security Bulletin
  • 2026-01-16: This advisory published

Prevention Checklist

  • Disable Google Fast Pair in Android/ChromeOS settings
  • Forget Fast Pair headphones from Bluetooth settings after use
  • Turn off Bluetooth when not actively using audio
  • Apply Android January 2026 security patch
  • Audit paired Bluetooth devices periodically
  • Avoid Fast Pair in sensitive/corporate environments

Advisory Details

Severity: Critical
Category: Bluetooth
CVE ID: CVE-2025-36911
Published: 16 Jan 2026
