WhisperPair exploits Google Fast Pair's lack of re-authentication to hijack Bluetooth headphones. An attacker within BLE range can pair with already-paired headphones, intercept audio, and inject voice commands without the victim's knowledge.
WhisperPair (CVE-2025-36911) is a Bluetooth vulnerability in Google Fast Pair’s implementation discovered by security researcher Marc Newlin at SkySafe. Google Fast Pair is designed to streamline Bluetooth pairing across Android and ChromeOS devices using BLE advertisements and a cloud-based proximity system.
The flaw: Fast Pair does not enforce re-authentication when an already-paired device reconnects. An attacker within BLE range can impersonate a previously paired device, hijack the audio stream, and inject arbitrary audio — including voice commands to trigger the victim’s voice assistant. No user interaction is required on the victim’s end once the initial pairing has occurred.
Reconnaissance — The attacker scans for Bluetooth devices advertising the Google Fast Pair service (identifiable by BLE advertisement packets containing the Fast Pair provider data).
Impersonation — Using a Bluetooth adapter and custom tooling, the attacker crafts a connection request that mimics a previously paired Fast Pair device (e.g., the victim’s own earbuds connecting back to their phone).
Reconnection Bypass — The victim’s phone or Chromebook accepts the connection because Fast Pair caches device credentials and skips re-authentication for known devices.
Audio Hijack — Once connected, the attacker’s device registers as an audio sink. The victim’s device routes audio output to the attacker. The attacker can now:
Voice Assistant Injection — The attacker sends synthesised audio containing “Hey Siri”, “OK Google”, or similar trigger phrases. The victim’s phone executes the command — potentially making calls, reading messages, or navigating to phishing sites.
Persistence — The connection remains active until the victim manually disconnects or walks out of BLE range (~100 metres with directional antenna). The attacker can reconnect at will if the victim stays in range.
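The design gap behind steps 2 and 3 (a cached pairing is trusted on reconnect without any fresh proof of key possession) is easiest to see in a small model. The following is an added example, not Fast Pair's actual protocol or any of the researcher's code: a hypothetical `Seeker` (the phone side) that stores a per-device key at first pairing and either accepts any reconnect that names a known device, or demands an HMAC challenge-response over that key before accepting.

```python
import hmac
import hashlib
import os
import secrets


class Seeker:
    """Hypothetical phone-side model. Stores one symmetric key per paired device."""

    def __init__(self, require_reauth: bool):
        self.keys: dict[str, bytes] = {}
        self.require_reauth = require_reauth

    def initial_pair(self, device_id: str, key: bytes) -> None:
        # Key exchange of the real pairing is out of scope; we just cache the result.
        self.keys[device_id] = key

    def reconnect(self, device_id: str, respond) -> bool:
        """respond(nonce) -> tag is supplied by whatever device is connecting."""
        if device_id not in self.keys:
            return False
        if not self.require_reauth:
            # The gap described in the article: a known identity is enough.
            return True
        # Hardened path: fresh nonce, answer must be keyed with the cached key.
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self.keys[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(nonce))


def genuine_device(key: bytes):
    # The real earbuds hold the key and can answer the challenge.
    return lambda nonce: hmac.new(key, nonce, hashlib.sha256).digest()


def impostor():
    # Knows the (observable) device identity but not the key; can only guess.
    return lambda nonce: os.urandom(32)


def run_scenario(require_reauth: bool) -> dict:
    """Constructed scenario: one paired device, then a genuine and a spoofed reconnect."""
    key = secrets.token_bytes(16)
    phone = Seeker(require_reauth)
    phone.initial_pair("earbuds-01", key)
    return {
        "genuine": phone.reconnect("earbuds-01", genuine_device(key)),
        "impostor": phone.reconnect("earbuds-01", impostor()),
    }
```

With `require_reauth=False` both reconnects succeed; with it set, only the device holding the cached key gets the audio sink back.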
| Device Type | Status | Notes |
|---|---|---|
| Android 13+ with Fast Pair | Vulnerable | No re-auth on reconnect |
| ChromeOS devices | Vulnerable | Same Fast Pair implementation |
| Sony WH-1000XM5 | Confirmed | Fast Pair enabled by default |
| JBL Tune series | Likely | Uses Google Fast Pair |
| Nothing Ear (1, 2) | Likely | Fast Pair supported |
| OnePlus Buds | Likely | Fast Pair supported |
| Xiaomi Buds | Likely | Fast Pair supported |
| iOS devices | Not affected | Does not implement Google Fast Pair |
| Windows devices | Not affected | No Fast Pair support |
Disable Google Fast Pair — On Android: Settings > Google > Devices & sharing > Fast Pair > Toggle off. On ChromeOS: Settings > Connected devices > Fast Pair > Disable.
Forget paired devices — After using Fast Pair headphones, go to Bluetooth settings and select “Forget” to remove the pairing credentials.
Use Bluetooth toggle — Turn off Bluetooth when not actively using audio devices. This prevents any BLE connection attempts.
Monitor for unexpected connections — Check Bluetooth settings periodically for unknown paired devices.
Apply security patches — Google released a fix in the January 2026 Android Security Bulletin. Ensure your device is updated.
Do not use Fast Pair in sensitive environments — Disable Fast Pair when in public spaces, conference rooms, or during sensitive calls.