Researchers Expose Google Fast Pair Flaw Enabling Bluetooth Hijacks and Tracking
Security researchers at KU Leuven have uncovered serious flaws in Google’s Fast Pair Bluetooth protocol that let nearby attackers silently hijack compatible headphones, earbuds and speakers and, in some cases, track users’ movements. The attack, dubbed "WhisperPair," exploits the fact that many Fast Pair devices still accept new pairings while already connected, allowing an attacker within Bluetooth range to bind to the device in about 10–15 seconds using an ordinary phone, laptop or Raspberry Pi. Once paired, an attacker can interrupt calls, inject audio or activate microphones; on some Google and Sony models tied into Google’s Find My Device/Find Hub network, an attacker who "claims" an unregistered headset first can then see its location as the user carries it around. Tests on 17 products from major brands including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google showed that many had passed Google’s own certification despite the flaw, raising questions about the company’s security vetting. Several manufacturers have started issuing firmware patches, but headphones and speakers typically update only via brand-specific apps that many owners never install, meaning a large installed base of U.S. devices may remain exposed for months or years unless users proactively check for updates.
📌 Key Facts
- KU Leuven researchers found many Fast Pair devices accept new Bluetooth pairings even while already connected, enabling a nearby attacker to silently connect in roughly 10–15 seconds.
- The "WhisperPair" attack lets an intruder interrupt calls, inject audio or activate microphones, and on some Google and Sony headsets integrated with Find Hub, claim the device and track its location if it has never been linked to a Google account.
- Seventeen Fast Pair–compatible devices from brands including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google were tested; many had passed Google certification, and fixes depend on users installing manufacturer firmware updates via brand apps.