Are Your Bluetooth Earphones at Risk? Here’s How to Stay Secure

Key Insights from ZDNET

A collection of vulnerabilities known as WhisperPair has been revealed by researchers, affecting a common protocol used to connect headphones and other audio equipment with Bluetooth-enabled devices.

Understanding WhisperPair

Discovered by a research group at Belgium's KU Leuven University, WhisperPair was supported by the national Cybersecurity Research Program. The issues stem from flaws in how Google's Fast Pair protocol is implemented in accessory firmware. The protocol makes pairing and syncing Bluetooth accessories almost effortless, but an incorrect implementation can introduce severe security weaknesses. The researchers warn that these weaknesses can permit unauthorized control of accessories and tracking via Google's Find Hub.

Initially reported privately to Google in August 2025, the vulnerabilities were classified as critical. A disclosure timeline of 150 days was set, accompanied by a bug bounty of $15,000.

Mechanics of WhisperPair

The vulnerabilities appear when some audio accessories skip an essential verification step during the Fast Pair process. The process works like this: a Bluetooth-capable mobile device (the 'seeker') sends a message to an audio accessory (the 'provider') requesting a pairing.

The protocol dictates that such requests must be disregarded unless the accessory has been put into pairing mode, but not every accessory performs this check. The lapse allows unauthorized pairings: once an exposed device answers the request, an attacker can complete the pairing without the owner noticing.
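As an added illustration (not code from the researchers, from Google, or from any affected vendor), the toy model below reduces the provider side to a pairing-mode flag: `enforce_pairing_mode=False` reproduces the missing check the article describes, and `silent_pairings` flags any pairing that was accepted while the accessory was not in pairing mode. The states, seeker names and scenario are constructed assumptions, not the real Fast Pair message flow.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    IDLE = "idle"               # powered on, nobody pressed the pairing button
    PAIRING_MODE = "pairing"    # owner explicitly made the accessory discoverable
    IN_USE = "in_use"           # already paired and connected to a phone


@dataclass
class Provider:
    """Toy model of a Fast Pair 'provider' (the accessory side); an assumption, not real firmware."""
    enforce_pairing_mode: bool                 # False reproduces the missing check
    state: State = State.IDLE
    paired_with: list = field(default_factory=list)
    log: list = field(default_factory=list)    # (seeker, state_at_request, outcome)

    def press_pairing_button(self):
        self.state = State.PAIRING_MODE

    def handle_pairing_request(self, seeker):
        state_at_request = self.state
        # Spec: pairing requests must be ignored unless the accessory is ready to pair.
        if self.enforce_pairing_mode and state_at_request != State.PAIRING_MODE:
            outcome = "ignored"
        else:
            self.paired_with.append(seeker)
            self.state = State.IN_USE
            outcome = "paired"
        self.log.append((seeker, state_at_request, outcome))
        return outcome


def run_scenario(enforce_pairing_mode):
    """Constructed scenario: the owner pairs normally, then an unknown seeker
    sends a request while the earbuds are simply in use (no button pressed)."""
    buds = Provider(enforce_pairing_mode)
    buds.press_pairing_button()
    buds.handle_pairing_request("owner-phone")
    buds.handle_pairing_request("unknown-seeker")
    return buds


def silent_pairings(provider):
    """Pairings accepted outside pairing mode: a patched firmware should never log any."""
    return [seeker for seeker, state, outcome in provider.log
            if outcome == "paired" and state != State.PAIRING_MODE]
```

Running `run_scenario(False)` pairs both seekers and `silent_pairings` reports the unknown one; with the check enforced the second request is ignored and the list is empty.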

Potential Impacts of WhisperPair

Should an intruder manage to connect clandestinely to vulnerable earphones, they could control the device, including changing settings such as volume. More alarmingly, they could record audio through any integrated microphones without the owner noticing.

Testing has shown that WhisperPair attacks can be carried out over the air from a distance of up to 14 meters, with no physical connection to the accessory.

If a device supports Google's Find Hub network but has not yet been registered to its owner's account, attackers could add it to their own account and use it for tracking. Users do receive notifications of tracking attempts, but the alert lists only the user's own device, so the warning may be dismissed.

Devices at Risk

Brands affected by these vulnerabilities include products from companies such as Google, Sony, Harman (including JBL), and Anker. Not only are Android users at risk, but these vulnerabilities affect iPhone users with susceptible accessories as well.

Checking Device Vulnerability

The researchers have published a catalog of popular audio equipment. You can search it, or enter your device's manufacturer, to determine whether it is vulnerable to WhisperPair.

Steps for Protection

If your accessory is marked as susceptible to these threats, verify whether there are any updates or patches from the manufacturer. Even if marked secure, ensure it is updated with the most current software.

Experts emphasize that installing manufacturer-provided software updates is the only surefire way to thwart WhisperPair attacks. Check the vendor's app or website for available updates. If none exist yet, patience and vigilance are essential until a fix arrives. Accessories that support Find Hub but have not yet been paired with an Android device are particularly exposed and should be updated as soon as possible.

Disabling Fast Pair on your phone won't necessarily prevent these risks. The research shows that accessories ship with Fast Pair enabled by default and offer no option to turn it off without a firmware update.
