"The findings relate to the improper implementation of Google's Fast Pair protocol, which enables one-tap pairing and account synchronization across Bluetooth accessories. If the protocol hasn't been implemented correctly, a security flaw is introduced that "allows an attacker to hijack devices and track victims using Google's Find Hub network," according to the researchers. The vulnerability research was reported to Google privately in August 2025 and was issued a critical rating under CVE-2025-36911."
"Researchers have disclosed WhisperPair, a family of vulnerabilities that impact a protocol commonly used to pair headphones, earbuds, and other audio products with Bluetooth devices. Also: How this one-click Copilot attack bypassed security controls - and what Microsoft did about it What is WhisperPair? As first reported by Wired, WhisperPair was uncovered by a team of researchers from Belgium's KU Leuven University, supported by the government's Cybersecurity Research Program."
Researchers from KU Leuven uncovered WhisperPair, a family of vulnerabilities affecting improper implementations of Google's Fast Pair protocol. The flaw allows attackers to hijack audio accessories, tamper with controls, and potentially eavesdrop on conversations. The vulnerability enables tracking via Google's Find Hub network. The research was privately reported to Google in August 2025 and assigned CVE-2025-36911 with a critical rating; a 150-day disclosure window and a $15,000 bug bounty were provided. Many vendors have released patches, but some devices remain unpatched. WhisperPair arises when audio accessories skip a required Fast Pair step during pairing.
Read at ZDNET
Unable to calculate read time
Collection
[
|
...
]