
How to protect yourself from Bluetooth-headset tracking and the WhisperPair attack | Kaspersky official blog

Medium
Vulnerability
Published: Wed Jan 21 2026 (01/21/2026, 11:41:19 UTC)
Source: Kaspersky Security Blog

Description

With the WhisperPair attack, a stranger can pair their device with your headphones to keep tabs on your location.

AI-Powered Analysis

Last updated: 01/21/2026, 11:52:36 UTC

Technical Analysis

WhisperPair is a recently disclosed Bluetooth vulnerability, tracked as CVE-2025-36911, in implementations of Google's Fast Pair protocol found in many popular Bluetooth headphones and headsets, including models from Sony, JBL, Redmi, Anker, Marshall, Jabra, OnePlus and Google's Pixel Buds 2. The attacker broadcasts Fast Pair pairing requests from an ordinary device (a smartphone, tablet or laptop) to any headphones within roughly 14 meters. Vulnerable headphones answer those requests even when they are not in pairing mode, so the attacker can complete pairing in about 10 seconds with no consent or interaction from the owner.

Once paired, the attacker holds the same capabilities as the legitimate owner: listening through the microphone, playing audio and, most significantly, tracking the headset's location through Google Find Hub if the model supports it. Find Hub draws on crowdsourced location reports from nearby Android devices, so the headset can be located wherever it goes, not only while it is within Bluetooth range of the attacker.

The exposure is worst for headphones that have only ever been paired with non-Android devices (iOS, macOS, Windows, Linux). Such headphones hold no Fast Pair account key (an owner key tied to a Google account), so an attacker can register as the first owner and take over location reporting. Headphones that have already been paired with an Android device through Fast Pair have an owner recorded and are not exposed to this takeover.

Mitigation requires a firmware update from the manufacturer followed by a factory reset to clear any pairing the attacker may already have established; a reset without the update only removes the existing pairing, and an unpatched headset can simply be paired again. Where no update is available, pairing the headphones with a trusted Android device establishes ownership and blocks the takeover. Google has also shipped an Android update that limits location reporting for hijacked devices; its details have not been disclosed, and adoption will take time.

The attack poses a significant privacy and security risk through unauthorized tracking and eavesdropping, especially in environments where Bluetooth headphones are widely used.

Potential Impact

For European organizations, WhisperPair presents several risks. Unauthorized pairing and remote tracking can lead to privacy violations and corporate espionage, above all in sectors where sensitive conversations pass through Bluetooth headsets, such as finance, legal, government and healthcare. Remote tracking of employees through their headphones exposes physical movement patterns, undermining operational security and personal privacy, and eavesdropping through the headset microphone can leak confidential information.

Because the attack is quick (about 10 seconds) and needs no interaction from the victim, it can be carried out unnoticed in offices, transport hubs, conference venues and other public or semi-public spaces. Organizations running a mixed device fleet (iOS, Windows, Linux) whose staff use vulnerable headphones that have never been paired with an Android device are at the highest risk. The slow roll-out of firmware fixes and of the Android OS patch prolongs the exposure window.

The attack also undermines trust in Bluetooth accessories, which may raise operational costs through device replacement or additional security controls. Overall, the vulnerability threatens the confidentiality and privacy of communications and location data within European enterprises, and the integrity of the audio channel, since an attacker who has paired can play audio to the wearer.

Mitigation Recommendations

1. Inventory all Bluetooth headphones and headsets in use, flagging models from the affected brands (Sony, JBL, Redmi, Anker, Marshall, Jabra, OnePlus, Google Pixel Buds 2, among others).
2. Check for and apply manufacturer firmware updates that address WhisperPair, using the official companion apps.
3. Factory-reset every headset after the firmware update to drop any pairing an attacker may already hold. A reset without the update only removes the existing pairing; an unpatched headset can be paired again by the attacker.
4. Where no update exists, pair the headphones with a trusted Android device through Fast Pair so that an owner account is recorded and the ownership takeover is blocked.
5. Educate employees about the risk of vulnerable Bluetooth accessories, especially in public or semi-public spaces.
6. Restrict the use of vulnerable Bluetooth devices in sensitive areas and during confidential meetings.
7. Monitor endpoint logs for unexpected Bluetooth pairings and unusual Bluetooth activity.
8. Install Android OS updates promptly, since Google's update limits location reporting for hijacked devices.
9. Consider Bluetooth security tooling that detects and alerts on suspicious pairing attempts or unauthorized Bluetooth activity.
10. Work with manufacturers and suppliers to prioritize secure Bluetooth devices in procurement and to demand timely security patches.


Technical Details

Article Source
URL: https://www.kaspersky.com/blog/whisperpair-blueooth-headset-location-tracking/55162/
Fetched: 2026-01-21T11:52:20Z
Word count: 1350

Threat ID: 6970bdf44623b1157cc8e22e

Added to database: 1/21/2026, 11:52:20 AM

Last enriched: 1/21/2026, 11:52:36 AM

Last updated: 2/6/2026, 1:55:58 PM

