Sony, Anker, and other headphones have a serious Google Fast Pair security vulnerability

Jan 16, 2026 09:13 PM

Several Bluetooth audio devices from companies like Sony, Anker, and Nothing are susceptible to a new flaw that can allow attackers to listen in on conversations or track devices that use Google’s Find Hub network, as reported by Wired.

Researchers from KU Leuven University’s Computer Security and Industrial Cryptography group in Belgium discovered several vulnerabilities in Google’s Fast Pair protocol that can allow a hacker within Bluetooth range to secretly pair with some headphones, earbuds, and speakers. The attacks, which the researchers have collectively dubbed WhisperPair, can even be used on iPhone users with affected Bluetooth devices despite Fast Pair being a Google-specific feature.

Fast Pair streamlines Bluetooth pairing and lets wireless audio accessories connect to Android or Chrome OS devices by simply tapping them together. But the researchers found that many devices don’t implement Fast Pair correctly, including a Google specification that says Fast Pair devices shouldn’t be able to connect to a new device while already paired to another.

The researchers tested their WhisperPair attacks on over two dozen Bluetooth devices and were successful in hacking 17 of them. They were able to play their own audio through the compromised headphones and speakers at any volume, intercept phone calls, and even eavesdrop on conversations using the devices’ microphones.

A more serious issue was found to affect five Sony products and Google’s Pixel Buds Pro 2. If the devices weren’t previously connected to an Android device and linked to a Google account (which isn’t required when using them with iPhones), WhisperPair could be used to pair and link them to a hacker’s Google account that would be recognized as the device’s owner. That would allow a hacker to use Google’s Find Hub network to track the user’s location and movements through their headphones, assuming smartphone notifications warning that a device was tracking them were dismissed as errors.

The researchers reported their findings to Google in August 2025. The company then recommended fixes to its “accessory OEM partners” in September and updated its certification requirements to mitigate similar issues going forward. “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting,” Google spokesperson Ed Fernandez says in a written statement to The Verge.

The recommended fixes resolve all the Fast Pair issues once a software update has been installed, but Google implemented an additional Find Hub network update to prevent WhisperPair from being used to track certain Bluetooth devices that haven’t been patched. The researchers told Wired it only took them a few hours to bypass that patch and continue their tracking. According to Fernandez, the researchers used “old/not updated accessory OEM firmware in order to execute their workaround,” and Google is “looking into the bypass for this additional fix,” which was only submitted earlier this week.

The Fast Pair feature can’t be disabled, so the only way to protect against WhisperPair attacks is for users to install firmware updates released by manufacturers that resolve the vulnerabilities. The Verge reached out to all the manufacturers with affected hardware to confirm the progress of fixes. Spenser Blank, the head of marketing & communications for OnePlus North America, told The Verge in a written statement that the company “takes all security reports seriously” and that it’s “currently investigating this matter and will take appropriate action to protect our users’ security and privacy.”

We will update this story as other companies respond.
