Silent Sabotage: New ‘WhisperPair’ Flaw Turns Your Headphones into Spy Microphones
Security researchers have discovered a chilling Bluetooth vulnerability—dubbed WhisperPair—that allows hackers to hijack wireless earbuds and speakers in seconds, turning them into remote listening devices.
The Convenience Trap
Wireless audio has never been easier thanks to Google’s Fast Pair technology. It’s the feature that pops up a "Connect" notification the moment you open your earbud case. However, researchers from the COSIC group at KU Leuven University in Belgium have found that this very convenience is exactly what hackers are now exploiting.
The flaw, officially tracked as CVE-2025-36911, targets the way accessories handle pairing requests. While the Bluetooth protocol dictates that a device should only pair when a user physically presses a button to enter "Pairing Mode," many popular headphones are ignoring this rule entirely.
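The missing check described above, modelled as an added example (not code from the researchers, Google, or any vendor's firmware). The type and function names, the 120-tick pairing window and the one-pairing-per-press policy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical accessory state; names are illustrative, not vendor firmware. */
typedef struct {
    bool     pairing_mode;     /* set only by a physical button press */
    uint32_t pairing_deadline; /* tick at which pairing mode expires (assumed) */
} accessory_t;

typedef enum { PAIR_IGNORED = 0, PAIR_ACCEPTED = 1 } pair_result_t;

#define PAIRING_WINDOW_TICKS 120u /* assumed window length */

/* The user presses the pairing button: open a time-limited window. */
void on_button_press(accessory_t *a, uint32_t now) {
    a->pairing_mode = true;
    a->pairing_deadline = now + PAIRING_WINDOW_TICKS;
}

/* Flawed behaviour described in the article: the request is processed
 * without ever consulting the pairing-mode state. */
pair_result_t handle_request_unchecked(const accessory_t *a, uint32_t now) {
    (void)a; (void)now;
    return PAIR_ACCEPTED;
}

/* Hardened handler: ignore the request unless the user opened the window. */
pair_result_t handle_request_checked(accessory_t *a, uint32_t now) {
    if (!a->pairing_mode)
        return PAIR_IGNORED;
    /* Wraparound-safe expiry test on the tick counter. */
    if ((int32_t)(now - a->pairing_deadline) >= 0) {
        a->pairing_mode = false;
        return PAIR_IGNORED;
    }
    a->pairing_mode = false; /* assumed policy: one pairing per button press */
    return PAIR_ACCEPTED;
}

int main(void) {
    accessory_t buds = {0}; /* in use, button never pressed */
    printf("unchecked: %d\n", handle_request_unchecked(&buds, 1000));
    printf("checked:   %d\n", handle_request_checked(&buds, 1000));
    on_button_press(&buds, 2000);
    printf("checked after press: %d\n", handle_request_checked(&buds, 2050));
    return 0;
}
```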
15 Seconds to Total Control
Using nothing more than a standard laptop or a cheap Raspberry Pi, an attacker can forcefully pair with a vulnerable device from up to 14 meters away. The entire process takes less than 15 seconds. Once a hacker "WhisperPairs" with your headset, they can:
- Live Eavesdrop: Listen to your private conversations through the built-in microphones.
- Audio Hijacking: Inject their own audio or blast sound at deafening volumes.
- Stalker Tracking: Use Google’s "Find My Device" network to track your physical location.
- Persistent Access: Maintain a hidden connection for days without the user ever realizing.
"Many devices fail to enforce the pairing mode check, allowing unauthorized devices to start the process... an attacker can finish the Fast Pair procedure by establishing a regular Bluetooth pairing." — COSIC Researchers
Major Brands Under Fire
The vulnerability isn't limited to off-brand accessories. Researchers tested 17 devices from 10 industry giants. Over two-thirds of them were wide open to attack. Affected brands include:
- Sony, Jabra, and JBL
- Google, Marshall, and Logitech
- OnePlus, Nothing, Xiaomi, and Soundcore
Note to iPhone Users: Even if you don't use Android, you are still at risk. Because the flaw lives inside the headphones themselves, an attacker can hijack them regardless of whether they are currently connected to an iPhone or a Mac.
Google’s $15,000 Fix
Google recognized the severity of the threat by awarding the researchers their highest possible bug bounty of $15,000. While Google has coordinated with manufacturers over a 150-day period to roll out fixes, millions of devices may still be unpatched.
🛡️ How to Protect Yourself
Unlike phone updates that happen automatically, headphone firmware often requires manual intervention. Here is your security checklist:
- Update via App: Open the official app for your headphones (e.g., Sony Headphones Connect, Jabra Sound+) and check for firmware updates immediately.
- Audit Your List: Go into your phone’s Bluetooth settings and "Forget" any devices you don't recognize.
- The Nuclear Option: If you are discussing sensitive or classified information, switch to wired headphones until you are certain your wireless gear is patched.
- Reset & Re-pair: After updating your firmware, perform a factory reset on your earbuds and pair them to your phone again to ensure the old security tokens are cleared.