A essential vulnerability in Google’s Quick Pair protocol that enables attackers to hijack Bluetooth audio equipment and observe customers with out their data or consent.
Safety researchers from KU Leuven have uncovered a vulnerability, tracked as CVE-2025-36911 and dubbed WhisperPair, that impacts tons of of hundreds of thousands of wi-fi earbuds, headphones, and audio system from main producers.
Together with Sony, Anker, Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Soundcore, and Xiaomi.
Google labeled the difficulty as essential and awarded the researchers the utmost attainable bounty of $15,000. The flaw stems from the improper implementation of the Quick Pair protocol.
Essential Flaw in Quick Pair Implementation
In response to the Quick Pair specification, Bluetooth equipment ought to ignore pairing requests when not in pairing mode.
Nonetheless, many flagship gadgets fail to implement this essential safety test, permitting unauthorized gadgets to provoke the pairing course of with out person interplay.
Attackers can exploit WhisperPair utilizing any customary Bluetooth-capable system reminiscent of a laptop computer, smartphone, or Raspberry Pi.
Attacker’s dashboard with location from the Discover Hub community (supply: whisperpair )
The assault succeeds inside a median of 10 seconds at ranges as much as 14 meters with out requiring bodily entry to the weak system.
As soon as paired, attackers achieve full management over the audio accent, enabling them to play audio at excessive volumes or report conversations by means of the built-in microphone.
Moreover, if an adjunct has by no means been paired with an Android system, attackers can add it to their very own Google account and observe the sufferer’s location utilizing Google’s Discover Hub community.
The monitoring notification that seems reveals the sufferer’s personal system, which can lead customers to dismiss the warning as a system bug, permitting extended surveillance.
Undesirable monitoring notification displaying the sufferer’s personal system (supply: whisperpair )
Cross-Platform Vulnerability
The vulnerability impacts customers throughout all platforms as a result of the flaw exists within the equipment themselves, not in smartphones.
iPhone customers with weak Bluetooth gadgets face the identical dangers as Android customers. Since Quick Pair performance can’t be disabled on equipment, even customers outdoors the Android ecosystem stay weak.
The WhisperPair researchers reported their findings to Google in August 2025, agreeing to a 150-day disclosure window for producers to launch safety patches.
The one efficient mitigation is putting in firmware updates from system producers.
Whereas many producers have launched patches, software program updates might not but be accessible for all weak gadgets.
Customers ought to seek the advice of their accent’s guide for firmware replace directions and confirm patch availability immediately with producers.
The WhisperPair vulnerability represents a systemic failure, as weak gadgets handed each producer high quality assurance and Google’s certification course of earlier than reaching the market at scale.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
