A vulnerability in the Google Fast Pair implementation of Bluetooth audio accessories could be exploited to force connections to attacker-controlled devices, academic researchers warn.
The critical-severity issue is tracked as CVE-2025-36911 and exists due to a logic error in the key-based pairing code, where devices fail to check whether they are in pairing mode.
Google Fast Pair enables quick pairing and account synchronization with Bluetooth accessories such as earbuds, headphones, and speakers, all with a single tap.
The Fast Pair specification states that the pairing procedure should only be carried out if the accessory is in pairing mode, but models from numerous brands do not check the pairing status of the device.
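The pairing-mode gate the specification calls for, next to the behavior of an accessory that omits it, as an added example that is not code from the researchers, Google, or any vendor. It is a simplified model: all names are hypothetical, the request layout (a 16-byte encrypted block, optionally followed by a 64-byte public key on first-time pairing) is an assumption of the sketch, and an XOR comparison stands in for real decryption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of an accessory's key-based pairing handler.
 * All names are hypothetical; the sizes are assumptions of this sketch. */
enum { BLOCK_LEN = 16, PUBKEY_LEN = 64, MAX_KEYS = 4 };
typedef enum { KBP_IGNORE, KBP_INITIAL_PAIRING, KBP_KNOWN_OWNER } kbp_action;

typedef struct {
    bool    pairing_mode;              /* set only by a deliberate user action */
    size_t  n_keys;                    /* number of stored Account Keys */
    uint8_t keys[MAX_KEYS][BLOCK_LEN];
} accessory;

/* Stand-in for block decryption plus format check: XOR with the key and
 * expect an all-zero result. NOT real cryptography. */
static bool toy_block_ok(const uint8_t key[BLOCK_LEN], const uint8_t *blk) {
    uint8_t acc = 0;
    for (size_t i = 0; i < BLOCK_LEN; i++) acc |= (uint8_t)(key[i] ^ blk[i]);
    return acc == 0;
}

/* check_mode=false models the flawed firmware; true models the gated one. */
kbp_action handle_kbp_write(const accessory *a, const uint8_t *req, size_t len,
                            bool check_mode) {
    if (len == BLOCK_LEN + PUBKEY_LEN) {       /* first-time pairing request */
        if (check_mode && !a->pairing_mode)
            return KBP_IGNORE;                 /* no user consent: drop silently */
        return KBP_INITIAL_PAIRING;
    }
    if (len != BLOCK_LEN) return KBP_IGNORE;   /* malformed length */
    for (size_t i = 0; i < a->n_keys && i < MAX_KEYS; i++)
        if (toy_block_ok(a->keys[i], req))
            return KBP_KNOWN_OWNER;            /* existing owner reconnecting */
    return KBP_IGNORE;
}

/* Constructed scenario: one stored key of 0x11 bytes; the request is filled
 * with `fill` and is either first-time (80 bytes) or subsequent (16 bytes). */
kbp_action demo(bool pairing_mode, bool first_time, uint8_t fill, bool check_mode) {
    accessory a = { .pairing_mode = pairing_mode, .n_keys = 1 };
    uint8_t req[BLOCK_LEN + PUBKEY_LEN];
    memset(a.keys[0], 0x11, BLOCK_LEN);
    memset(req, fill, sizeof req);
    return handle_kbp_write(&a, req, first_time ? sizeof req : BLOCK_LEN, check_mode);
}
```

With the gate in place, an accessory that is not in pairing mode still answers a request encrypted under an Account Key it already stores, so existing owners can reconnect while first-time requests are dropped.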
These improper implementations of Fast Pair open the door to a series of attacks dubbed WhisperPair, which allow attackers to take control of vulnerable accessories, academic researchers at the Computer Security and Industrial Cryptography group of Belgium’s KU Leuven University explain.
“WhisperPair enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent,” the researchers say.
The security defect allows attackers within a range of up to 14 meters (~46 feet) to start the pairing process and “finish the Fast Pair procedure by establishing a regular Bluetooth pairing”, within seconds.
“This gives an attacker full control over the accessory, allowing them to play audio at high volumes or record conversations using the microphone,” the academics note.
User tracking
According to the researchers, WhisperPair can also be used to track users, if their devices support Google’s Find Hub network and have never been paired with an Android device before.
When connecting to an accessory, the academics explain, Android devices write to it an Account Key used to establish ownership. Thus, the attacker is marked as the owner if the victim has never connected their accessory to an Android device.
Attackers can target vulnerable accessories to add them using their own Google accounts, and then monitor the devices to track their users.
“The victim may see an unwanted tracking notification after several hours or days, but this notification will show their own device. This may lead users to dismiss the warning as a bug, enabling an attacker to keep tracking the victim for an extended period,” the researchers say.
Vulnerable devices and patches
The academics note that multiple device models from various vendors are impacted, although they passed “the manufacturers’ quality assurance tests and Google’s certification process”.
“Insecure implementations still reached the market at scale. This shows a chain of compliance failures in Google Fast Pair, as the vulnerability failed to be detected on all three levels: implementation, validation, and certification,” the researchers note.
Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi have vulnerable products on the market. In total, hundreds of millions of devices may be affected.
The researchers did not make the WhisperPair implementation publicly available, but notified Google of the bug in August 2025. The researchers received a $15,000 bug bounty reward for their findings.
This week, Google rolled out a fresh security update for Pixel devices to resolve the vulnerability.
According to the academic researchers, however, updating Android phones is not enough. Users also need to install the firmware patches that many manufacturers have already released for their accessories.
“Because Google Fast Pair cannot be disabled, the only way to prevent WhisperPair attacks is by performing a software update. Please consult your accessory’s manual for instructions on how to install a software update,” the researchers note.
