Hundreds of millions of wireless headphones, earbuds, and speakers use Google’s Fast Pair, a protocol that allows one-tap pairing between Bluetooth accessories and your device. But many of these products have not implemented Fast Pair correctly, a group of researchers from Belgium’s KU Leuven University found, leaving your wireless device open to attack.
By exploiting the Bluetooth vulnerability, attackers can gain complete control of your device, use its microphone to listen in on your conversations, or even track your location via Google’s Find Hub network. The attacker only needs to be within a 14-meter (roughly 46 feet) radius for the attack, which the researchers have dubbed “WhisperPair,” to succeed in a matter of seconds.
Here’s where Fast Pair goes wrong. Normally, an accessory should disregard pairing requests when it is not in pairing mode. But many devices fail to enforce that check, the researchers say, allowing an unauthorized device to start the pairing process and finish it with an ordinary Bluetooth pairing.
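To make the missing check concrete, here is a small added model of an accessory’s pairing gate (constructed for this article, not code from the researchers, Google, or any manufacturer; it simplifies Fast Pair to a single “pairing request” event). The same handler is run with the check disabled, as in the affected products, and enabled, as the spec expects; the rejected list doubles as the kind of log a firmware could surface for out-of-mode pairing attempts.

```python
from dataclasses import dataclass, field


@dataclass
class Accessory:
    """Simplified model of a Fast Pair accessory's pairing gate (constructed example)."""
    enforce_pairing_mode: bool          # False reproduces the flawed behaviour, True the fix
    pairing_mode: bool = False          # set by the user pressing the pairing button
    bonded: set = field(default_factory=set)    # peers the accessory has bonded with
    rejected: list = field(default_factory=list)  # peers refused outside pairing mode

    def enter_pairing_mode(self) -> None:
        self.pairing_mode = True

    def leave_pairing_mode(self) -> None:
        self.pairing_mode = False

    def on_pairing_request(self, peer: str) -> bool:
        """Handle an incoming key-based pairing request from `peer`.

        Returns True if the accessory goes on to bond with the peer."""
        if peer in self.bonded:
            return True  # an already-bonded device reconnecting is always fine
        # The check the researchers found missing: a new peer may only
        # start pairing while the user has put the accessory in pairing mode.
        if self.enforce_pairing_mode and not self.pairing_mode:
            self.rejected.append(peer)
            return False
        self.bonded.add(peer)
        return True


def replay(enforce: bool) -> tuple[set, list]:
    """Replay a constructed sequence: the owner pairs legitimately, then an
    unknown peer sends a request hours later while the device is just idle."""
    acc = Accessory(enforce_pairing_mode=enforce)
    acc.enter_pairing_mode()
    acc.on_pairing_request("owner-phone")   # legitimate first pairing
    acc.leave_pairing_mode()
    acc.on_pairing_request("unknown-peer")  # request while NOT in pairing mode
    acc.on_pairing_request("owner-phone")   # legitimate reconnect
    return acc.bonded, acc.rejected


if __name__ == "__main__":
    print("without check:", replay(False))
    print("with check:   ", replay(True))
```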
For location tracking, the attackers can make use of Google’s Find Hub network, which would normally allow Android devices to track lost accessories via crowdsourced location reports. But you’re still vulnerable to tracking even if you have never owned an Android device, because the attacker can add the compromised accessory to the Find Hub network themselves using their own Google account.
“The victim may see an unwanted tracking notification after several hours or days, but this notification will show their own device. This may lead users to dismiss the warning as a bug, enabling an attacker to keep tracking the victim for an extended period,” the researchers wrote in a report.
Brands with vulnerable devices include Sony, JBL, Xiaomi, Nothing, OnePlus, Jabra, and Google, and Sony and Google headphones in particular are vulnerable to the location tracking scheme through the Find Hub network. You can search for some of the vulnerable models here.
Google said that its Pixel Buds accessories are now protected. It rolled out a fix to prevent the Find Hub vulnerability, updated its certification requirements, and provided manufacturers with recommended fixes.
“We appreciate collaborating with security researchers through our Vulnerability Rewards Program, which helps keep our users safe,” a Google spokesperson told Gizmodo. “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting.”
Once the fixes are in place, a software update should protect your wireless device against these attacks, but you will have to install it via the manufacturer’s app on your phone or computer. So, for example, if you have the allegedly vulnerable Sony WH-1000XM6 wireless headphones, you should probably download the Sony app and watch for any software updates that have been or will be issued.
“As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security,” a Google spokesperson said.
Though the findings of the report are new, distrust of the privacy and security offered by wireless headphones is nothing novel.
Last year, former Vice President Kamala Harris shared that she only used wired earbuds because of everything she learned serving on the Senate Intelligence Committee.
“I have been in classified briefings, and I’m telling you, don’t be on the train using your earpods thinking someone can’t listen to your conversation,” Harris told Stephen Colbert in an interview. “I’m telling you, the [wired earphones] are a bit more secure.”
Source: Gizmodo