
Critical WhisperPair flaw lets hackers track, eavesdrop via Bluetooth audio devices

Security researchers have discovered a critical vulnerability in Google's Fast Pair protocol that can allow attackers to hijack Bluetooth audio accessories, track users, and eavesdrop on their conversations.

The flaw (tracked as CVE-2025-36911 and dubbed WhisperPair) affects hundreds of millions of wireless headphones, earbuds, and speakers from multiple manufacturers that support Google's Fast Pair feature. It affects users regardless of their smartphone operating system because the flaw lies in the accessories themselves, meaning that iPhone users with vulnerable Bluetooth devices are equally at risk.

Researchers with KU Leuven's Computer Security and Industrial Cryptography group who discovered it explain that the vulnerability stems from the improper implementation of the Fast Pair protocol in many flagship audio accessories.


Although the Fast Pair specification says that Bluetooth devices should ignore pairing requests when not in pairing mode, many vendors have not enforced this check in their products, allowing unauthorized devices to initiate pairing without the user's consent or knowledge.


“To start the Fast Pair procedure, a Seeker (a phone) sends a message to the Provider (an accessory) indicating that it wants to pair. The Fast Pair specification states that if the accessory is not in pairing mode, it should disregard such messages,” the researchers said.

“However, many devices fail to enforce this check in practice, allowing unauthorised devices to start the pairing process. After receiving a reply from the vulnerable device, an attacker can finish the Fast Pair procedure by establishing a regular Bluetooth pairing.”
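The missing check can be shown with a simplified model of the accessory side. This is an added example, not code from the researchers, Google, or any vendor firmware; the `provider_t` structure, its fields, and the function names are hypothetical, and the model assumes that regular Bluetooth pairing is only accepted after the Provider has replied to a Seeker.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a Fast Pair Provider (accessory); not vendor firmware. */
typedef struct {
    bool in_pairing_mode;    /* set only when the user enables pairing mode */
    bool enforce_mode_check; /* false models the flawed implementations */
    bool session_open;       /* true once the Provider has replied to a Seeker */
    bool bonded;             /* true once regular Bluetooth pairing completed */
    unsigned dropped;        /* requests disregarded; usable as telemetry */
} provider_t;

/* Seeker's "I want to pair" message. Returns true if the Provider replies. */
bool on_pair_request(provider_t *p)
{
    if (p->enforce_mode_check && !p->in_pairing_mode) {
        p->dropped++;        /* specified behaviour: disregard, send no reply */
        return false;
    }
    p->session_open = true;
    return true;
}

/* Regular Bluetooth pairing that finishes the procedure (model assumption). */
bool on_bluetooth_pairing(provider_t *p)
{
    if (!p->session_open)
        return false;        /* no reply was sent, so there is nothing to finish */
    p->session_open = false;
    p->bonded = true;
    return true;
}

/* Runs the two-step exchange against one Provider configuration. */
bool unsolicited_pairing_succeeds(bool in_pairing_mode, bool enforce)
{
    provider_t p = { in_pairing_mode, enforce, false, false, 0 };
    return on_pair_request(&p) && on_bluetooth_pairing(&p) && p.bonded;
}

int main(void)
{
    printf("flawed, idle:   %d\n", unsolicited_pairing_succeeds(false, false));
    printf("hardened, idle: %d\n", unsolicited_pairing_succeeds(false, true));
    printf("hardened, user-enabled pairing mode: %d\n",
           unsolicited_pairing_succeeds(true, true));
    return 0;
}
```

The hardened configuration still pairs normally once the user has put the accessory in pairing mode, so enforcing the check does not change the legitimate flow.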

Attackers can exploit the WhisperPair flaw using any Bluetooth-capable device (such as a laptop, a Raspberry Pi, or even a phone) to forcibly pair with vulnerable accessories from Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi at ranges of up to 14 meters within seconds and without user interaction or physical access.

After pairing, they gain full control over the audio device, enabling them to blast audio at high volumes or eavesdrop on users' conversations through the device's microphone.


CVE-2025-36911 also allows attackers to track their victims' location using Google's Find Hub network if the accessory has never been paired with an Android device, by adding the device to their own Google account.

“The victim may see an unwanted tracking notification after several hours or days, but this notification will show their own device,” they added. “This may lead users to dismiss the warning as a bug, enabling an attacker to keep tracking the victim for an extended period.”

Google awarded the researchers $15,000, the maximum possible bounty, and worked with manufacturers to release security patches during a 150-day disclosure window. However, they noted that security updates addressing this flaw may not yet be available for all vulnerable devices.

The only defense against attackers hijacking vulnerable Fast Pair-enabled Bluetooth accessories is installing firmware updates from device manufacturers. Disabling Fast Pair on Android phones does not prevent the attack, as the feature cannot be disabled on the accessories themselves.
