Winners & losers: Google's Fast Pair technology was designed for convenience. The protocol turns pairing a new Bluetooth accessory into a tap-and-go experience for Android and Chrome OS users. But new research suggests that the same design choices that make Fast Pair effortless also make it alarmingly easy to abuse.

Researchers from KU Leuven University's Computer Security and Industrial Cryptography group have identified a set of vulnerabilities they call WhisperPair. Their findings reveal that attackers within Bluetooth range – roughly 45 to 50 feet – can take control of wireless headphones, earbuds, and speakers that rely on Fast Pair. The flaw affects devices from at least ten major companies, including Google, Sony, JBL, Jabra, Xiaomi, and OnePlus.

In their tests, the KU Leuven team showed that hijacking could happen in under 15 seconds. Once connected, an attacker could stream or mute audio, force playback at high volumes, or even activate built-in microphones to listen to nearby conversations.

Certain models, particularly those from Google and Sony, are also vulnerable to location tracking via Google's Find Hub network, allowing attackers to monitor a victim's movements with precision.

The researchers demonstrated the attack using a low-cost Raspberry Pi 4 configured to impersonate a legitimate pairing request. During their trial with 25 Fast Pair-enabled devices from 16 vendors, 17 were found to be exploitable.

The technique relies on obtaining a Model ID, a unique identifier that devices broadcast during pairing. Those IDs are publicly accessible through a Google API, meaning they can potentially be collected at scale.

The KU Leuven team attributes the vulnerability to improper enforcement of Fast Pair's pairing logic. In theory, devices should reject new pairings while already connected. In practice, many do not. That oversight allows attackers to silently overwrite or duplicate legitimate pairings without user interaction. Once a device is compromised, the attacker effectively owns it until the victim resets it to factory settings.

Some devices compound the risk through account binding. If a headset or earbud has never been linked to a Google account – for example, if it was used only with an iPhone – an attacker can forcibly register it under their own Google ID. That enrollment adds the device to the attacker's Find Hub list, granting continuous location visibility. Even if victims receive a tracking alert, it may misleadingly identify the tracker as their own device.

Google acknowledged the KU Leuven findings in a disclosure published alongside the researchers' report on WhisperPair.eu. The company said it worked with affected vendors, issued patches for its own hardware, and rolled out an update to Find Hub intended to block malicious registrations. However, the researchers reported that they were able to bypass Google's fix within hours, restoring the tracking exploit.

Vendors have responded to Wired's inquiries inconsistently. JBL confirmed it received Google's security patches and plans to distribute updates through its mobile app. Xiaomi said it is working on over-the-air firmware updates for Redmi earbuds. Logitech integrated a firmware patch into future production runs of its Wonderboom 4 speaker, which lacks a microphone and therefore cannot record sound.

Jabra, Marshall, and OnePlus issued statements acknowledging the issue; some appear to have conflated the KU Leuven work with earlier Bluetooth chipset flaws.

One key challenge for all these fixes is delivery. Most users never install companion apps or update firmware for their audio accessories. Without those updates, flawed devices remain exposed indefinitely. Researcher Seppe Wyns pointed out that many consumers are unaware updates even exist, and that if they don't have the app for their headphones, they'd never know there's a patch.

The underlying weaknesses appear to result from both vendor and chipset-level errors in implementing Google's Fast Pair specifications. The research implicates components supplied by Actions, Airoha, Bestechnic, MediaTek, Qualcomm, and Realtek, though none of the chipmakers responded to requests for comment. Xiaomi has since said that misconfigurations by its chip supplier contributed to its own exposure.

Google's Fast Pair certification system may also have played a role. Before a product can use the protocol, vendors must pass validation through Google's Fast Pair Validator App and approved testing labs.

All devices listed in KU Leuven's research had passed those checks, suggesting that the certification process failed to detect significant security flaws. In response, Google says it has added new tests specifically focused on Fast Pair's security enforcement.

For now, KU Leuven researchers recommend that users install available firmware updates and reset potentially affected devices. More broadly, they argue that Fast Pair should be revised to cryptographically authenticate ownership before allowing new pairings.