At a Glance
- KU Leuven researchers warn that flaws in Google Fast Pair let attackers hijack or track Bluetooth audio gear from 46 feet away.
- Sony, Harman, Google’s own Pixel Buds Pro, and other Fast Pair devices remain exposed despite Google issuing partial patches.
- Google paid a $15,000 bug bounty and rolled out server-side fixes, yet many users still lack firmware updates.
Why it matters: Millions of wireless earbuds and headphones could leak location data or be forced to play attacker-controlled audio.
Belgian researchers have uncovered a cluster of security holes inside Google Fast Pair, the one-tap Bluetooth setup used by Android and Chrome OS, that allow silent hijacking and location tracking of popular wireless audio products. The team, calling the flaws WhisperPair, demonstrated attacks against devices from Sony, Harman, and Google itself from distances up to 46 feet.
How the Attack Works
Fast Pair broadcasts a small beacon so phones can spot accessories instantly. The researchers found that malformed beacon replies can:
- Force a headset to pair with the attacker instead of the intended phone.
- Leak persistent identifiers that reveal the owner’s location through Google’s Find Hub network.
- Install malicious firmware on chips that accept over-the-air updates without proper checks.
In lab tests, the group successfully took control of a Pixel Buds Pro unit, switched its pairing, and tracked its movements across campus buildings.
Google’s Response So Far
According to News Of Losangeles, Google patched some weaknesses internally and pushed server-side fixes to Find Hub that block location leaks. A company spokesperson told News Of Losangeles:
> “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting.”
Google also updated its own Pixel Buds firmware and alerted manufacturers in September after receiving the private report. The firm awarded the researchers $15,000 through its bug-bounty program and asked for a 150-day disclosure window.

Which Products Are Still at Risk
The researchers maintain an online lookup table showing affected models. As of publication, popular devices flagged “vulnerable” include:
- Sony WH-1000XM4 and WF-1000XM4
- Harman Kardon FLY and JBL Live series
- Google Pixel Buds Pro (pre-patch firmware)
- Several off-brand earbuds using reference Fast Pair code
Google’s public Fast Pair Known Issues page does not list WhisperPair details, leaving many owners unaware they need firmware updates.
What Users Should Do Now
- Check the manufacturer app for firmware updates; enable auto-update if available.
- Turn off “Find My Device” network access for headphones if privacy is critical.
- Avoid pairing in crowded public spots where attackers can linger within 46 feet.
The research group warns that even patched phones can still connect to unpatched earbuds, so both ends of the link must be updated.
Key Takeaways
- WhisperPair exploits a convenience feature, not Bluetooth itself, proving that small usability “add-ons” can create outsized risks.
- Google’s fixes are partial; responsibility also lies with device makers that failed to follow Fast Pair specifications.
- Until firmware updates reach every earbud, users remain exposed to covert tracking and audio hijacking.