
Security experts at the Computer Security and Industrial Cryptography research group (COSIC) are warning of a serious Bluetooth security vulnerability that could affect millions of headphones, speakers, and other wireless accessories worldwide. If you have any Bluetooth devices, you should check ASAP whether firmware updates are available—and if they are, install them as soon as you can.
The vulnerability exists in Google’s Fast Pair Service (GFPS), which is designed to enable quicker discovery and pairing of Bluetooth accessories. The vulnerability was discovered back in August 2025, but a working exploit called WhisperPair has now been publicly documented.
Attackers can exploit GFPS to take control of Bluetooth devices in their vicinity without being noticed, even when said devices aren’t in pairing mode. In practice, this means that strangers can connect to headphones or headsets, then eavesdrop on conversations via integrated microphones or play audio content on the devices.
Furthermore, it may also be possible to locate affected devices, provided they support certain additional functions.
How dangerous is WhisperPair?
Special tracking risk for iPhone users
One aspect that’s particularly explosive—and mainly affects users of iPhones with Macs or Windows PCs—is that if a vulnerable Bluetooth headset has never been paired with an Android device, an attacker can register as the “owner” as part of a WhisperPair attack.
In this case, the accessory can be tracked via Google’s Find Hub network, similar to how AirTags work. Tracking is then no longer limited to immediate radio range but made possible worldwide, as other Android devices can forward the position data unnoticed.
Android users who have already paired their headphones via Fast Pair are generally not affected by this specific tracking scenario.
A firmware update is mandatory
The security researchers emphasize that changes to smartphone settings are not enough to fix the problem. Only a firmware update directly on the Bluetooth device itself reliably closes the vulnerability.
Google and affected manufacturers were already informed of this issue back in the summer of 2025. According to the researchers, updated firmware versions are now available for many Bluetooth models (usually installed via the respective manufacturer’s app). A factory reset is also recommended to remove any unauthorized pairings.
If no update is available for a device, experts advise pairing the accessory with an Android smartphone at least once. This establishes a legitimate owner and prevents subsequent third-party tracking.
Bluetooth remains a recurring security risk
The WhisperPair case is one of a series of Bluetooth security issues that came to light in 2025. Google rewarded the discovery of WhisperPair with a bug bounty of $10,000. Compared to other Bluetooth vulnerabilities, the problem was addressed relatively early—provided that users install the available updates.
Regardless of the current vulnerability, security experts have long advised only enabling Bluetooth on smartphones when it’s actually needed. Every active wireless connection increases the attack surface. The current case also shows how important regular updates are.