
Hackers have a new way to follow you around, and it does not rely on your phone, your browser, or a shady app. Security researchers have uncovered a critical flaw in popular wireless audio gear that lets attackers track your movements in seconds and, in some cases, hijack your connection. If you use modern Bluetooth headphones, earbuds, or speakers, you now need to treat firmware updates as urgently as you would a browser or operating system patch.

The problem sits inside the Google Fast Pair protocol that helps Android users connect audio accessories with a single tap. A bug in how that protocol is implemented in hundreds of millions of devices turns your headphones into a beacon that can be silently probed, logged, and abused by anyone within Bluetooth range who knows what to look for.

What WhisperPair actually is and why it matters

Researchers have given this family of attacks a fitting name, WhisperPair, and it has been assigned the identifier CVE-2025-36911. At its core, the flaw lets an attacker send pairing-style messages to a vulnerable accessory and trick it into revealing a stable identifier, or into accepting a connection, at a time when it should be idle and ignoring strangers. According to the analysis accompanying the CVE, that identifier is enough to follow a person as they move through a city, a campus, or an office building, even though their phone's own Bluetooth address rotates as designed. The phone is not the weak point here; the accessory is.

The technical work was led by the Computer Security and Industrial Cryptography (COSIC) group at KU Leuven in Belgium, which has a long track record of tearing apart wireless protocols. The team found that the Google Fast Pair design, combined with sloppy vendor implementations, opened the door to what they describe as stealthy, high resolution stalking of Bluetooth audio users. Their findings, detailed in the group's report, show that the same weakness can also be used to inject or intercept traffic once a malicious device has convinced your headphones that it is a trusted partner.

Hundreds of millions of devices, from Sony to smart speakers

The scale of the problem is what turns WhisperPair from a niche research curiosity into a mainstream privacy crisis. The KU Leuven team and independent analysts estimate that hundreds of millions of audio accessories are affected worldwide, spanning earbuds, over ear headphones, portable speakers, and even some car systems that rely on Google Fast Pair. A detailed breakdown of the protocol’s reach notes that Bluetooth accessories from multiple brands share the same underlying Fast Pair logic, which means a single design mistake ripples across product lines and price tiers.

Security journalist Nicole Perlroth underscored the breadth of the issue when she warned that "anyone with audio accessories from Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and other vendors is potentially exposed." The Sony mention is especially stark, since some of the most popular noise cancelling models on the market sit on that list. Other reporting highlights that major brands like Sony and Google are at the center of the Fast Pair ecosystem, and that headphones from Soundcore, Logitech, and Xiaomi are also implicated.

How attackers can track and hijack you in seconds

From an attacker's perspective, WhisperPair is attractive because it is quiet, cheap, and fast. A small Bluetooth capable device, such as a Raspberry Pi with a radio dongle, can be configured to send Fast Pair style probes to every accessory in range and log which ones respond in a way that signals vulnerability. Nothing about this requires the victim to do anything, and nothing visible happens on their phone. Reporting on the Fast Pair protocol explains that the flaw lets attackers track your location or eavesdrop on private conversations by exploiting devices that do not properly check whether a pairing request should be accepted at all.

Once a target is identified, the same bug can be used to attempt a hijack. Several Fast Pair supported audio devices fail to reject connection requests when they are not in pairing mode, which means a malicious phone or laptop can sometimes insert itself as the active audio source without the victim realizing what is happening. Technical write ups note that several Fast Pair accessories will even leak identifying data during these unsolicited exchanges, giving stalkers a stable tag to follow over time. Malware analysts like Pieter Arntz have pointed out that the attack works even when a device is not visibly in pairing mode, because the vulnerable firmware still responds to crafted Bluetooth messages.
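To make the "not in pairing mode" point concrete, here is a constructed Python model, added to this article and not code from KU Leuven, Google, or any headphone vendor, of how an accessory decides whether to answer a key-based pairing request. The message fields, the addresses, and the 16-byte key value are assumptions for illustration; the real exchange is encrypted and its wire format is not reproduced. What it shows: with the pairing-mode check missing, an idle accessory answers an unsolicited request and hands back a stable address, and a key planted during that window keeps working through the legitimate account-key path afterwards.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    IDLE = "idle"          # not discoverable: should ignore unsolicited pairing attempts
    PAIRING = "pairing"    # user deliberately put the accessory in pairing mode


@dataclass
class KeyBasedPairingRequest:
    # Simplified stand-in for the real request, which is an encrypted block
    # plus the Seeker's ephemeral public key (assumption: fields, not wire format).
    seeker_addr: str
    key_type: str                        # "public": anti-spoofing key; "account": stored account key
    account_key: Optional[bytes] = None


@dataclass
class Accessory:
    name: str
    public_addr: str                     # stable address echoed back in a successful response
    enforce_pairing_mode: bool = True    # False reproduces the vulnerable behaviour
    mode: Mode = Mode.IDLE
    account_keys: list = field(default_factory=list)

    def handle_key_based_pairing(self, req: KeyBasedPairingRequest):
        """Return the response the accessory would send, or None to stay silent."""
        if req.key_type == "account":
            # Account-key variant: only a Seeker that already holds one of our
            # stored keys gets through. This path is legitimate at any time.
            if req.account_key not in self.account_keys:
                return None
        elif req.key_type == "public":
            # Public-key variant: the anti-spoofing public key is public, so any
            # radio in range can build this request. The pairing-mode check is
            # the only thing that keeps an unsolicited Seeker out.
            if self.enforce_pairing_mode and self.mode is not Mode.PAIRING:
                return None
        else:
            return None
        return {"accepted": True, "public_addr": self.public_addr}

    def write_account_key(self, req: KeyBasedPairingRequest, new_key: bytes) -> bool:
        """Store a new account key; only allowed after a successful pairing exchange."""
        if self.handle_key_based_pairing(req) is None:
            return False
        self.account_keys.append(new_key)
        return True


ATTACKER_ADDR = "aa:bb:cc:dd:ee:ff"   # constructed value


def probe(accessories):
    """Attacker-side sweep: one unsolicited public-key request per accessory.
    Anything that answers while idle hands over a stable identifier."""
    req = KeyBasedPairingRequest(seeker_addr=ATTACKER_ADDR, key_type="public")
    trackable = {}
    for acc in accessories:
        resp = acc.handle_key_based_pairing(req)
        if resp is not None and acc.mode is Mode.IDLE:
            trackable[acc.name] = resp["public_addr"]
    return trackable


def demo():
    # Constructed fleet: one unit missing the pairing-mode check, one enforcing it.
    fleet = [
        Accessory("vuln-earbuds", "11:22:33:44:55:66", enforce_pairing_mode=False),
        Accessory("patched-earbuds", "77:88:99:aa:bb:cc", enforce_pairing_mode=True),
    ]
    found = probe(fleet)

    # Follow-up on the vulnerable unit: plant an account key so later requests
    # succeed through the account-key path, not only the public-key one.
    attacker_key = b"\x04" + b"\x00" * 15      # constructed 16-byte key
    req = KeyBasedPairingRequest(seeker_addr=ATTACKER_ADDR, key_type="public")
    planted = fleet[0].write_account_key(req, attacker_key)

    # Even if this unit were patched afterwards, the planted key is still honoured.
    fleet[0].enforce_pairing_mode = True
    later = KeyBasedPairingRequest(ATTACKER_ADDR, "account", attacker_key)
    still_accepted = fleet[0].handle_key_based_pairing(later) is not None
    return found, planted, still_accepted


if __name__ == "__main__":
    print(demo())
```

The design point is the single `if` guarding the public-key branch: the anti-spoofing key proves the accessory is genuine, not that the requester is welcome, so the mode check is the whole access control. In the real protocol the key-based pairing response carries the accessory's public address, which is why a stable identifier falls out of one unsolicited exchange. The last part of `demo` is the reason a firmware update alone is not the end of the story: a key written while the device was vulnerable does not go away when the check is added.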

Which brands and models are known to be at risk

Consumers are not dealing with a theoretical list of obscure gadgets. Some of the most recognizable headphones on store shelves are affected, including multiple Sony WH and WF series models. One advisory singles out the Sony WH-1000XM5 and WF-1000XM5, describing them as among the most popular noise cancelling headphones and earbuds on the market, and notes that most of the recent WH and WF line needs firmware fixes. Another breakdown lists the Sony WH-1000XM4 through WH-1000XM6, JBL Live Buds 3, Bose QuietComfort Earbuds, and Jabra Elite 8 Active among the impacted devices, along with Marshall products such as the Major V and Stanmore III, showing how far the flaw reaches into the premium Sony, JBL, Bose, and Jabra lines.

It is not just headphones. Smart speakers and portable speakers that support Fast Pair are also exposed, which means the device sitting on your kitchen counter or in your backpack could be advertising your presence. Coverage of the broader ecosystem notes that headphones from Sony, Anker, and other vendors share the same Google Fast Pair vulnerability, and that the published list of affected products is much longer than the handful of names repeated in headlines. Because the accessory itself is what responds to the probes, the exposure does not depend on which phone it is paired with; guidance aimed at Android owners frames it as millions of earbuds and headphones carrying a serious security vulnerability tied to this same protocol.

What you should do right now

The most important step is also the simplest, even if it is tedious. You need to update the firmware on every Fast Pair capable audio accessory you own, from your daily commute earbuds to the Bluetooth speaker you keep in the garage. Security researchers and consumer advocates are urging users to update their speakers and headphones now, warning that attackers can spy on your location in seconds if you leave vulnerable devices unpatched, a point echoed in consumer focused update alerts. In practice, that means opening the companion app for your brand, such as Sony Sound Connect (formerly Headphones Connect), Jabra Sound+, JBL Headphones, Bose Music, or the Marshall app, and checking for firmware updates under the device settings. Accessories typically only fetch firmware while connected to the phone running the app, so leave them connected until the update reports as complete.

At the same time, you should harden how you use Bluetooth day to day. Security advisories recommend turning off Bluetooth when you are not actively using it, avoiding pairing in public spaces, and deleting old or unused accessories from your phone so they cannot be abused as a backdoor. A firmware fix stops new unsolicited pairings but does not necessarily undo a pairing an attacker has already established, so it is also worth factory resetting the accessory after the update to clear its stored pairings, then re-pairing it yourself. Experts also suggest checking whether your specific model appears on the lists compiled by security researchers and by the KU Leuven team, which also describe how a patched Fast Pair device should behave. If your headphones are not receiving updates at all, it may be time to treat them as untrusted and consider a replacement, ideally one the vendor has already confirmed as fixed.
