WhisperPair Vulnerability Enables Remote Hijacking of Millions of Bluetooth Headphones
Security researchers from KU Leuven discovered a critical flaw in implementations of Google's Fast Pair protocol, dubbed WhisperPair, that lets an attacker within Bluetooth range silently take over popular headphones such as the Sony WH‑1000XM4/5/6 in about 15 seconds, then inject audio, eavesdrop, hijack calls, and even track the user's location.
The Sony WH‑1000XM series has long been a benchmark in Bluetooth headphones, but the research shows that multiple mainstream models, Sony's among them, carry a severe flaw in their Fast Pair implementation that lets an attacker silently hijack the device within 15 seconds, monitor calls, and track its location.
1. Vulnerability Overview
The flaw was uncovered by security researchers at KU Leuven and named WhisperPair. The root cause is a defect in how manufacturers implement Google's Fast Pair pairing protocol, not a weakness in Bluetooth itself.
Fast Pair is Google's framework layered on Bluetooth to streamline pairing: when a user switches on the headphones (or opens the earbud case), a nearby Android phone automatically shows a pairing prompt. Google delegates the security‑relevant parts of the implementation to device manufacturers, and many of them left critical checks out.
According to Google's specification, a Fast Pair earphone that is already connected to a device should reject new pairing requests. Of 25 devices tested, 17 violated this rule: they accepted a second pairing request from another device without any user notification or pairing dialog, which is what makes silent hijacking possible.
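To make the root cause concrete, here is an added example that models the rule just described; it is not code from the KU Leuven research or from any vendor firmware. A non‑compliant pairing gate that checks only the Model ID is shown beside a compliant one that also consults the device's connection state. The `Provider`, `PairingRequest`, seeker names and the Model ID `ABCDEF` are this example's own simplifications and placeholders, not real protocol fields or a real product's ID.

```python
"""Model of the Fast Pair rule: an already-connected provider must reject a
new pairing request. Added illustration; not the researchers' or a vendor's code."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class PairingRequest:
    seeker: str      # hypothetical identity of the phone/laptop/Pi sending the request
    model_id: str    # Model ID the seeker targets (public information, see section 3)


@dataclass
class Provider:
    """Simplified headphone state: which peer it is connected to, plus an audit log."""
    model_id: str
    connected_to: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def complete_pairing(self, req: PairingRequest) -> bool:
        self.connected_to = req.seeker
        self.log.append(f"paired and connected to {req.seeker}")
        return True


def vulnerable_gate(dev: Provider, req: PairingRequest) -> bool:
    """Behaviour of the non-compliant devices as the page describes it: the only
    thing checked is that the request names this device's Model ID. Because the
    Model ID is public, a second seeker in range is accepted with no dialog."""
    if req.model_id != dev.model_id:
        dev.log.append(f"rejected {req.seeker}: Model ID mismatch")
        return False
    return dev.complete_pairing(req)        # no look at connected_to at all


def compliant_gate(dev: Provider, req: PairingRequest) -> bool:
    """Spec-conformant behaviour as the page states it: while connected to one
    peer, pairing requests from any other peer are rejected outright."""
    if req.model_id != dev.model_id:
        dev.log.append(f"rejected {req.seeker}: Model ID mismatch")
        return False
    if dev.connected_to is not None and dev.connected_to != req.seeker:
        dev.log.append(f"rejected {req.seeker}: already connected to {dev.connected_to}")
        return False
    return dev.complete_pairing(req)


def run_scenario(gate: Callable[[Provider, PairingRequest], bool]) -> Provider:
    """Constructed sequence: the owner pairs first, then a second seeker in range
    sends a pairing request carrying the same (public) Model ID."""
    dev = Provider(model_id="ABCDEF")            # placeholder Model ID
    gate(dev, PairingRequest("owner-phone", "ABCDEF"))
    gate(dev, PairingRequest("second-seeker", "ABCDEF"))
    return dev


if __name__ == "__main__":
    for name, gate in (("vulnerable", vulnerable_gate), ("compliant", compliant_gate)):
        dev = run_scenario(gate)
        print(f"{name}: connected_to={dev.connected_to}")
        for line in dev.log:
            print("   ", line)
```

The point of the comparison is that the Model ID is not a secret (section 3 explains how anyone can obtain it), so a gate that keys only on it has no authentication value; the missing ingredient on the 17 failing devices is the connection‑state check.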
2. Attack Effects
Once an attacker exploits WhisperPair, they can:
Audio injection : play arbitrary audio through the hijacked earphone or speaker at any volume.
Microphone eavesdropping : activate built‑in microphones on supported earphones to capture conversations and ambient sounds.
Call hijacking : intercept or disrupt phone calls.
Location tracking (more severe) : for Google Pixel Buds Pro 2 and some Sony models, the attacker can register the device to their own Google “Find Hub” account, allowing continuous physical‑location tracking.
Special warning about tracking : if the earphone has never been bound to a Google/Sony account, the attacker can first bind it to their account. The victim later receives a generic “your device is being tracked” warning from Apple or Google, which may be mistaken for a system bug and ignored.
3. Attack Conditions
The attack requires only a few low‑barrier conditions:
The target device is within Bluetooth range (the study measured a maximum working distance of about 46 ft / 14 m).
The attacker knows the device's Model ID, which can be obtained by buying the same model, observing the pairing process over the air, or querying Google's public API.
Attack hardware as cheap as a Raspberry Pi 4.
No pairing dialog or warning appears on the victim's side, and the whole process completes in 10–15 seconds.
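The Model ID condition above is easy to satisfy because a Fast Pair device advertises it in the clear whenever it is in pairing mode: Fast Pair uses the 16‑bit service UUID 0xFE2C, and in discoverable mode the service data under that UUID is the 3‑byte Model ID. The following added example (not code from the research or from Google) parses a raw BLE advertising payload and pulls that Model ID out. The two advertisements are constructed for this example, and the Model ID `ABCDEF` is a placeholder, not a real product's ID.

```python
"""Extract the Google Fast Pair Model ID from a BLE advertisement payload.
Added example with constructed sample data; not a capture from a real device."""
from typing import List, Optional, Tuple

FAST_PAIR_UUID16 = 0xFE2C          # Fast Pair GATT service UUID (16-bit)
AD_FLAGS = 0x01                    # standard AD types used in the samples below
AD_COMPLETE_16BIT_UUIDS = 0x03
AD_TX_POWER = 0x0A
AD_SERVICE_DATA_16BIT = 0x16


def parse_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.
    Each AD structure is: length (1 byte), type (1 byte), data (length-1 bytes).
    A zero length byte ends the payload; a truncated structure is an error."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        if i + 1 + length > len(adv):
            raise ValueError(f"truncated AD structure at offset {i}")
        ad_type = adv[i + 1]
        out.append((ad_type, bytes(adv[i + 2 : i + 1 + length])))
        i += 1 + length
    return out


def fast_pair_service_data(adv: bytes) -> Optional[bytes]:
    """Return the service data carried under UUID 0xFE2C, or None if absent.
    The UUID is little-endian on the wire, so 0xFE2C appears as 2C FE."""
    for ad_type, data in parse_ad_structures(adv):
        if ad_type == AD_SERVICE_DATA_16BIT and len(data) >= 2:
            if int.from_bytes(data[:2], "little") == FAST_PAIR_UUID16:
                return data[2:]
    return None


def extract_fast_pair_model_id(adv: bytes) -> Optional[str]:
    """Discoverable-mode Fast Pair frames carry exactly the 3-byte Model ID as
    service data. Any other 0xFE2C frame (e.g. the non-discoverable frame) is
    reported as None rather than guessed at."""
    sd = fast_pair_service_data(adv)
    if sd is None or len(sd) != 3:
        return None
    return sd.hex().upper()


# Constructed discoverable-mode advertisement: Flags, complete 16-bit UUID list,
# Fast Pair service data carrying placeholder Model ID ABCDEF, TX power.
DISCOVERABLE_ADV = bytes([
    0x02, AD_FLAGS, 0x06,
    0x03, AD_COMPLETE_16BIT_UUIDS, 0x2C, 0xFE,
    0x06, AD_SERVICE_DATA_16BIT, 0x2C, 0xFE, 0xAB, 0xCD, 0xEF,
    0x02, AD_TX_POWER, 0xF5,
])

# Constructed 0xFE2C frame whose service data is not a 3-byte Model ID (the
# layout of the real non-discoverable frame is deliberately not parsed here).
NON_DISCOVERABLE_ADV = bytes([
    0x02, AD_FLAGS, 0x06,
    0x07, AD_SERVICE_DATA_16BIT, 0x2C, 0xFE, 0x00, 0x11, 0x22, 0x33,
])

if __name__ == "__main__":
    for name, adv in (("discoverable", DISCOVERABLE_ADV),
                      ("non-discoverable", NON_DISCOVERABLE_ADV)):
        print(f"{name}: model_id={extract_fast_pair_model_id(adv)}")
```

Pointing this at the advertising data reported by any BLE scanner gives a quick inventory of which Fast Pair devices around you are currently in pairing mode and which Model IDs they expose; the same parse is what "intercepting the pairing process" amounts to on the attacker's side, which is why the Model ID cannot be treated as a secret.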
4. Affected Devices
Confirmed vulnerable models include:
Sony series : WH‑1000XM6, WH‑1000XM5, WH‑1000XM4, WH‑CH720N, WF‑1000XM5
Google : Pixel Buds Pro 2
Other brands : Nothing Ear (a), OnePlus Nord Buds 3 Pro, Jabra Elite 8 Active, JBL TUNE BEAM, Marshall MOTIF II A.N.C, Soundcore Liberty 4 NC, Redmi Buds 5 Pro, Logitech Wonderboom 4
Devices tested and found not vulnerable include Bose QuietComfort Ultra Headphones, Sonos Ace, Audio‑Technica ATH‑M20xBT, and Beats Solo Buds. Researchers note that most Fast Pair devices have not been tested, so absence from the list does not guarantee safety.
5. Why Certified Devices Passed
All affected devices passed Google's Fast Pair certification and the Google‑approved laboratory tests. The certification process, however, only validates basic pairing functionality and does not check whether a manufacturer's implementation actually honours the security requirements of the specification, so "certified but severely vulnerable" products reached the market.
6. Fix Status and User Mitigation
Google has issued a security advisory, acknowledged the research, and collaborated with affected manufacturers to develop firmware patches.
Firmware updates for headphones are far less user‑friendly than mobile OS updates. The typical update flow requires:
Downloading the vendor’s companion app (e.g., Sony Headphones Connect, Jabra Sound+).
Manually checking for updates within the app.
Keeping the headphones connected to the app during the update process.
This cumbersome process is often ignored, and months after the vulnerability’s disclosure, the proportion of users who have applied the patch is likely negligible.
Additional constraints:
Fast Pair cannot be disabled on the headphones themselves, so users cannot simply turn off the vulnerable feature. Disabling Fast Pair on the user's own phone does not help either, because the attack is carried out between the attacker's device and the headphones.
A factory reset only clears the current attacker's access; the underlying vulnerability remains, and the device can be hijacked again.
7. Conclusion
The WhisperPair flaw highlights a core contradiction: consumer‑electronics manufacturers prioritize seamless pairing experiences while treating security as an after‑the‑fact patch rather than a design priority.
Short‑term, users should immediately check for firmware updates via the appropriate companion app and apply them without waiting for notifications.
Long‑term, Google needs to revamp the Fast Pair certification framework to include concrete security validation in pre‑shipment laboratory testing, instead of relying solely on manufacturer self‑declarations. When “convenience‑first” logic permeates security‑sensitive IoT devices, every user becomes a potential risk bearer.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.