Major security flaw affects Sony, Google, and other popular headphones

Security researchers at Belgium’s KU Leuven University have uncovered a collection of serious vulnerabilities in Google’s Fast Pair Bluetooth protocol that affects hundreds of millions of audio devices. The researchers, calling their findings “WhisperPair,” demonstrated that attackers within Bluetooth range—approximately 50 feet—could silently take control of paired headphones, earbuds, and speakers in as little as 10-15 seconds.

The vulnerability is confirmed to affect at least 17 audio accessories from 10 major manufacturers, including several models you’ve likely seen in our reviews: Sony’s entire WH-1000X flagship lineup (WH-1000XM6, XM5, and XM4), the WF-1000XM5 earbuds, Google Pixel Buds Pro 2, Nothing Ear (a), OnePlus Nord Buds 3 Pro, Jabra Elite 8 Active, and products from JBL, Marshall, Soundcore, Logitech, and Xiaomi.

What attackers can do

Once an attacker exploits the WhisperPair vulnerability, they gain full control of the audio device. This includes:

  • Audio injection: Playing sounds through your headphones or speakers at any volume
  • Microphone access: Activating built-in microphones to eavesdrop on conversations and surroundings
  • Call disruption: Intercepting or disrupting phone calls
  • Location tracking: For Google Pixel Buds Pro 2 and five Sony models, attackers can claim device ownership through Google’s Find Hub feature and track your location continuously

The location tracking vulnerability is particularly concerning for iPhone users. If you’ve never linked your Google or Sony headphones to a Google account, an attacker can register them to their own account and monitor your movements indefinitely. While you might eventually receive a tracking notification from Apple or Google, the alert would indicate your own device is tracking you, making it easy to dismiss as a glitch.

How the hack works

The WhisperPair attack exploits fundamental flaws in how manufacturers implemented Google’s Fast Pair specification. According to Google’s guidelines, Fast Pair devices shouldn’t accept new pairings while already connected to another device. However, the researchers found that 17 out of 25 tested devices violated this requirement, allowing silent secondary pairing without any user notification.

To execute the attack, a hacker only needs:

  • A device within Bluetooth range (tested up to 46 feet)
  • The target device’s Model ID (obtainable by owning the same model, intercepting pairing attempts, or querying Google’s public API)
  • A low-cost device like a Raspberry Pi 4

There’s no warning, no pairing notification, and no way for users to detect that the hijacking is happening.

Which devices are affected?

The KU Leuven researchers have published a searchable database of tested devices. Here are the confirmed vulnerable models that are popular among our readers:

Sony:

  • WH-1000XM6
  • WH-1000XM5
  • WH-1000XM4
  • WH-CH720N
  • WF-1000XM5

Google:

  • Pixel Buds Pro 2

Other brands:

  • Nothing Ear (a)
  • OnePlus Nord Buds 3 Pro
  • Jabra Elite 8 Active
  • JBL TUNE BEAM
  • Marshall MOTIF II A.N.C
  • Soundcore Liberty 4 NC
  • Redmi Buds 5 Pro
  • Logitech Wonderboom 4

Notably, several high-profile devices tested as not vulnerable, including the Sonos Ace, Bose QuietComfort Ultra Headphones, Audio-Technica ATH-M20xBT, and Beats Solo Buds.

The researchers emphasize that the vast majority of Fast Pair devices remain untested. Just because your headphones aren’t on the list doesn’t mean they’re safe.

Is there a fix?

Google published a security advisory acknowledging the findings and says it has worked with affected manufacturers to develop patches. However, the fix requires firmware updates that most users likely won’t install or even know about.

Unlike smartphone security updates, which happen automatically, headphone firmware updates typically require downloading the manufacturer’s companion app, manually checking for updates, and keeping your headphones connected during the update.

There’s also no way to disable Fast Pair on affected devices. Factory resetting your headphones will clear any existing attacker access, but the vulnerability remains, and the device can be hijacked again immediately.

What Google is saying

In a statement to WIRED, a Google spokesperson confirmed the WhisperPair findings and said the company has “not seen evidence of any exploitation outside of this report’s lab setting.” Google says it’s “constantly evaluating and enhancing Fast Pair and Find Hub security.”

However, the researchers point out that Google would have no way to observe audio accessory hijacking that doesn’t involve Google devices—meaning real-world exploitation could be happening without Google’s knowledge.

Concerningly, all of the vulnerable devices had been certified by Google’s Fast Pair Validator App and passed through Google-selected lab testing. The fact that so many implementation flaws made it through the certification process raises questions about the vetting standards.

The researchers also told WIRED they found a bypass for Google’s Find Hub tracking patch within hours of its release, though Google hasn’t commented on that claim.

What you should do

If you own any of the affected devices, here’s what the researchers recommend:

  1. Check for firmware updates: Open your headphones’ companion app (Sony Headphones Connect, Jabra Sound+, JBL Headphones, etc.) and look for available updates
  2. Install updates immediately: Even if this seems inconvenient, the security risk is significant
  3. Enable automatic updates if available: Some apps offer this option
  4. Check the WhisperPair database: See if your specific model has been tested
  5. Stay vigilant: If you receive unexpected tracking notifications about your own devices, investigate rather than dismissing them

The bigger picture

The Bose QuietComfort Ultra (gen 2) normally pairs automatically with your phone.

The WhisperPair vulnerabilities highlight a growing tension between convenience and security in consumer technology. Google designed Fast Pair to eliminate the friction of Bluetooth pairing, but that convenience came at the cost of robust security implementation.

The researchers emphasize that Bluetooth itself isn’t vulnerable—only the Fast Pair protocol Google built on top of it. They suggest one fundamental fix: Fast Pair should cryptographically enforce device ownership and require authentication for new pairings, rather than relying on manufacturers to implement security correctly.
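
A sketch of that suggested fix, as an added example that is not code from the researchers, Google, or any manufacturer: a toy accessory model in Python that refuses pairing while already connected and otherwise requires an HMAC proof of a key set up at first pairing. The class, method names, and message flow are assumptions for illustration and do not reflect Fast Pair's actual message format.

```python
import hashlib
import hmac
import secrets


def owner_proof(owner_key: bytes, nonce: bytes) -> bytes:
    """Proof that the requester holds the key set up at first pairing."""
    return hmac.new(owner_key, nonce, hashlib.sha256).digest()


class Accessory:
    """Hypothetical accessory pairing policy; not Fast Pair's message format."""

    def __init__(self, owner_key, check_state=True, check_owner=True):
        self.owner_key = owner_key      # assumption: stored at first pairing
        self.check_state = check_state
        self.check_owner = check_owner
        self.connected = False          # an existing host link is active
        self._nonce = None

    def challenge(self) -> bytes:
        """Fresh nonce per attempt, so a captured proof cannot be replayed."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def pairing_request(self, proof: bytes = b"") -> str:
        nonce, self._nonce = self._nonce, None      # nonce is single use
        if self.check_state and self.connected:
            return "reject: already connected"
        if self.check_owner:
            if nonce is None:
                return "reject: no challenge issued"
            if not hmac.compare_digest(owner_proof(self.owner_key, nonce), proof):
                return "reject: ownership proof invalid"
        self.connected = True
        return "accept"


def run_cases() -> dict:
    key = secrets.token_bytes(32)           # constructed sample key
    results = {}
    flawed = Accessory(key, check_state=False, check_owner=False)
    flawed.connected = True                 # in use by its owner
    results["flawed_while_connected"] = flawed.pairing_request()
    fixed = Accessory(key)
    fixed.connected = True
    results["fixed_while_connected"] = fixed.pairing_request()
    fixed.connected = False                 # idle, e.g. in the case
    fixed.challenge()
    results["fixed_idle_stranger"] = fixed.pairing_request(b"\x00" * 32)
    nonce = fixed.challenge()
    results["fixed_idle_owner"] = fixed.pairing_request(owner_proof(key, nonce))
    return results
```

The state check alone covers the case the researchers found violated; the ownership proof covers an accessory that is idle, where a state check has nothing to reject.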

For now, hundreds of millions of headphones and earbuds remain vulnerable, and whether users actually receive and install the necessary patches remains uncertain. It’s yet another reminder that the “smart” features in our audio devices come with real security and privacy trade-offs. Manufacturers need to prioritize protection alongside convenience.