Security flaw discovered in Bluetooth headphones that allows hackers to hijack your device
Millions of Bluetooth headphones are estimated to have a security flaw that allows them to be used to remotely force access to phones
A security flaw dubbed WhisperPair has put the industry on alert because it allows hackers to hijack Bluetooth headphones and speakers that use Google's Fast Pair, with the risk of espionage, audio injection, and even tracking in some cases. The problem isn't "Bluetooth in general," but how many manufacturers implemented Fast Pair, leaving the door open to attacks without the user even touching the pairing button.
Hidden access point to your phone
Google Fast Pair was created to make connecting headphones to Android/ChromeOS almost instantaneous, with that "tap to pair" pop-up that appears as soon as you open the case or turn on the headphones.
The unsettling twist: researchers at KU Leuven (Belgium) found that, on several certified accessories, Fast Pair can accept pairing requests even if the device isn't actually in pairing mode, something that theoretically shouldn't happen.
In practice, this means that a nearby attacker (within Bluetooth range) can try to force a connection and "steal" your audio accessory in seconds, even if you were already using it. And the worst part: once the attacker manages to pair with the accessory, they can gain access "as if they owned the device," with actions ranging from interrupting or injecting audio to, on models with microphones, potentially unauthorized listening (depending on the device and the attack).
Which brands are affected by the security flaw?
The public report on WhisperPair points to 17 affected models across 10 companies that received Fast Pair certification, including Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. Engadget also reports that Google states its affected Pixel Buds are already patched and protected, while other partners continue to investigate or deploy fixes.
The relevant point here (and the reason this is escalating to "millions"): Fast Pair is embedded in a huge number of modern headphones and speakers, so a repeated implementation flaw across brands becomes a problem with massive reach. And yes, this doesn't feel like your typical "niche" bug: the attack becomes plausible precisely because of the everyday nature of the scenario (people walking around with headphones on in public spaces).
How to protect your device?
Researchers describe how an attacker within Bluetooth range can hijack the device and, depending on the model, activate sensitive functions (like the microphone) or manipulate the audio. There's also an extra angle: in certain cases, if the accessory hadn't been previously linked to an account, an attacker could associate it with their own account and use location features related to Find Hub/Find My Device to track the device, although Google said it has deployed mitigations and the researchers reported finding a quick bypass.

