According to research published by KU Leuven University (Belgium), a group of vulnerabilities collectively known as WhisperPair affects a wide range of true wireless earbuds from major brands such as Bose, Sony, JBL, Marshall, Xiaomi, and Jabra. A list of affected earbuds has been published on the WhisperPair website.

Fast Pair was introduced in 2017 and is considered Google’s answer to Apple’s seamless AirPods experience. In practice, it marked a turning point for the Android ecosystem by transforming the previously cumbersome, multi-step Bluetooth pairing process into a one-tap action. However, this convenience also introduced security risks.

Essentially, Fast Pair allows smartphones to instantly detect and connect to nearby wireless earbuds. However, because it is designed to prioritize speed and ease of use, it does not always require strict authentication—an important requirement for stronger security.

The issue originates from certain Bluetooth chip designs, most notably those from Airoha Technology, which prioritize fast connection speeds over thorough security checks. The research team tested 19 different devices, most of which used Airoha chips, and found that 17 of them were “vulnerable.”

According to the researchers, within Bluetooth range (approximately 15 meters), an attacker could exploit the WhisperPair vulnerability to automatically connect to a victim’s earbuds without their knowledge. Once connected, the attacker could play audio through the earbuds, record sound via the microphone, or even track the user’s location.

PhoneArena notes that WhisperPair could be exploited at various levels. At a low level, it could be used as a prank—such as blasting loud music through someone’s earbuds. At a more serious level, it poses a threat to user privacy and security. Given that many major brands rely on Fast Pair and Airoha chips, millions of users could be at risk.

The researchers point out that mitigation is particularly challenging. Unlike smartphones, which frequently prompt users to install system updates, users rarely open companion apps for their earbuds—and some models do not even have such apps. As a result, millions of users may remain vulnerable without realizing that a firmware update is waiting for them. The team therefore recommends that users regularly check and update their earbuds’ software to the latest version.

“We have worked with researchers to address these security vulnerabilities. So far, we have seen no evidence of exploitation outside laboratory conditions. We also continuously evaluate and strengthen Fast Pair’s security,” a Google representative said.

Airoha Technology and the manufacturers of affected products have not yet commented.

Bảo Lâm (theo PhoneArena, WhisperPair)