We wear Bluetooth earphones every day, often without noticing. On the subway, while walking, at home, at work. They have become a silent and reassuring presence, a small extension of our smartphone. Precisely for this reason the discovery made by a group of European researchers makes us think: a vulnerability can turn these common accessories into tracking and listening tools.
The flaw is called WhisperPair and was identified by researchers at the University of Louvain, Belgium. It’s about the quick coupling system Google Fast Pairused by many wireless earphones and headphones. A name that means little to most, but which is actually behind that moment in which the phone immediately “sees” the headphones as soon as the case is opened.
When convenience becomes a problem
The heart of the problem is simple, and this is precisely what makes it disturbing. Some Bluetooth headsets accept connection requests even when they shouldn’tthat is, without the user having voluntarily initiated the pairing.
In practice, if a malicious person is nearby – we are talking about a distance comparable to that of a bus stop – he can Pair your earbuds to your device in secondswithout obvious notifications, without clear warnings.
At that point the accessory is no longer really under your control. The attacker can make sudden sounds, disturb the audio, but above all, in models equipped with a microphone, listen to what is happening around you. Private conversations, phone calls, household noises. All without you immediately realizing it.
The subtlest risk
There is an aspect that worries researchers even more, and it is linked to localization. Some Fast Pair compatible earphones also work with FindHubGoogle’s tracking system designed to find lost items.
If a pair of headphones has never been associated with a Google account, an attacker can do it for you. From that moment, taking advantage of the network of Android smartphones that pass nearby, the victim’s movements can be reconstructed. Not in real time like a GPS, but with sufficient precision to understand habits, routes and frequented places. The paradox is clear: a function created to help can become a surveillance tool.
A widespread problem, not an isolated case
The WhisperPair vulnerability does not affect a single model or niche manufacturer. According to the study, many vulnerable devices have passed quality testing and certification processesincluding those related to Google Fast Pair. Among the brands involved there are names that are also well known to the Italian public, such as Sony, JBL, Xiaomi, OnePlus, Logitech and the same Google.
The flaw was reported in August 2025 and is rated critical with the code CVE-2025-36911. Some corrective updates have already arrived, but the researchers themselves urge caution: .
Who should pay more attention and why it’s not just about Android
An often overlooked detail is that . iPhone users can also be vulnerable if they use third-party Fast Pair-compatible earphones and have never linked them to a Google account. The critical point, in fact, is not the telephone, but the implementation of Bluetooth in the earphones themselves. And this makes the problem transversal, difficult to perceive and even easier to ignore.
We are not faced with a science fiction attack or a movie scenario. The operation must take place quickly and close to the victim. Furthermore, when the earphones are closed in the case, the attack cannot start. Having said that, awareness remains the only real defense. Updating the earphones’ firmware, using official apps to check active connections and not postponing system updates is today the most concrete way to reduce risks.
For those who have already successfully paired the earphones to their account, keep their software and apps up to date, and pay attention to anomalous behavior, there is no reason to be alarmed. But this story reminds us of something important: even the smallest objects, the ones we take for granted, can tell a lot about us.
