HeadlinesBriefing.com

Google Fast Pair Bluetooth vulnerability exposes devices to spyware

Ars Technica - All content

Security researchers from Belgium’s KU Leuven University uncovered a major flaw in Google’s Fast Pair Bluetooth standard, dubbed WhisperPair. The vulnerability allows attackers to hijack compatible devices within 14 meters, granting them microphone access and location tracking. Over a dozen devices from manufacturers like Sony, Nothing, JBL, and Google itself are affected.

The bug stems from an incomplete implementation of the Fast Pair protocol. Devices are supposed to accept connection requests only when in pairing mode, but many skip this check. An attacker can force a connection in about 10 seconds and then eavesdrop or track the user via their headphones or earbuds.
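The missing check described above can be sketched as accessory-side logic. This is an added example, not code from Google, the researchers, or any vendor firmware; the struct, function names, and the timed pairing window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical accessory-side state (illustrative names, not vendor firmware). */
typedef struct {
    bool     pairing_mode;        /* set only by a deliberate user action */
    uint32_t pairing_deadline_ms; /* pairing mode lapses at this tick */
    bool     bonded;              /* a host has been paired */
} accessory_t;

typedef enum { PAIR_ACCEPT, PAIR_REJECT_NOT_IN_PAIRING_MODE } pair_result_t;

/* Called from the button/case handler, never from the radio path. */
void enter_pairing_mode(accessory_t *a, uint32_t now_ms, uint32_t window_ms) {
    a->pairing_mode = true;
    a->pairing_deadline_ms = now_ms + window_ms; /* may wrap; handled below */
}

/* Wrap-safe comparison, valid for windows shorter than 2^31 ms. */
static bool in_pairing_mode(const accessory_t *a, uint32_t now_ms) {
    return a->pairing_mode && (int32_t)(a->pairing_deadline_ms - now_ms) > 0;
}

/* Flawed behaviour described above: any request is honoured, at any time. */
pair_result_t handle_pair_request_flawed(accessory_t *a, uint32_t now_ms) {
    (void)now_ms;
    a->bonded = true;
    return PAIR_ACCEPT;
}

/* Checked behaviour: refuse unless the user opened a pairing window. */
pair_result_t handle_pair_request_checked(accessory_t *a, uint32_t now_ms) {
    if (!in_pairing_mode(a, now_ms)) {
        a->pairing_mode = false;             /* clear a lapsed window */
        return PAIR_REJECT_NOT_IN_PAIRING_MODE;
    }
    a->pairing_mode = false;                 /* one pairing per window */
    a->bonded = true;
    return PAIR_ACCEPT;
}

int main(void) {
    accessory_t idle = {0};                  /* constructed: device in normal use */
    printf("flawed, idle:  %d\n", handle_pair_request_flawed(&idle, 1000));
    idle.bonded = false;
    printf("checked, idle: %d\n", handle_pair_request_checked(&idle, 1000));
    return 0;
}
```

Firmware test suites can assert the same property: a pairing request received outside a user-opened window must leave the device state unchanged.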

Google has acknowledged the flaw and notified partners, but patches must come from individual manufacturers. While Google updated its own devices, researchers found a workaround. Since Fast Pair can’t be disabled, users must install companion apps and wait for firmware updates. Factory resets may temporarily thwart an existing attack.