
Beware of Bluetooth headphones: researchers discover you can be spied on without you knowing

  • Apr 14, 2026 01:30

In the metro, while walking, at home, at work... Bluetooth headphones have become a silent, reassuring presence and an extension of our smartphone. This is precisely why the discovery made by a group of European researchers is a cause for concern.

According to the researchers, a vulnerability can turn this everyday accessory into a tool for tracking and eavesdropping.

The flaw is called WhisperPair, and was identified by researchers at KU Leuven University in Belgium. It concerns the Google Fast Pair system, used by a large number of wireless headsets and earphones. The name means little to most people, but it is the feature behind the precise moment when your phone instantly 'sees' your headphones as soon as you open their case.

When convenience becomes a problem

The heart of the problem is simple, and that's exactly what makes it troubling. Some Bluetooth headsets accept connection requests even when they shouldn't, i.e. without the user having deliberately initiated the pairing process.

In practice, if a malicious person is nearby (we're talking about a distance comparable to that of a bus stop), they can pair your earphones with their own device in a matter of seconds, without any obvious notifications or clear warnings.

Once the process has begun, the accessory is no longer under your control. The attacker can play sudden sounds, interfere with the audio and, above all, listen in on what's going on around you, particularly with models equipped with a microphone: private conversations, phone calls, household noises... And you won't realize it immediately.

A more subtle risk

There's one aspect that worries researchers even more, and that's location tracking. Indeed, some Fast Pair-enabled earphones also work with 'Find My Device', Google's tracking system designed to help find lost objects.

If a pair of headphones has never been linked to a Google account, an attacker can do it for you. From then on, by exploiting the network of Android smartphones passing nearby, the victim's movements can be reconstructed. Not in real time like GPS, but with enough precision to understand their habits, routes and the places they frequent. The paradox is clear: a feature originally created to help can quickly become a surveillance tool.

A widespread problem, not an isolated case

The WhisperPair flaw does not concern a single model or niche manufacturer. According to the study, many vulnerable devices have passed quality tests and certification processes, including those linked to Google Fast Pair. Among the brands involved are some household names, including Sony, JBL, Xiaomi, OnePlus, Logitech and Google itself.

The flaw was reported in August 2025 and is classified as critical, under the code CVE-2025-36911. Some corrective updates have already been released, but the researchers themselves recommend caution: not all patches appear to be definitive.

Be cautious

And be careful, because you don't really need an Android smartphone to be exposed. Even iPhone owners can find themselves in a vulnerable position if they use Fast Pair-enabled third-party headphones and have never linked them to a Google account. The critical point, in fact, is not the phone, but the Bluetooth implementation in the earphones themselves.

To be successful, the operation must be carried out quickly and close to the victim. What's more, when the headphones are switched off and placed in their case, the attack cannot be launched.

Today, awareness remains the only real defense. Updating the firmware on your headphones, using official applications to check for active connections and not delaying system updates are currently the most practical ways of reducing the risks.

Source: Whisperpair.eu
