
Analysis: Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices

A Critical Bluetooth Flaw Puts Millions at Risk in Northeast India

Security researchers have uncovered a significant vulnerability in Google's Fast Pair protocol, potentially exposing hundreds of millions of Bluetooth audio devices across the globe, including those used in Northeast India. This flaw, known as WhisperPair (CVE-2025-36911), can allow hackers to hijack devices, track users, and eavesdrop on conversations.

Improper Implementation of Fast Pair Protocol

The root cause of this vulnerability lies in the improper implementation of the Fast Pair protocol in numerous flagship audio accessories. Despite the protocol's specification stating that Bluetooth devices should ignore pairing requests when not in pairing mode, many manufacturers have failed to enforce this check in their products.
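The missing check can be pictured with a small accessory-side model. This is an added example, not code from the Fast Pair specification or any vendor firmware; the struct, function names, the two-minute window and the single-use window are all assumptions made for illustration.

```c
/* Added illustration: hypothetical accessory-side pairing gate.
 * Every name and constant here is an assumption, not vendor or spec code. */
#include <stdbool.h>
#include <stdint.h>

#define PAIRING_WINDOW_MS 120000u   /* assumed: pairing mode lasts 2 minutes */

typedef enum { REQ_IGNORED = 0, REQ_ACCEPTED = 1 } pair_result_t;

typedef struct {
    bool     pairing_mode;        /* set only by a physical user action */
    uint32_t pairing_started_ms;  /* tick when pairing mode was entered */
    unsigned bonded_peers;        /* hosts bonded so far */
} accessory_t;

/* Called when the user presses the pairing button or opens the case. */
void enter_pairing_mode(accessory_t *a, uint32_t now_ms) {
    a->pairing_mode = true;
    a->pairing_started_ms = now_ms;
}

/* True only while the user-initiated window is open. Unsigned subtraction
 * keeps the comparison correct when the millisecond tick wraps around. */
static bool pairing_window_open(accessory_t *a, uint32_t now_ms) {
    if (a->pairing_mode &&
        (uint32_t)(now_ms - a->pairing_started_ms) >= PAIRING_WINDOW_MS)
        a->pairing_mode = false;  /* window expired */
    return a->pairing_mode;
}

/* Flawed pattern: the request is processed regardless of pairing mode. */
pair_result_t handle_pair_request_flawed(accessory_t *a, uint32_t now_ms) {
    (void)now_ms;
    a->bonded_peers++;
    return REQ_ACCEPTED;
}

/* Corrected pattern: ignore the request unless the user opened a pairing
 * window, and close the window after one successful pairing. */
pair_result_t handle_pair_request_checked(accessory_t *a, uint32_t now_ms) {
    if (!pairing_window_open(a, now_ms))
        return REQ_IGNORED;       /* no state change */
    a->bonded_peers++;
    a->pairing_mode = false;
    return REQ_ACCEPTED;
}
```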

Attackers' Capabilities

An attacker with any Bluetooth-enabled device can exploit WhisperPair to forcibly pair with vulnerable accessories from various manufacturers, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi. The attack works within a range of up to 14 meters and requires neither user interaction nor physical access. Once paired, the attacker gains complete control over the device and can eavesdrop on conversations or blast audio at high volumes.

Location Tracking and Privacy Concerns

WhisperPair also allows attackers to track their victims' locations using Google's Find Hub network if the accessory has never been paired with an Android device. The victim may receive an unwanted tracking notification, which, if dismissed, could enable an attacker to continue tracking the user for an extended period.

Implications for Northeast India and Beyond

The implications of this vulnerability extend beyond Northeast India, as it affects users across the globe, regardless of their smartphone operating system. The widespread use of Fast Pair-enabled Bluetooth devices in everyday life means that the risk of eavesdropping, hijacking, and location tracking is significant for millions of users, including those in Northeast India.

Moving Forward

Google issued security patches for affected devices during a 150-day disclosure window, but updates may not yet be available for all vulnerable devices. Users are advised to install firmware updates from their device manufacturers to protect themselves against WhisperPair attacks. Disabling Fast Pair on Android phones does not prevent the attack, as the feature cannot be disabled on the accessories themselves.