Critical Fast Pair flaw lets attackers hijack Bluetooth headsets and eavesdrop

Security researchers discovered a critical vulnerability in Google’s Fast Pair protocol that can let attackers hijack Bluetooth audio accessories, track users, and eavesdrop on conversations, affecting hundreds of millions of headphones, earbuds, and speakers worldwide.

KEY FACTS

  • Incident: Critical Fast Pair implementation flaw enables forced pairing and device hijack
  • Affected devices: Hundreds of millions of headphones, earbuds, and speakers from multiple manufacturers
  • CVE: CVE-2025-36911
  • Mitigation: Firmware updates from device makers are required to fix vulnerable accessories

A technical analysis by KU Leuven’s Computer Security and Industrial Cryptography group (COSIC) reported that the vulnerability stems from improper implementation of the Fast Pair protocol. The specification says accessories must ignore pairing requests when not in pairing mode. Many flagship audio accessories do not enforce that check, allowing unauthorised devices to initiate pairing and then complete a regular Bluetooth pairing after receiving a reply.
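
The missing check described above, sketched as an added example (not code from the article, the researchers, or any vendor). The struct, the function names, the tick-based pairing window and the re-check at the Bluetooth pairing step are assumptions of this simplified model, which does not reproduce the Fast Pair message format.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified accessory model. All names are hypothetical; this is not the
 * Fast Pair message format or any vendor's firmware. */
typedef struct {
    bool     pairing_mode;      /* set only by a deliberate user action */
    uint32_t pairing_expires;   /* tick when the window closes (assumption) */
    bool     reply_sent;        /* a reply lets the peer continue to pairing */
} accessory_t;

/* User action (e.g. holding the pairing button) opens a bounded window. */
void enter_pairing_mode(accessory_t *a, uint32_t now, uint32_t window) {
    a->pairing_mode = true;
    a->pairing_expires = now + window;
}

/* Fail closed: an expired window counts as "not in pairing mode". */
static bool pairing_allowed(accessory_t *a, uint32_t now) {
    if (a->pairing_mode && (int32_t)(now - a->pairing_expires) >= 0)
        a->pairing_mode = false;
    return a->pairing_mode;
}

/* Flawed behaviour described in the article: the state is never consulted. */
bool handle_request_flawed(accessory_t *a, uint32_t now) {
    (void)now;
    a->reply_sent = true;
    return true;
}

/* Hardened: ignore the request outright unless the user opened the window. */
bool handle_request_hardened(accessory_t *a, uint32_t now) {
    if (!pairing_allowed(a, now))
        return false;           /* no reply, so no follow-on pairing */
    a->reply_sent = true;
    return true;
}

/* The later Bluetooth pairing step re-checks the state instead of trusting
 * that a reply implies consent (defence in depth, an assumption here). */
bool accept_bluetooth_pairing(accessory_t *a, uint32_t now) {
    return a->reply_sent && pairing_allowed(a, now);
}
```
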

Attackers can use any Bluetooth-capable device to forcibly pair with vulnerable accessories from Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, and Xiaomi. The attack works at ranges of up to 14 meters, takes seconds, and requires no user interaction or physical access.

After pairing, an attacker gains control of the audio device and can play loud audio or access the microphone to eavesdrop. The flaw can also enable location tracking through Google’s Find Hub network: when an accessory has never been paired with an Android device, the attacker can add it to their own Google account. Victims may receive a tracking notification that displays their own device, which could lead them to ignore the alert.

Google awarded the researchers a $15,000 bounty and coordinated with manufacturers to release security patches during a 150-day disclosure window. Security updates addressing the flaw may not yet be available for all affected devices. The only effective defence is installing firmware updates from device makers. Disabling Fast Pair on Android phones does not prevent the attack because the feature cannot be disabled on the accessories.

WHY IT MATTERS

Owners of vulnerable Bluetooth audio accessories face risks of silent hijacking, eavesdropping, and long-term tracking unless manufacturers issue and users install firmware updates. Users should follow vendor guidance and apply updates when they become available.