WhisperPair: Bluetooth Headset Tracking Vulnerability
🔒 A newly disclosed flaw called WhisperPair (CVE-2025-36911) lets an attacker pair with many Bluetooth headsets by abusing Google Fast Pair requests, even when accessories are not in pairing mode. In roughly 10 seconds and within about 14 meters, a hostile device can assume owner-level privileges, enabling microphone access, audio control, or remote location tracking via Google Find Hub. iPhone and other non‑Android users face elevated risk because an attacker can register the headset to their Google account if it has never been paired to Android. Mitigations include installing vendor firmware updates, performing a factory reset, or using a trusted Android device to claim ownership if no patch is available.
