{"id":25157,"date":"2026-01-21T15:44:50","date_gmt":"2026-01-21T11:44:50","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=25157"},"modified":"2026-01-21T15:44:50","modified_gmt":"2026-01-21T11:44:50","slug":"whisperpair-blueooth-headset-location-tracking","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/whisperpair-blueooth-headset-location-tracking\/25157\/","title":{"rendered":"Are your Bluetooth headphones spying on you?"},"content":{"rendered":"<p>A newly discovered vulnerability named WhisperPair can turn Bluetooth headphones and headsets from many well-known brands into personal tracking beacons \u2014 regardless of whether the accessories are currently connected to an iPhone, Android smartphone, or even a laptop. Even though the technology behind this flaw was originally developed by Google for Android devices, the tracking risks are actually much higher for those using vulnerable headsets with other operating systems \u2014 like iOS, macOS, Windows, or Linux. For iPhone owners, this is especially concerning.<\/p>\n<p>Connecting Bluetooth headphones to Android smartphones became a whole lot faster when Google rolled out Fast Pair, a technology now used by dozens of accessory manufacturers. To pair a new headset, you just turn it on and hold it near your phone. If your device is relatively modern (produced after 2019), a pop-up appears inviting you to connect and download the accompanying app, if it exists. One tap, and you\u2019re good to go.<\/p>\n<p>Unfortunately, it seems quite a few manufacturers didn\u2019t pay attention to the particulars of this tech when implementing it, and now their accessories can be hijacked by a stranger\u2019s smartphone in seconds \u2014 even if the headset isn\u2019t actually in pairing mode. 
This is the core of the WhisperPair vulnerability, recently discovered by researchers at KU Leuven and recorded as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-36911\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-36911<\/a>.<\/p>\n<p>The attacking device \u2014 which can be a standard smartphone, tablet or laptop \u2014 broadcasts Google Fast Pair requests to any Bluetooth devices within a 14-meter radius. As it turns out, a long list of headphones from Sony, JBL, Redmi, Anker, Marshall, Jabra, OnePlus, and even Google itself (the Pixel Buds 2) will respond to these pings even when they aren\u2019t looking to pair. On average, the attack takes just 10 seconds.<\/p>\n<p>Once the headphones are paired, the attacker can do pretty much anything the owner can: listen in through the microphone, blast music, or \u2014 in some cases \u2014 locate the headset on a map if it supports Google Find Hub. That latter feature, designed strictly for finding lost headphones, creates a perfect opening for stealthy remote tracking. And here\u2019s the twist: it\u2019s actually most dangerous for Apple users and anyone else rocking non-Android hardware.<\/p>\n<h2>Remote tracking and the risks for iPhones<\/h2>\n<p>When headphones or a headset first shake hands with an Android device via the Fast Pair protocol, an owner key tied to that smartphone\u2019s Google account is tucked away in the accessory\u2019s memory. This info allows the headphones to be found later by leveraging data collected from millions of Android devices. If any random smartphone spots the target device nearby via Bluetooth, it reports its location to the Google servers. 
This feature \u2014 Google Find Hub \u2014 is essentially the Android version of Apple\u2019s Find My, and it introduces the same <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-find-airtag-and-other-location-trackers-on-android-2024\/51908\/\" target=\"_blank\" rel=\"noopener nofollow\">unauthorized tracking risks as a rogue AirTag<\/a>.<\/p>\n<p>When an attacker hijacks the pairing, their key can be saved as the headset owner\u2019s key \u2014 but only if the headset targeted via WhisperPair hasn\u2019t previously been linked to an Android device and has only been used with an iPhone, or other hardware like a laptop with a different OS. Once the headphones are paired, the attacker can stalk their location on a map at their leisure \u2014 crucially, anywhere at all (not just within the 14-meter range).<\/p>\n<p>Android users who\u2019ve already used Fast Pair to link their vulnerable headsets are safe from this specific move, since they\u2019re already logged in as the official owners. Everyone else, however, should probably double-check their manufacturer\u2019s documentation to see if they\u2019re in the clear \u2014 thankfully, not every device vulnerable to the exploit actually supports Google Find Hub.<\/p>\n<h2>How to neutralize the WhisperPair threat<\/h2>\n<p>The only truly effective way to fix this bug is to update your headphones\u2019 firmware, provided an update is actually available. You can typically check for and install updates through the headset\u2019s official companion app. 
The researchers have compiled a list of vulnerable devices on <a href=\"https:\/\/whisperpair.eu\/vulnerable-devices\" target=\"_blank\" rel=\"noopener nofollow\">their site<\/a>, but it\u2019s almost certainly not exhaustive.<\/p>\n<p>After updating the firmware, you absolutely must perform a factory reset to wipe the list of paired devices \u2014 including any unwanted guests.<\/p>\n<p>If no firmware update is available and you\u2019re using your headset with iOS, macOS, Windows, or Linux, your only remaining option is to track down an Android smartphone (or find a trusted friend who has one) and use it to reserve the role of the original owner. This will prevent anyone else from adding your headphones to Google Find Hub behind your back.<\/p>\n<h2>The update from Google<\/h2>\n<p>In January 2026, Google pushed an Android update to patch the vulnerability on the OS side. Unfortunately, the specifics haven\u2019t been made public, so we\u2019re left guessing exactly what they tweaked under the hood. Most likely, updated smartphones will no longer report the location of accessories hijacked via WhisperPair to the Google Find Hub network. But given that not everyone is exactly speedy when it comes to installing Android updates, it\u2019s a safe bet that this type of headset tracking will remain viable for at least another couple of years.<\/p>\n<blockquote><p>Want to find out how else your gadgets might be spying on you? 
Check out these posts:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/airtag-and-stalkerware-protection-on-android\/52652\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>How to protect yourself from Bluetooth stalking and more<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/protecting-from-tracking-via-findmy-airtag\/53245\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>How to track anyone via the Find My network<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-find-airtag-and-other-location-trackers-on-android-2024\/51908\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>How to stop being tracked via Bluetooth beacons like AirTag<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/disable-mobile-app-ad-tracking\/53096\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>How smartphones build a dossier on you<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-remove-yourself-from-data-brokers-people-search-sites\/54209\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Why data brokers build dossiers on you, and how to stop them doing so<\/strong><\/a><\/li>\n<\/ul>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Breaking down the WhisperPair attack, which allows victims to be tracked via ordinary Bluetooth 
headphones.<\/p>\n","protected":false},"author":2722,"featured_media":25158,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[2545,105,14,381,2226,22,1061,43,738,521,783],"class_list":{"0":"post-25157","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-airtag","9":"tag-android","10":"tag-apple","11":"tag-bluetooth","12":"tag-geolocation","13":"tag-google","14":"tag-ios","15":"tag-privacy","16":"tag-surveillance","17":"tag-threats","18":"tag-tracking"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/whisperpair-blueooth-headset-location-tracking\/25157\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/whisperpair-blueooth-headset-location-tracking\/30094\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/whisperpair-blueooth-headset-location-tracking\/29973\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/whisperpair-blueooth-headset-location-tracking\/28918\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/whisperpair-blueooth-headset-location-tracking\/30415\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/whisperpair-blueooth-headset-location-tracking\/41185\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/whisperpair-blueooth-headset-location-tracking\/14210\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/whisperpair-blueooth-headset-location-tracking\/55162\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/whisperpair-blueooth-headset-location-tracking\/23531\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/whisperpair-blueooth-headset-location-tracking\/24680\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/whisperpair-blueooth-headset-location-tracking\/30179\/"},{"hreflang":"en-au
","url":"https:\/\/www.kaspersky.com.au\/blog\/whisperpair-blueooth-headset-location-tracking\/35858\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/whisperpair-blueooth-headset-location-tracking\/35513\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/bluetooth\/","name":"Bluetooth"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=25157"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25157\/revisions"}],"predecessor-version":[{"id":25159,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/25157\/revisions\/25159"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/25158"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=25157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=25157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=25157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}