Several Bluetooth audio devices from companies like Sony, Anker, and Nothing are susceptible to a new flaw that can allow attackers to listen in on conversations or track devices that use Google’s Find Hub network, as reported by Wired.
Sony, Anker, and other headphones have a serious Google Fast Pair security vulnerability
Researchers say the issue can allow attackers to listen to the mics on wireless audio devices, or track their location.

Researchers from KU Leuven University’s Computer Security and Industrial Cryptography group in Belgium discovered several vulnerabilities in Google’s Fast Pair protocol that can allow a hacker within Bluetooth range to secretly pair with some headphones, earbuds, and speakers. The attacks, which the researchers have collectively dubbed WhisperPair, can even be used on iPhone users with affected Bluetooth devices despite Fast Pair being a Google-specific feature.
Fast Pair streamlines Bluetooth pairing: when a compatible accessory is nearby, Android and Chrome OS devices show a pop-up that connects to it with a single tap. But the researchers found that many accessories don’t implement Fast Pair correctly. In particular, Google’s specification says a Fast Pair accessory shouldn’t accept a pairing request from a new device while it is already connected to another one, and many of the tested devices ignore that rule, which is what lets an attacker in Bluetooth range pair with headphones that are in use.
The researchers tested their WhisperPair attacks on over two dozen Bluetooth devices and were successful in hacking 17 of them. They were able to play their own audio through the compromised headphones and speakers at any volume, intercept phone calls, and even eavesdrop on conversations using the devices’ microphones.
A more serious issue was found to affect five Sony products and Google’s Pixel Buds Pro 2. If the devices had never been connected to an Android device and linked to a Google account (a step that isn’t required when using them with iPhones), WhisperPair could be used to pair them and link them to a hacker’s Google account, which would then be recognized as the device’s owner. That would allow the hacker to use Google’s Find Hub network to track the user’s location and movements through their headphones. The victim’s phone would show unknown-tracker warnings, but the attack works as long as the user dismisses those notifications as errors.
The full list of affected devices spans 10 different companies and includes the Sony WH-1000XM6, WH-1000XM5, and WH-1000XM4 headphones, and the Nothing Ear (a), OnePlus Nord Buds 3 Pro, and Anker Soundcore Liberty 4 NC earbuds.
The researchers reported their findings to Google in August 2025. The company then recommended fixes to its “accessory OEM partners” in September and updated its certification requirements to mitigate similar issues going forward. “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting,” Google spokesperson Ed Fernandez says in a written statement to The Verge.
The recommended fixes resolve all the Fast Pair issues once a software update has been installed, but Google implemented an additional Find Hub network update to prevent WhisperPair from being used to track certain Bluetooth devices that haven’t been patched. The researchers told Wired it only took them a few hours to bypass that patch and continue their tracking. According to Fernandez, the researchers used “old/not updated accessory OEM firmware in order to execute their workaround,” and Google is “looking into the bypass for this additional fix,” which was only submitted earlier this week.
The Fast Pair feature can’t be disabled, so the only way to protect against WhisperPair attacks is for users to install firmware updates released by manufacturers that resolve the vulnerabilities. The Verge reached out to all the manufacturers with affected hardware to confirm the progress of fixes.
Spenser Blank, the head of marketing & communications for OnePlus North America, told The Verge in a written statement that the company “takes all security reports seriously” and that it’s “currently investigating this matter and will take appropriate action to protect our users’ security and privacy.”
In a written statement shared by Anker’s Adam Weissman to The Verge, the company says it’s “aware of the Bluetooth issue related to Google Fast Pair and our team is working on a software update to address it. The fix will be delivered via an OTA update through the Soundcore app following standard testing and validation. We’ll share more details as the update becomes available.”
Carole Campbell, Harman’s executive director of global communications, says in a written statement to The Verge that updates for affected JBL products should be released in the coming weeks. “Google has advised JBL about potential security vulnerabilities that could impact devices including headphones and speakers. We have received the security patches from Google and the software will be updated via JBL apps over the next few weeks. JBL remains committed to delivering high-quality audio experiences that prioritize both performance and user safety!”
Malena Heed, Marshall’s VP of communications and sustainability, says in a written statement to The Verge that updates addressing the vulnerability were released in November. “We can confirm that Marshall has issued the necessary firmware updates and security patches to address the headphones potentially affected. These updates have been available since November and have been offered to all users since then. While this is an industry-wide issue, we take it seriously and are working closely with Google to reduce the risk of similar vulnerabilities in the future.”
Lewis Hopkins, the senior global PR manager for Nothing, says most of the company’s headphones have firmware updates addressing the issue, while others are still in testing, in a written statement to The Verge. “We are aware of a reported security vulnerability related to Google Fast Pair. The Nothing product team has already initiated a firmware update to address the issue. We can confirm that the following Nothing and CMF audio products released in 2025 have already completed the fix. By updating to the specified firmware version (below) or later, users can avoid this vulnerability.
- Nothing Ear (3) - v 1.0.1.67
- Nothing Headphone (1) - v 1.0.1.80
- CMF Buds Pro 2 - v 1.0.1.72
- CMF Buds 2 - v 1.0.1.50
- CMF Buds 2 Plus - v 1.0.1.52
- CMF Headphone Pro - v 1.0.1.44
- Ear (open) - v 1.0.1.28
For Nothing Ear (a), the firmware update is currently in testing. We plan to begin rolling out the update by early February, and all remaining supported products will complete the update rollout by the end of February. Ear (1) requires a longer period for verification, once the update is ready we will communicate this to users. We recommend all users keep their devices updated to the latest firmware to ensure the most secure experience. Thank you for your trust and continued support.”
We will update this story as other companies respond.
Update, January 27th: Added comments from Marshall and Nothing.
Update, January 19th: Added comments from Anker and Harman.