Your Bluetooth Earbuds Can Be Hacked: WhisperPair Attack Explained and How to Stay Safe

If you own a pair of Sony WH-1000XM6, WF-1000XM5, Google Pixel Buds Pro 2, or any of a dozen other popular Bluetooth headphones, there is something you need to do today: update your firmware. Belgian security researchers have discovered a series of vulnerabilities — collectively called WhisperPair — in Google's Android Fast Pair feature that could allow hackers to track your location and potentially access your microphone without your knowledge.

What Is the WhisperPair Attack?

WhisperPair exploits Google's Fast Pair, the Android feature that makes it easy to quickly pair Bluetooth accessories with your phone by holding them close together. Researchers from Belgium found that this same convenience feature can be abused in three serious ways:

  • Location tracking: If a Bluetooth device has never been associated with a Google account, an attacker can secretly pair it with their own malicious Google account. This lets them track the device's location in real time through Google's Find Hub — meaning they can track you whenever you carry those earbuds.
  • Microphone access: The researchers demonstrated it was theoretically possible to connect to a paired phone's onboard microphones and listen in on nearby conversations.
  • Unauthorised pairing: Attackers within Bluetooth range can connect to your audio devices without your knowledge or consent.

Which Devices Are Affected?

More than a dozen popular headphones and earbuds are vulnerable to WhisperPair attacks, including:

  • Sony WH-1000XM6 (top-ranked noise-cancelling headphones)
  • Sony WF-1000XM5 (flagship earbuds)
  • Google Pixel Buds Pro 2
  • Several other widely used Bluetooth audio devices

A full list of affected devices is available at whisperpair.eu. Google notified manufacturers about the issue in September 2024, and both Google and Sony have since issued patches and firmware updates to address the vulnerabilities.

Should You Actually Be Worried?

The short answer: it is serious enough to act on, but not a reason to panic. Here is why:

The attack requires physical proximity

None of the WhisperPair attacks can be performed remotely. An attacker must be within Bluetooth range of your device — typically about 10 metres — and the device must be connected and actively in use. This significantly limits the realistic threat compared to, say, a remote software hack.

Headphone mics are poor spy tools

Wirecutter's audio expert Lauren Dragan tested this extensively with the Sony WH-1000XM6. She found that once the headphones were off the wearer's ears, the microphone was largely ineffective at capturing clear audio. Even when worn around the neck, speech was difficult to hear clearly. Most modern headphones go into standby mode when removed anyway, which would interrupt any attempted surveillance.

Patches are already available

Google stated: "We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting." Both Google and major manufacturers have issued updates. The main risk is for users who have not yet updated their devices.

How to Protect Yourself Right Now

Follow these three steps immediately if you own any of the affected devices:

  1. Update your headphone firmware — Download the manufacturer's companion app (e.g., Sony Headphones Connect, Google Pixel Buds app) and check for available firmware updates. Install them immediately.
  2. Perform a factory reset on the affected device to clear any potentially unauthorised pairings.
  3. Reconnect via Fast Pair — Use Fast Pair to re-pair your device with your Android phone or Chromebook. This formally associates the device with your Google account, which prevents it from being secretly linked to someone else's account.

"While we all update our phones and computers, accessories should also be updated." — Sayon Duttagupta, WhisperPair researcher

The Bigger Picture: IoT Security Is Still a Blind Spot

WhisperPair is part of a broader pattern. Most people diligently update their smartphones and laptops, but Bluetooth accessories — headphones, smart speakers, routers, earbuds — often run on old firmware for years without an update. These devices talk to your phone constantly and have access to your microphone, your location, and sometimes your home network.

Researcher Sayon Duttagupta put it clearly: "Even well-intentioned features can turn everyday personal devices into tools for surveillance and abuse." The convenience of Fast Pair, Bluetooth pairing shortcuts, and similar features always comes with a corresponding attack surface.

If you hold sensitive conversations over the phone — whether business calls, medical discussions, or private matters — consider using a wired headset instead of Bluetooth for those specific situations.

How to Stay on Top of Accessory Updates

Unlike phones that notify you of updates automatically, accessories require manual attention. Here is a simple routine:

  • Download the companion app for every Bluetooth device you own (Sony Headphones Connect, Bose Music, JBL Headphones, etc.)
  • Schedule a monthly check in those apps to look for firmware updates
  • Enable any automatic update settings where available
  • When in doubt, a factory reset + fresh pairing clears most security concerns

The Bottom Line

Bluetooth earbuds can be hijacked to track your location and access your mic — via a flaw in Android's Fast Pair. Sony WH-1000XM6, Pixel Buds Pro 2, and 10+ other popular headphones are affected. The good news: patches are out, and protecting yourself takes less than five minutes. Open your headphone app, update the firmware, factory reset, and re-pair. Do it today.