
The flaw arises from an incomplete implementation of the Fast Pair standard. Bluetooth devices that get a Fast Pair connection request are supposed to accept only when in pairing mode. However, the researchers say that many devices fail this check and will pair regardless. WhisperPair forces the connection through via the regular Bluetooth pairing process.

Hoping for an update

When vulnerabilities are found in phone or computer software, it’s a relatively simple matter to get patches rolled out, as most devices now support automatic updates for critical issues. Accessories aren’t quite the same, though. Many people never install accessory apps on their devices, so they never move beyond the original firmware.

WhisperPair is even more problematic because you cannot disable Fast Pair functionality on supported devices. The only thing you can do is install the companion app and wait for an update. Google says it pushed a phone update to partially protect devices, but the researchers tell Wired that it was a simple matter to find a workaround for that patch. Google says it has since issued a full patch for the Pixel Buds Pro 2. It may take weeks or months for all the affected devices to be fully fixed, particularly when there’s so much confusion about what needs to be fixed.

Google has said it is not aware of WhisperPair being leveraged in the wild. However, the risk of that goes up now that it’s public. If you’re worried someone has used this flaw to gain access to your headphones, all you can do is factory reset them, forcing the attacker to redo the hack. It’s also smart to keep the official app installed so you can get firmware updates as soon as they’re available.

Updated 1/16/26 with additional details from Google. 

 
