Security researchers from KU Leuven University's Computer Security and Industrial Cryptography group have uncovered a critical vulnerability in Google's Fast Pair protocol, dubbed 'WhisperPair' (CVE-2025-36911). This flaw impacts hundreds of millions of Bluetooth audio accessories from numerous manufacturers globally. The 'WhisperPair' attack exploits improper implementations of the Fast Pair specification by various vendors, allowing unauthorized devices to initiate a pairing process without user consent or knowledge, even when the accessory is not in an active pairing mode. Attackers within Bluetooth range (up to 14-15 meters) can forcibly pair with vulnerable devices in seconds using standard Bluetooth-capable hardware. Once a device is hijacked, attackers can gain full control over the accessory. This enables them to play disruptive audio, activate built-in microphones for eavesdropping on conversations, or even intercept calls. Furthermore, if the hijacked accessory supports Google's Find Hub network and has never been paired with an Android device, an attacker can link it to their own Google account to covertly track the victim's location. While Google has issued some fixes, including for its Pixel Buds Pro 2, researchers found a bypass for the Find Hub tracking patch. The vulnerability affects a wide array of devices from major brands like Google, Sony, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Soundcore, and Xiaomi. The researchers responsibly disclosed their findings to Google in August 2025, and Google classified the issue as critical, awarding a $15,000 bug bounty. To address the vulnerability, users are urged to immediately check for and install firmware updates from their headphone or speaker manufacturers via companion apps. Simply updating the phone's operating system or disabling Fast Pair on the phone is insufficient, as the flaw resides in the accessory's firmware.