
KU Leuven University's Computer Security and Industrial Cryptography group disclosed "WhisperPair": Google's one-tap Fast Pair Bluetooth protocol is flawed as implemented in 17 models of earbud/speaker accessories from 10 brands (Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, Google). Within Bluetooth range of about 15.2 m (50 ft), an attacker can silently pair and hijack the device in 10–15 s (the article also says <15 seconds), disrupting audio streams/calls, injecting audio at arbitrary volume, and eavesdropping on devices that have a microphone.

The experiments used a low-cost Raspberry Pi 4 to attempt a second pairing against 25 already-paired Fast Pair devices from 16 vendors; the "majority" of devices/vendors were exploitable, and the attack was measured to work at about 14 m (46 ft). The key to the attack is obtaining the Model ID for the target model, which can be done by buying the same model, by having the device leak it during a pairing attempt, or by enumerating all possible Model IDs through a public Google API.

The higher-risk scenario involves the Google Pixel Buds Pro 2 and five Sony models: if the accessory has not yet been bound to a Google account (for example, it has only been used with an iPhone), an attacker can bind the device to their own Google account and use Find Hub for high-resolution location tracking; when the victim receives an anti-tracking notification, the interface may show that it is "their own device" doing the tracking, leading them to dismiss it. On timing, the WIRED article shows a publication time of Jan 15, 2026 07:00 (as given; timezone not stated; in UTC+8 that is 15:00 if the original timezone is UTC−5, or 20:00 if UTC−8). After the researchers reported to Google in August 2025, Google published an advisory and pushed fixes along with an update to Android's Find Hub, but most fixes must be installed through vendor apps, so rollout may lag by months to years, and the researchers say they found a bypass for the Find Hub fix within hours of Google notifying them of it.

KU Leuven University’s Computer Security and Industrial Cryptography group disclosed “WhisperPair,” flaws in how Google’s one-tap Fast Pair Bluetooth protocol is implemented by 17 audio device models from 10 brands (Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, Google). Within Bluetooth range of about 15.2 m (50 ft), an attacker can silently pair in 10–15 s (also described as <15 s) and hijack audio: disrupt streams/calls, inject audio at chosen volume, and—on devices with microphones—eavesdrop.

In testing, the team used a low-cost Raspberry Pi 4 against 25 already-paired Fast Pair devices from 16 vendors and found the majority vulnerable. They completed takeovers from about 14 m (46 ft). The attack requires a model-specific Model ID, obtainable by owning the same model, sometimes leaked during pairing attempts, or derivable by querying a publicly available Google API for all possible Model IDs.

A higher-impact case affects Google Pixel Buds Pro 2 and five Sony models: if an accessory is not yet linked to a Google account (e.g., used only with an iPhone), an attacker can both pair and bind it to the attacker's Google account, enabling Find Hub geolocation tracking; safety alerts may appear to warn that the victim's own device is tracking them, so the victim may dismiss them. Timeline: the WIRED article is dated Jan 15, 2026 07:00 (as given; timezone not stated; in UTC+8 that is 15:00 if the original is UTC−5, or 20:00 if UTC−8). Researchers disclosed to Google in Aug 2025; Google issued an advisory and fixes, but patching via vendor apps is inconsistent, and researchers reported a Find Hub bypass within hours of Google sharing its fix.

2026-01-16 (Friday) · d58f0b60a2ca5dd185e25c84c6387f769b387640