
Wireless earbuds can be hacked: Here’s how to protect yourself


A handy feature that lets you easily pair earbuds and headphones to Android phones could also let hackers track you and listen in on nearby conversations, security researchers recently found.

While that sounds scary, and it is, the attack is limited in its practicality, and our testing shows that headphones make pretty crummy spy tools.

The best way to stay safe from this attack (and other Bluetooth vulnerabilities) applies to most of the tech devices we test and recommend: Always install security updates. Here’s what to do.

What you need to know

Belgian researchers found that the Android feature, called Fast Pair, can be exploited by attacks that would allow hackers to connect with Bluetooth audio devices paired to a smartphone.

The researchers suggested that it was possible to access a paired phone’s onboard microphones and listen in on nearby conversations.

Worse, if a certain Bluetooth device had never been connected with a Google account, the researchers showed that it was possible to secretly pair the device with a malicious Google account and then track it remotely through Google’s Find Hub.

That means an attacker would be able to see your location when you’re carrying an affected pair of earbuds or headphones.

More than a dozen pairs of headphones and earbuds can be exploited by the WhisperPair attacks, including two of our noise-cancelling headphone and earbud picks, the Sony WH-1000XM6 and WF-1000XM5. (The WH-1000XM5 is also our upgrade pick for the best wireless headphones.) See the full list of known affected devices.


According to Wired, which originally reported the researchers’ findings, Google and many headphone manufacturers have acknowledged the vulnerabilities and addressed the issues with patches and firmware updates.

We found that our picks had received security updates from Sony, but we were unable to confirm whether they addressed this specific issue. We reached out to Sony for comment, but have not yet heard back.

Google’s Pixel Buds Pro 2, a pair of noise-cancelling earbuds that we think are worth considering, was also vulnerable to attack. A Google spokesperson told us:

“We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting.

As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security.”

Google says it contacted manufacturers about the issue in September.

Should you be worried?

These attacks sound scary, but they’re likely not as dangerous as they might seem. For starters, none of these attacks can be performed remotely: An attacker must be within range of the Bluetooth device they’re targeting. The earbuds or headphones must also be connected and actively in use.

According to Wirecutter writer and audio expert Lauren Dragan, most modern headphones, including most of the devices vulnerable to the WhisperPair attack, go into standby or sleep mode when folded up or removed by the wearer to save power.

The researchers told Wirecutter that they did not evaluate how an attack would work with the headphones in standby mode.

To stop someone from maliciously tracking a Bluetooth device you own, follow these steps:

  1. Update the device’s firmware.
  2. Perform a factory reset.
  3. Use Fast Pair to connect your device with an Android phone or Chromebook. This should associate the device with your Google account.

Also, if someone has hijacked your Bluetooth device, you should see an unwanted-tracker alert on your phone, although the researchers pointed out that people would see their own device listed in such an alert and likely ignore the warning.

A hacker probably wouldn’t be able to pick up much audio, however.

Headphone mics are designed to pick up the voice of the wearer and filter out other noises.

Dragan found that once the headphones were off her ears, the mic wasn’t able to capture clear audio. Her voice was partly audible in the recording when the headphones were still on her neck, but even that was difficult to hear. It’s unlikely that stray headphones could pick up your own voice, let alone a nearby conversation.

“In our tests, we validated whether microphone access was possible; we didn’t measure at what distances it would still pick up a conversation,” said Sayon Duttagupta, one of the researchers.


Wireless earbuds and headphones will always be more vulnerable to security issues than wired models. We saw an attack last June that affected more devices than WhisperPair and could also potentially initiate phone calls, though as with WhisperPair, the threat to most people was limited. Apple AirPods have also been patched against similar threats.

If you tend to share highly sensitive information over the phone, we recommend that you use a wired headset instead of a Bluetooth one.

Update your devices

Duttagupta told us that this research demonstrates how conveniences like Fast Pair can introduce vulnerabilities where “even well-intentioned features can turn everyday personal devices into tools for surveillance and abuse.” But just as importantly, Duttagupta stressed, “while we all update our phones and computers, accessories should also be updated.”

Most devices with screens and an internet connection will alert you when an update is available, but devices such as speakers, headphones, smart bulbs, and routers typically require extra steps to install a firmware update.

To update accessories like these, you usually have to download the device’s companion smartphone app and go through setup activities and maybe even create an account.

Though that can be annoying, keeping your devices updated during occasions such as a digital spring cleaning is key to preventing attackers from exploiting security holes. Install the necessary apps (and add any new account information to your password manager), and then check for updates.

And if you have an especially old accessory, consider upgrading; hackers have been known to target ageing devices.

Author

The New York Times
