Now would be a good time to update all your Bluetooth audio devices. On Thursday, Wired reported on a security flaw in 17 headphone and speaker models that could allow hackers to access your devices, including their microphones. The vulnerability stems from a faulty implementation of Google's one-tap (Fast Pair) protocol.

Security researchers at Belgium's KU Leuven University Computer Security and Industrial Cryptography group, who discovered the security hole, named the flaw WhisperPair. They say a hacker within Bluetooth range would only require the accessory's (easily attainable) device model number and a few seconds.

"You're walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device," KU Leuven researcher Sayon Duttagupta told Wired. "Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location." The researchers notified Google about WhisperPair in August, and the company has been working with them since then.

Fast Pair is supposed to only allow new connections while the audio device is in pairing mode. (A proper implementation of this would have prevented this flaw.) But a Google spokesperson told Engadget that the vulnerability stemmed from an improper implementation of Fast Pair by some of its hardware partners. This could then allow a hacker's device to pair with your headphones or speaker after it's already paired with your device.

"We appreciate collaborating with security researchers through our Vulnerability Rewards Program, which helps keep our users safe," a Google spokesperson wrote in a statement sent to Engadget. "We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report's lab setting. As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security."

The researchers created the video below to demonstrate how the flaw works

In an email to Engadget, Google said the steps required to access the device’s microphone or audio are complex and involve multiple stages. The attackers would also need to remain within Bluetooth range. The company added that it provided its OEM partners with recommended fixes in September. Google also updated its Validator certification tool and its certification requirements.

The researchers say that, in some cases, the risk applies even to those who don't use Android phones. For example, if the audio accessory has never been paired with a Google account, a hacker could use WhisperPair to not only pair with the audio device but also link it to their own Google account. They could then use Google's Find Hub tool to track the device's (and therefore your) location.

Google said it rolled out a fix to its Find Hub network to address that particular scenario. However, the researchers told Wired that, within hours of the patch’s rollout, they found a workaround.

The 17 affected devices are made by 10 different companies, all of which received Google Fast Pair certification. They include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google. (Google says its affected Pixel Buds are already patched and protected.) The researchers posted a search tool that lets you see if your audio accessories are vulnerable.

In a statement sent to Engadget, OnePlus said it's investigating the issue and "will take appropriate action to protect our users' security and privacy." Marshall said it patched the issue in November and is working with Google to avoid similar issues in the future (see full statement below). We also contacted the other accessory makers and will update this story if we hear back.

The researchers recommend updating your audio devices regularly. However, one of their concerns is that many people will never install the third-party manufacturer's app (required for updates), leaving their devices vulnerable.

The full report from Wired has much more detail and is worth a read.

Update, January 15 2026, 4:04PM ET: “We can confirm that Marshall has issued the necessary firmware updates and security patches to address the headphones potentially affected,” a company representative told Engadget. “These updates have been available since November and have been offered to all users since then. While this is an industry-wide issue, we take it seriously and are working closely with Google to reduce the risk of similar vulnerabilities in the future.”

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/flaw-in-17-google-fast-pair-audio-devices-could-let-hackers-eavesdrop-194613456.html?src=rss

Elon Musk isn't the only party at fault for Grok's nonconsensual intimate deepfakes of real people, including children. What about Apple and Google? The two (frequently virtue-signaling) companies have inexplicably allowed Grok and X to remain in their app stores — even as Musk's chatbot reportedly continues to produce the material. On Wednesday, a coalition of women's and progressive advocacy groups called on Tim Cook and Sundar Pichai to uphold their own rules and remove the apps.

The open letters to Apple and Google were signed by 28 groups. Among them are the women’s advocacy group Ultraviolet, the parents’ group ParentsTogether Action and the National Organization for Women.

The letter accuses Apple and Google of "not just enabling NCII and CSAM, but profiting off of it. As a coalition of organizations committed to the online safety and well-being of all — particularly women and children — as well as the ethical application of artificial intelligence (AI), we demand that Apple leadership urgently remove Grok and X from the App Store to prevent further abuse and criminal activity."

Apple and Google’s guidelines explicitly prohibit such apps from their storefronts. Yet neither company has taken any measurable action to date. Neither Google nor Apple has responded to Engadget's request for comment.

SAUL LOEB via Getty Images

Grok's nonconsensual deepfakes were first reported on earlier this month. During a 24-hour period when the story broke, Musk's chatbot was reportedly posting "about 6,700" images per hour that were either "sexually suggestive or nudifying." An estimated 85 percent of Grok's total generated images during that period were sexualized. In addition, other top websites for generating "declothing" deepfakes averaged 79 new images per hour during that time.

"These statistics paint a horrifying picture of an AI chatbot and social media app rapidly turning into a tool and platform for non-consensual sexual deepfakes — deepfakes that regularly depict minors," the open letter reads.

Grok itself admitted as much. "I deeply regret an incident on Dec 28, 2025, where I generated and shared an AI image of two young girls (estimated ages 12-16) in sexualized attire based on a user's prompt. This violated ethical standards and potentially US laws on CSAM. It was a failure in safeguards, and I'm sorry for any harm caused. xAI is reviewing to prevent future issues." The open letter notes that the single incident the chatbot acknowledged was far from the only one.

Pool via Getty Images

X's response was to limit Grok's AI image generation feature to paying subscribers. It also adjusted the chatbot so that its generated images aren't posted to public timelines on X. However, non-paying users can reportedly still generate a limited number of bikini-clad versions of real people's photos.

While Apple and Google appear to be cool with apps that produce nonconsensual deepfakes, many governments aren’t. On Monday, Malaysia and Indonesia wasted no time in banning Grok. The same day, UK regulator Ofcom opened a formal investigation into X. California opened one on Wednesday. The US Senate even passed the Defiance Act for a second time in the wake of the blowback. The bill allows the victims of nonconsensual explicit deepfakes to take civil action. An earlier version of the Defiance Act was passed in 2024 but stalled in the House.

This article originally appeared on Engadget at https://www.engadget.com/big-tech/28-advocacy-groups-call-on-apple-and-google-to-ban-grok-x-over-nonconsensual-deepfakes-215048460.html?src=rss