diff --git a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md index bcd1232dd3f..04cd266b99d 100644 --- a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md +++ b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md @@ -267,6 +267,16 @@ for off in range(0, len(img_bytes), CHUNK): - Prefer Sonoff+Sniffle on Linux for robust channel hopping and connection following. Keep a spare Nordic sniffer as a backup. - Without pairing/bonding, any nearby attacker can observe writes and replay/craft their own to unauthenticated writable characteristics. +## Fast Pair implementation flaws (WhisperPair) + +### Unauthorized pairing via missing pairing-mode check +- Providers should ignore Fast Pair initiation unless in **pairing mode**, but many reply even when idle. +- Send the initiation to a non-pairing device, accept the improper reply, then finish the standard Bluetooth pairing/bonding flow to gain trusted control (including microphone access). + +### Find Hub tracking via first Account Key +- The first **Account Key** written by Android during Fast Pair becomes the owner key; accessories never used with Android lack one. +- If the accessory has never Fast-Paired with Android, write your key via Fast Pair, enroll it in **Find Hub**, and you will receive crowdsourced location reports. Alerts can be delayed and Fast Pair logic typically stays enabled on the accessory, so disabling prompts on the phone does not block this. + ## References - [Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/) 
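Review bot: the two new subsections under "Fast Pair implementation flaws (WhisperPair)" describe the flaw and the abuse but give no remediation line, so a reader auditing an accessory has nothing to check against. Suggest closing the section with a short "Mitigations" list after the Find Hub bullet, for example:
- Providers must drop Fast Pair initiation (and the Key-based Pairing reply) unless they are actually in pairing mode.
- Refuse Account Key writes outside pairing mode, and once an owner Account Key is already stored.
- Apply vendor firmware updates; as the text already notes, disabling prompts on the phone does not protect the accessory.
Also, "Alerts can be delayed" in the Find Hub bullet reads as an observation of the page itself; attribute it to the WhisperPair write-up so readers know where the claim comes from.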
@@ -280,5 +290,6 @@ for off in range(0, len(img_bytes), CHUNK): - [Shining Mask BLE protocol notes (BrickCraftDream)](https://github.com/BrickCraftDream/Shining-Mask-stuff/blob/main/ble-protocol.md) - [Android Bluetooth HCI snoop logging](https://source.android.com/docs/core/connect/bluetooth/verifying_debugging) - [Adafruit Feather nRF52840 Express](https://www.adafruit.com/product/4062) +- [WhisperPair: Bluetooth hijacking and location tracking via broken Google Fast Pair implementations](https://whisperpair.eu/) {{#include ../../banners/hacktricks-training.md}}
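Review bot: the new reference entry matches the existing "[title](url)" style, but the section now rests on a single source. Suggest adding a second entry pointing at Google's own Fast Pair specification (developers.google.com/nearby/fast-pair) for the expected provider behaviour around pairing mode and the first Account Key, so the "should ignore Fast Pair initiation unless in pairing mode" claim in the previous hunk can be checked against the spec rather than only against the advisory.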