WPair is a defensive security research tool that demonstrates the CVE-2025-36911 (aka WhisperPair) vulnerability in Google's Fast Pair protocol. This vulnerability affects millions of Bluetooth audio devices worldwide, allowing unauthorized pairing and potential microphone access without user consent.

zalexdev/wpair-app

WPair

CVE-2025-36911 (aka WhisperPair) Vulnerability Scanner & Research Tool


Disclaimer

This application is an independent implementation created by @ZalexDev in his own capacity. The original KU Leuven researchers discovered and disclosed the vulnerability but have not released any code and are not affiliated with this project. Their inclusion in credits is solely to acknowledge their research contribution.

Overview

WPair is a defensive security research tool that demonstrates the CVE-2025-36911 vulnerability in Google's Fast Pair protocol. This vulnerability affects millions of Bluetooth audio devices worldwide, allowing unauthorized pairing and potential microphone access without user consent.

Purpose: Help security researchers, device manufacturers, and end-users identify vulnerable devices that need firmware updates.

Features

| Feature | Description |
|---|---|
| BLE Scanner | Discovers Fast Pair devices broadcasting the 0xFE2C service UUID |
| Vulnerability Tester | Non-invasive check if device is patched against CVE-2025-36911 |
| Exploit Demonstration | Full proof-of-concept for authorized security testing |
| HFP Audio Access | Demonstrates microphone access post-exploitation |
| Live Listening | Real-time audio streaming to phone speaker |
| Recording | Save captured audio as M4A files |

Screenshots

[Screenshots: Scanner Screen, Vulnerable Device, Recordings]

Note on Find Hub Network (FMDN) tracking

This tool deliberately does not include FMDN provisioning functionality. While the vulnerability chain technically allows enrolling compromised devices into Google's Find Hub Network for persistent location tracking, I've chosen not to implement this capability. Converting someone's headphones into a covert tracking beacon crosses a clear ethical line from security research into stalkerware territory. The Account Key write and audio access demonstrations are sufficient to prove the vulnerability's severity.

Installation

Requirements

  • Android 8.0 (API 26) or higher
  • Bluetooth LE support
  • Location permission (required for BLE scanning on Android), or the Nearby Devices permission (Android 13+)

Download

  1. Go to Releases
  2. Download the latest WPair-vX.X.X.apk
  3. Enable "Install from unknown sources" if prompted
  4. Install and grant required permissions

Build from Source

```bash
git clone https://github.com/zalexdev/whisper-pair-app.git
cd whisper-pair-app
./gradlew assembleDebug
```

Usage

1. Scan for Devices

Tap Scan to discover nearby Fast Pair devices. Devices in pairing mode will show a "Pairing" badge.
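How a scanner can tell a Fast Pair device in pairing mode from one that is not, as an added example that is not taken from WPair's source. It assumes the advertising layout in the public Fast Pair specification (0xFE2C service data carrying a bare 3-byte Model ID while discoverable); the function names and sample payloads are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

FAST_PAIR_UUID = 0xFE2C      # service UUID named in the README
AD_SERVICE_DATA_16 = 0x16    # Bluetooth AD type: Service Data, 16-bit UUID

@dataclass
class FastPairAdv:
    mode: str                 # "pairing" or "not-discoverable"
    model_id: Optional[int]   # 24-bit Model ID, present only in pairing mode

def iter_ad_structures(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ad_type, data); stop at zero padding or a truncated structure."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return            # never read past the end of the buffer
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def parse_fast_pair(payload: bytes) -> Optional[FastPairAdv]:
    """Return Fast Pair details if the payload carries 0xFE2C service data."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type != AD_SERVICE_DATA_16 or len(data) < 2:
            continue
        if int.from_bytes(data[:2], "little") != FAST_PAIR_UUID:
            continue
        body = data[2:]
        # Assumption (public Fast Pair spec): a bare 3-byte body is the
        # big-endian Model ID; anything else is account-key data.
        if len(body) == 3:
            return FastPairAdv("pairing", int.from_bytes(body, "big"))
        return FastPairAdv("not-discoverable", None)
    return None

# Constructed sample payloads, not captured from real devices.
SAMPLES: Dict[str, bytes] = {
    "headset-a": bytes.fromhex("020106" "06162cfe" "a1b2c3"),
    "headset-b": bytes.fromhex("020106" "0b162cfe" "004011223344115a"),
    "hr-strap": bytes.fromhex("020106" "03030d18"),
    "truncated": bytes.fromhex("020106" "06162cfe" "a1"),
}

def inventory(samples: Dict[str, bytes]) -> Dict[str, str]:
    return {n: a.mode for n, raw in samples.items() if (a := parse_fast_pair(raw))}

if __name__ == "__main__":
    print(inventory(SAMPLES))
```

The parser only reads advertisements, so it suits building a list of Fast Pair devices whose firmware status still needs checking.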

2. Test Vulnerability

For devices not in pairing mode, tap Test to check if they're vulnerable. This is non-invasive and doesn't pair with the device.

| Status | Meaning |
|---|---|
| VULNERABLE | Device is affected by CVE-2025-36911 |
| Patched | Device has been updated with security fix |
| Error | Test inconclusive (device may be already paired) |

3. Exploit (Authorized Testing Only)

For vulnerable devices, tap Magic to demonstrate the full exploit chain:

  • Key-Based Pairing bypass
  • BR/EDR address extraction
  • Bluetooth Classic bonding
  • Account Key persistence

4. Audio Access

After successful pairing:

  1. Tap Connect Audio (HFP) to establish Hands-Free Profile
  2. Use Live for real-time listening through phone speaker
  3. Use Record to save audio as M4A file

How It Works

```mermaid
sequenceDiagram
    participant App as WPair
    participant Target as Vulnerable Device
    participant BT as Android Bluetooth

    App->>Target: BLE Scan (0xFE2C service)
    Target-->>App: Fast Pair Advertisement

    Note over App: Vulnerability Test
    App->>Target: GATT Connect
    App->>Target: Read Model ID
    App->>Target: Write Key-Based Pairing (no signature)
    Target-->>App: Response (Vulnerable if accepted)

    Note over App: Exploitation
    App->>Target: Key-Based Pairing Request
    Target-->>App: Encrypted Response + BR/EDR Address
    App->>BT: createBond(BR/EDR Address)
    BT->>Target: Bluetooth Classic Pairing
    Target-->>BT: Pairing Complete

    Note over App: Audio Access
    App->>BT: Connect HFP Profile
    BT->>Target: HFP Connection
    App->>BT: Start SCO Audio
    Target-->>App: Microphone Stream
```

Attack Flow

```mermaid
flowchart LR
    A[Scan] --> B{Fast Pair<br>Device?}
    B -->|Yes| C[Test Vulnerability]
    B -->|No| A
    C --> D{Vulnerable?}
    D -->|Yes| E[Exploit]
    D -->|No| F[Patched ✓]
    E --> G[Pair Device]
    G --> H[Connect HFP]
    H --> I[Access Microphone]
```

Vulnerability

CVE-2025-36911: Fast Pair Key-Based Pairing Authentication Bypass (also known as WhisperPair)

  • Severity: High
  • CVSS Score: 8.1
  • Affected: Google Fast Pair Protocol implementations

Technical Details

The Fast Pair protocol uses Key-Based Pairing to authenticate pairing requests. The vulnerability exists because:

  1. Missing Signature Verification: Many devices accept Key-Based Pairing requests without validating the cryptographic signature
  2. No User Confirmation: The protocol doesn't require explicit user consent for pairing
  3. Persistent Access: Attackers can write Account Keys for permanent device tracking

Impact

  • Unauthorized Pairing: Attacker pairs with victim's headphones without consent
  • Microphone Access: Full access to device microphone via HFP profile
  • Location Tracking: Persistent tracking via Account Key advertising

Affected Devices

Major affected manufacturers include:

  • JBL
  • Harman Kardon
  • Sony (select models)
  • Marshall
  • And many more...

Project Structure

WhisperPair/
├── app/src/main/java/com/zalexdev/whisperpair/
│   ├── MainActivity.kt          # UI and navigation
│   ├── Scanner.kt                # BLE Fast Pair scanner
│   ├── FastPairDevice.kt         # Device data model
│   ├── VulnerabilityTester.kt    # Non-invasive vuln check
│   ├── FastPairExploit.kt        # PoC exploit implementation
│   └── BluetoothAudioManager.kt  # HFP audio handling
├── app/src/main/res/
│   └── ...                       # UI resources
└── README.md

Credits

App Developer

@ZalexDev

Original Research Team

KU Leuven, Belgium

| Researcher | Affiliation |
|---|---|
| Sayon Duttagupta* | COSIC Group |
| Nikola Antonijević | COSIC Group |
| Bart Preneel | COSIC Group |
| Seppe Wyns* | DistriNet Group |
| Dave Singelée | DistriNet Group |

* Primary authors

Funding for the original research: Flemish Government Cybersecurity Research Program (VOEWICS02)

Legal Disclaimer

This tool is provided for authorized security research and educational purposes only.

  • Only test devices you own or have explicit written permission to test
  • Unauthorized access to computer systems is illegal in most jurisdictions
  • The developers are not responsible for misuse of this tool
  • This tool is intended to help identify vulnerable devices for remediation

By using this software, you agree to use it responsibly and in compliance with all applicable laws.

See Also

| Tool | Description |
|---|---|
| Stryker | Comprehensive mobile pentesting toolkit for Android |

Support Development

If you find WhisperPair useful for your security research:

Star on GitHub

Crypto Donations:

TRC20 (USDT): TXVt15poW3yTBb7zSdaBRuyFsGCpFyg8CU

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.


Built with ❤️ for the security research community
