Share
## https://sploitus.com/exploit?id=27C8E4F7-789B-5171-8B24-B21D4137905D
# WhisperPair Exploit Toolkit (CVE-2025-36911)
[](https://www.python.org/downloads/)
[](https://opensource.org/licenses/MIT)
[](https://nvd.nist.gov/vuln/detail/CVE-2025-36911)
A security research toolkit for demonstrating CVE-2025-36911 (WhisperPair), a critical vulnerability in Google Fast Pair affecting hundreds of millions of Bluetooth audio devices.
## π― Overview
WhisperPair allows attackers to forcibly pair with vulnerable Bluetooth earbuds and headphones **without user interaction**, potentially enabling:
- π€ **Eavesdropping** via device microphone
- π **Audio injection** into victim's earbuds
- π **Location tracking** via Google Find Hub
- π **Persistent access** via account key injection
**Affected Brands:** Sony, Google, JBL, Jabra, Anker, Nothing, OnePlus, Xiaomi, Marshall, and more.
## π Contents
| Component | Description |
|-----------|-------------|
| `fastpair_exploit.py` | Python scanner, tester, and exploit tool |
| `esp32_vulnerable_earbud/` | ESP32 firmware to emulate a vulnerable device |
| `DOCUMENTATION.md` | Full technical writeup and demo guide |
## π Quick Start
### Installation
```bash
# Clone the repository
git clone https://github.com/yourusername/whisperpair-toolkit.git
cd whisperpair-toolkit
# Install dependencies
pip install -r requirements.txt
```
### Usage
```bash
# List known vulnerable devices
python fastpair_exploit.py list
# Scan for Fast Pair devices
python fastpair_exploit.py scan
# Test a specific device
python fastpair_exploit.py test AA:BB:CC:DD:EE:FF
# Run full exploit chain
python fastpair_exploit.py exploit AA:BB:CC:DD:EE:FF
```
### Example Output
```
π‘ Scanning for Fast Pair devices (10.0s)...
β Sony WF-1000XM4
Address: AA:BB:CC:DD:EE:FF RSSI: -45 dBm
Mode: idle | β οΈ KNOWN VULNERABLE
Model ID: CD8256
ββββββββββββββββββββββββββββββββββββββββββββββββββ
π Found 1 device(s)
β οΈ 1 KNOWN VULNERABLE:
β’ Sony WF-1000XM4 (AA:BB:CC:DD:EE:FF)
```
## π¬ ESP32 Vulnerable Device Emulator
For safe demonstration without real vulnerable devices, flash an ESP32 to emulate vulnerable earbuds.
### Setup
1. Install [Arduino IDE](https://www.arduino.cc/en/software) with ESP32 support
2. Open `esp32_vulnerable_earbud/esp32_vulnerable_earbud.ino`
3. Select your ESP32 board (tested on ESP32-C6)
4. Upload and open Serial Monitor (115200 baud)
The ESP32 will advertise as a vulnerable Fast Pair device, accepting unauthorized pairing requests and logging the attack in real-time.
## π Documentation
See [DOCUMENTATION.md](DOCUMENTATION.md) for:
- Detailed vulnerability explanation
- Protocol analysis
- Classroom demo script
- Remediation guidance
## β οΈ Known Vulnerable Devices
| Manufacturer | Model | Status |
|--------------|-------|--------|
| Sony | WH-1000XM6/XM5/XM4 | Vulnerable (patch available) |
| Sony | WF-1000XM5/XM4 | Vulnerable (patch available) |
| Google | Pixel Buds Pro 2 | Vulnerable (patch available) |
| JBL | Tune Beam, Live Pro 2 | Vulnerable |
| Jabra | Elite 8 Active | Vulnerable |
| Anker | Soundcore Liberty 4 NC | Vulnerable |
| Nothing | Ear (a) | Vulnerable |
| OnePlus | Nord Buds 3 Pro | Vulnerable |
| Xiaomi | Redmi Buds 5 Pro | Vulnerable |
Full list: [whisperpair.eu/vulnerable-devices](https://whisperpair.eu/vulnerable-devices)
## π‘οΈ Remediation
**The only fix is a firmware update from your device manufacturer.**
| Brand | Update Method |
|-------|---------------|
| Sony | Sony Headphones Connect app |
| Google | Automatic via Pixel Buds app |
| JBL | JBL Headphones app |
| Jabra | Jabra Sound+ app |
| Anker | Soundcore app |
Updating your phone does **not** fix the vulnerabilityβthe flaw is in the earbuds themselves.
## π References
- [WhisperPair Official Site](https://whisperpair.eu/)
- [CVE-2025-36911 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2025-36911)
- [KU Leuven Research Paper](https://whisperpair.eu/)
- [Google Fast Pair Specification](https://developers.google.com/nearby/fast-pair/spec)
## π₯ Credits
**Original Research:**
- COSIC Group, KU Leuven (Sayon Duttagupta, Nikola AntonijeviΔ, Bart Preneel)
- DistriNet Group, KU Leuven (Seppe Wyns, Dave SingelΓ©e)
**This Toolkit:**
- Steven Perumean (Python port & ESP32 emulator)
## βοΈ Legal Disclaimer
This toolkit is provided for **educational and authorized security research purposes only**.
- β
Test devices you own
- β
Use in controlled lab environments
- β
Educational demonstrations
- β Unauthorized access to others' devices
- β Eavesdropping or surveillance
- β Any illegal activity
**Unauthorized interception of communications is a federal crime.**
The authors are not responsible for misuse of this software.
## π License
MIT License - See [LICENSE](LICENSE) for details.
---
Built for cybersecurity education at California Baptist University