Share
## https://sploitus.com/exploit?id=8EC35C55-BE08-5600-94BE-CAB99DE25ED0
# WhisperPair Python CLI


**Fast Pair CVE-2025-36911 Exploit Tool in Python**


  
  
  


> **Author:** SΓ©bastien Dudek ([@FlUxIuS](https://twitter.com/FlUxIuS)) @ [Penthertz](https://penthertz.com)  
> **Credits:** whisperpair.com for the discovery and this nice APK that shorten the time of the implementation [wpair-app](https://github.com/zalexdev/wpair-app)

---

## ⚠️ Disclaimer

**For authorized security research only.** Test only on devices you own.

---

## πŸ› The Vulnerability

**CVE-2025-36911** affects Google Fast Pair implementations on millions of Bluetooth audio devices.

**Normal behavior:** Devices should only accept pairing requests when in *pairing mode* (button held, case opened, etc.)

**Vulnerable behavior:** Devices accept Key-Based Pairing (KBP) requests *anytime*, even when idle or already paired.

### Impact
- πŸ”Š Unauthorized pairing to victim's earbuds/headphones
- 🎀 Potential audio injection/eavesdropping
- πŸ“ Device tracking via account keys

---

## ⚑ Quick Start

```bash
# Install
pip install bleak cryptography
git clone https://github.com/Penthertz/CVE-2025-36911-exploit.git
cd CVE-2025-36911-exploit

# Scan for targets
python3 whisperpair-cli.py scan

# Test if vulnerable
python3 whisperpair-cli.py test AA:BB:CC:DD:EE:FF

# Exploit
python3 whisperpair-cli.py exploit --quick
```

---

## 🎯 Exploit Strategy

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  ATTACKER                           VULNERABLE DEVICE       β”‚
β”‚                                                             β”‚
β”‚  1. BLE Scan ─────────────────────► Fast Pair Advertisement β”‚
β”‚     (Find target)                   (Model ID visible)      β”‚
β”‚                                                             β”‚
β”‚  2. Connect ──────────────────────► GATT Connection         β”‚
β”‚                                                             β”‚
β”‚  3. KBP Request ──────────────────► Key-Based Pairing Char  β”‚
β”‚     (Should be rejected             βœ— NOT REJECTED!         β”‚
β”‚      when not in pairing mode)      (CVE-2025-36911)        β”‚
β”‚                                                             β”‚
β”‚  4. Parse Response ◄────────────── BR/EDR Address           β”‚
β”‚                                                             β”‚
β”‚  5. Write Account Key ────────────► Account Key Char        β”‚
β”‚     (Persistent access)             βœ“ ACCEPTED              β”‚
β”‚                                                             β”‚
β”‚  6. Classic BT Pair ──────────────► Audio Profiles (A2DP)   β”‚
β”‚     (Game over)                                             β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

The tool tries multiple strategies automatically:
1. **ENCRYPTED_ECDH** - Spec-compliant 80-byte encrypted request
2. **RAW_WITH_PUBKEY** - Raw block + public key (some devices)
3. **RAW_KBP** - Plain 16-byte request (broken implementations)

---

## πŸ“‹ Commands

| Command | Description |
|---------|-------------|
| `scan` | Live-updating BLE scan for Fast Pair devices |
| `scan -a` | Scan all BLE devices |
| `info ` | Show GATT services/characteristics |
| `test ` | Non-invasive vulnerability check |
| `exploit ` | Full exploit chain |
| `exploit -q` | Auto-scan + exploit first target |

---

## 🎧 Affected Devices

Tested vulnerable (check firmware updates):

| Brand | Models |
|-------|--------|
| **Google** | Pixel Buds, Pixel Buds Pro 2 |
| **Sony** | WF-1000XM4, WH-1000XM5/XM6, LinkBuds S |
| **JBL** | Tune Buds, Live Pro 2, Tune 760NC |
| **Anker** | Soundcore Liberty 4/4 NC |
| **Nothing** | Ear (a) |
| **Bose** | QuietComfort Earbuds II |
| **Jabra** | Elite 8 Active |
| + many more | |

See more on [whisperpair.com](whisperpair.com)