Share
## https://sploitus.com/exploit?id=A48C1B27-BF2D-52E8-AEC3-B6C0D15C64A2
ZWhisper
CVE-2025-36911 (WhisperPair) Vulnerability Scanner & Research Tool
Features β’
Installation β’
Usage β’
How It Works β’
Vulnerability β’
Credits
---
## Disclaimer
This application was developed by **ziron** and is inspired by the original implementation by **[@ZalexDev](https://github.com/zalexdev)**, with modifications to support a wider range of devices. The original KU Leuven researchers discovered and disclosed the vulnerability but have not released any code and are not affiliated with this project. Their inclusion in credits is solely to acknowledge their research contribution.
## Overview
**ZWhisper** is a defensive security research tool that demonstrates the CVE-2025-36911 vulnerability in Google's Fast Pair protocol. This vulnerability affects millions of Bluetooth audio devices worldwide, allowing unauthorized pairing and potential microphone access without user consent.
> **Purpose:** Help security researchers, device manufacturers, and end-users identify vulnerable devices that need firmware updates.
## Features
| Feature | Description |
|---------|-------------|
| **BLE Scanner** | Discovers Fast Pair devices broadcasting the 0xFE2C service UUID |
| **Vulnerability Tester** | Non-invasive check if device is patched against CVE-2025-36911 |
| **Exploit Demonstration** | Full proof-of-concept for authorized security testing |
| **HFP Audio Access** | Demonstrates microphone access post-exploitation |
| **Live Listening** | Real-time audio streaming to phone speaker |
| **Recording** | Save captured audio as M4A files |
| **Enhanced Compatibility** | Improved support for various Android devices and manufacturers |
## Screenshots
## Note on Find Hub Network (FMDN) tracking
This tool deliberately does not include FMDN provisioning functionality. While the vulnerability chain technically allows enrolling compromised devices into Google's Find Hub Network for persistent location tracking, we've chosen not to implement this capability. Converting someone's headphones into a covert tracking beacon crosses a clear ethical line from security research into stalkerware territory. The Account Key write and audio access demonstrations are sufficient to prove the vulnerability's severity.
## Installation
### Requirements
- Android 8.0 (API 26) or higher
- Bluetooth LE support
- Location permission (required for BLE scanning on Android) / Nearby Devices (A13+)
### Download
1. Go to [Releases](https://github.com/zwhisper-android/releases)
2. Download the latest `ZWhisper-vX.X.X.apk`
3. Enable "Install from unknown sources" if prompted
4. Install and grant required permissions
### Build from Source
```bash
git clone https://github.com/zwhisper-android.git
cd zwhisper-android
./gradlew assembleDebug
```
## Usage
### 1. Scan for Devices
Tap **Scan** to discover nearby Fast Pair devices. Devices in pairing mode will show a "Pairing" badge.
### 2. Test Vulnerability
For devices **not** in pairing mode, tap **Test** to check if they're vulnerable. This is non-invasive and doesn't pair with the device.
| Status | Meaning |
|--------|---------|
| `VULNERABLE` | Device is affected by CVE-2025-36911 |
| `Patched` | Device has been updated with security fix |
| `Error` | Test inconclusive (device may be already paired) |
### 3. Exploit (Authorized Testing Only)
For vulnerable devices, tap **Magic** to demonstrate the full exploit chain:
- Key-Based Pairing bypass
- BR/EDR address extraction
- Bluetooth Classic bonding
- Account Key persistence
### 4. Audio Access
After successful pairing:
1. Tap **Connect Audio (HFP)** to establish Hands-Free Profile
2. Use **Live** for real-time listening through phone speaker
3. Use **Record** to save audio as M4A file
## How It Works
```mermaid
sequenceDiagram
participant App as ZWhisper
participant Target as Vulnerable Device
participant BT as Android Bluetooth
App->>Target: BLE Scan (0xFE2C service)
Target-->>App: Fast Pair Advertisement
Note over App: Vulnerability Test
App->>Target: GATT Connect
App->>Target: Read Model ID
App->>Target: Write Key-Based Pairing (no signature)
Target-->>App: Response (Vulnerable if accepted)
Note over App: Exploitation
App->>Target: Key-Based Pairing Request
Target-->>App: Encrypted Response + BR/EDR Address
App->>BT: createBond(BR/EDR Address)
BT->>Target: Bluetooth Classic Pairing
Target-->>BT: Pairing Complete
Note over App: Audio Access
App->>BT: Connect HFP Profile
BT->>Target: HFP Connection
App->>BT: Start SCO Audio
Target-->>App: Microphone Stream
```
### Attack Flow
```mermaid
flowchart LR
A[Scan] --> B{Fast PairDevice?}
B -->|Yes| C[Test Vulnerability]
B -->|No| A
C --> D{Vulnerable?}
D -->|Yes| E[Exploit]
D -->|No| F[Patched β]
E --> G[Pair Device]
G --> H[Connect HFP]
H --> I[Access Microphone]
```
## Vulnerability
### CVE-2025-36911: Fast Pair Key-Based Pairing Authentication Bypass (also known as WhisperPair)
**Severity:** High
**CVSS Score:** 8.1
**Affected:** Google Fast Pair Protocol implementations
#### Technical Details
The Fast Pair protocol uses Key-Based Pairing to authenticate pairing requests. The vulnerability exists because:
1. **Missing Signature Verification:** Many devices accept Key-Based Pairing requests without validating the cryptographic signature
2. **No User Confirmation:** The protocol doesn't require explicit user consent for pairing
3. **Persistent Access:** Attackers can write Account Keys for permanent device tracking
#### Impact
- **Unauthorized Pairing:** Attacker pairs with victim's headphones without consent
- **Microphone Access:** Full access to device microphone via HFP profile
- **Location Tracking:** Persistent tracking via Account Key advertising
#### Affected Devices
Major affected manufacturers include:
- JBL
- Harman Kardon
- Sony (select models)
- Marshall
- And many more...
## Project Structure
```
ZWhisper/
βββ app/src/main/java/com/ziron/zwhisper/
β βββ MainActivity.kt # UI and navigation
β βββ Scanner.kt # BLE Fast Pair scanner
β βββ FastPairDevice.kt # Device data model
β βββ VulnerabilityTester.kt # Non-invasive vuln check
β βββ FastPairExploit.kt # PoC exploit implementation
β βββ BluetoothAudioManager.kt # HFP audio handling
βββ app/src/main/res/
β βββ ... # UI resources
βββ README.md
```
## Credits
### App Developer
**ziron** - Enhanced implementation with improved device compatibility
### Original Implementation
**[@ZalexDev](https://github.com/zalexdev)** - Original WPair implementation that inspired this project
### Original Research Team
**KU Leuven, Belgium**
| Researcher | Affiliation |
|------------|-------------|
| [Sayon Duttagupta](https://www.esat.kuleuven.be/cosic/people/person/?u=u0129899)* | COSIC Group |
| [Nikola AntonijeviΔ](https://www.esat.kuleuven.be/cosic/people/person/?u=u0148369) | COSIC Group |
| [Bart Preneel](https://homes.esat.kuleuven.be/~preneel/) | COSIC Group |
| [Seppe Wyns](https://seppe.io)* | DistriNet Group |
| [Dave SingelΓ©e](https://sites.google.com/site/davesingelee) | DistriNet Group |
*\* Primary authors*
**Funding for the original research:** Flemish Government Cybersecurity Research Program (VOEWICS02)
### Resources
- [WhisperPair Research Paper](https://whisperpair.eu)
- [Demo Video](https://www.youtube.com/watch?v=-j45ShJINtc)
- [COSIC Research Group](https://www.esat.kuleuven.be/cosic)
### Media Coverage
- [WIRED](https://www.wired.com/story/google-fast-pair-bluetooth-audio-accessories-vulnerability-patches/)
- [9to5Google](https://9to5google.com/2026/01/15/google-fast-pair-devices-exploit-whisperpair/)
## Legal Disclaimer
> **This tool is provided for authorized security research and educational purposes only.**
- Only test devices you **own** or have **explicit written permission** to test
- Unauthorized access to computer systems is illegal in most jurisdictions
- The developers are not responsible for misuse of this tool
- This tool is intended to help identify vulnerable devices for remediation
**By using this software, you agree to use it responsibly and in compliance with all applicable laws.**
## See Also
| Tool | Description |
|------|-------------|
| [**WPair**](https://github.com/zalexdev/whisper-pair-app) | Original implementation by ZalexDev |
| [**Stryker**](https://github.com/Stryker-Defense-Inc/strykerapp) | Comprehensive mobile pentesting toolkit for Android |
## Support Development
If you find ZWhisper useful for your security research:
## License
This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.
---
Built with β€οΈ for the security research community