Share
## https://sploitus.com/exploit?id=C004CA42-915F-561F-80E1-FA472ABA3E17
WPair


  CVE-2025-36911 (eg WhisperPair) Vulnerability Scanner & Research Tool



  
  
  
  



  Features β€’
  Installation β€’
  Usage β€’
  How It Works β€’
  Vulnerability β€’
  Credits


---
## Disclaimer
This application is an independent implementation created by **[@ZalexDev](https://github.com/zalexdev)** in his own capacity. The original KU Leuven researchers discovered and disclosed the vulnerability but have not released any code and are not affiliated with this project. Their inclusion in credits is solely to acknowledge their research contribution.

## Overview

**WPair** is a defensive security research tool that demonstrates the CVE-2025-36911 vulnerability in Google's Fast Pair protocol. This vulnerability affects millions of Bluetooth audio devices worldwide, allowing unauthorized pairing and potential microphone access without user consent.

> **Purpose:** Help security researchers, device manufacturers, and end-users identify vulnerable devices that need firmware updates.

## Features

| Feature | Description |
|---------|-------------|
| **BLE Scanner** | Discovers Fast Pair devices broadcasting the 0xFE2C service UUID |
| **Vulnerability Tester** | Non-invasive check if device is patched against CVE-2025-36911 |
| **Exploit Demonstration** | Full proof-of-concept for authorized security testing |
| **HFP Audio Access** | Demonstrates microphone access post-exploitation |
| **Live Listening** | Real-time audio streaming to phone speaker |
| **Recording** | Save captured audio as M4A files |

## Screenshots


  
  
  


## Installation

### Requirements
- Android 8.0 (API 26) or higher
- Bluetooth LE support
- Location permission (required for BLE scanning on Android)

### Download
1. Go to [Releases](https://github.com/zalexdev/whisper-pair-app/releases)
2. Download the latest `WPair-vX.X.X.apk`
3. Enable "Install from unknown sources" if prompted
4. Install and grant required permissions

### Build from Source
```bash
git clone https://github.com/zalexdev/whisper-pair-app.git
cd whisper-pair-app
./gradlew assembleDebug
```

## Usage

### 1. Scan for Devices
Tap **Scan** to discover nearby Fast Pair devices. Devices in pairing mode will show a "Pairing" badge.

### 2. Test Vulnerability
For devices **not** in pairing mode, tap **Test** to check if they're vulnerable. This is non-invasive and doesn't pair with the device.

| Status | Meaning |
|--------|---------|
| `VULNERABLE` | Device is affected by CVE-2025-36911 |
| `Patched` | Device has been updated with security fix |
| `Error` | Test inconclusive (device may be already paired) |

### 3. Exploit (Authorized Testing Only)
For vulnerable devices, tap **Magic** to demonstrate the full exploit chain:
- Key-Based Pairing bypass
- BR/EDR address extraction
- Bluetooth Classic bonding
- Account Key persistence

### 4. Audio Access
After successful pairing:
1. Tap **Connect Audio (HFP)** to establish Hands-Free Profile
2. Use **Live** for real-time listening through phone speaker
3. Use **Record** to save audio as M4A file

## How It Works

```mermaid
sequenceDiagram
    participant App as WPair
    participant Target as Vulnerable Device
    participant BT as Android Bluetooth

    App->>Target: BLE Scan (0xFE2C service)
    Target-->>App: Fast Pair Advertisement

    Note over App: Vulnerability Test
    App->>Target: GATT Connect
    App->>Target: Read Model ID
    App->>Target: Write Key-Based Pairing (no signature)
    Target-->>App: Response (Vulnerable if accepted)

    Note over App: Exploitation
    App->>Target: Key-Based Pairing Request
    Target-->>App: Encrypted Response + BR/EDR Address
    App->>BT: createBond(BR/EDR Address)
    BT->>Target: Bluetooth Classic Pairing
    Target-->>BT: Pairing Complete

    Note over App: Audio Access
    App->>BT: Connect HFP Profile
    BT->>Target: HFP Connection
    App->>BT: Start SCO Audio
    Target-->>App: Microphone Stream
```

### Attack Flow

```mermaid
flowchart LR
    A[Scan] --> B{Fast PairDevice?}
    B -->|Yes| C[Test Vulnerability]
    B -->|No| A
    C --> D{Vulnerable?}
    D -->|Yes| E[Exploit]
    D -->|No| F[Patched βœ“]
    E --> G[Pair Device]
    G --> H[Connect HFP]
    H --> I[Access Microphone]
```

## Vulnerability

### CVE-2025-36911: Fast Pair Key-Based Pairing Authentication Bypass (also known as WhisperPair)

**Severity:** High
**CVSS Score:** 8.1
**Affected:** Google Fast Pair Protocol implementations

#### Technical Details

The Fast Pair protocol uses Key-Based Pairing to authenticate pairing requests. The vulnerability exists because:

1. **Missing Signature Verification:** Many devices accept Key-Based Pairing requests without validating the cryptographic signature
2. **No User Confirmation:** The protocol doesn't require explicit user consent for pairing
3. **Persistent Access:** Attackers can write Account Keys for permanent device tracking

#### Impact

- **Unauthorized Pairing:** Attacker pairs with victim's headphones without consent
- **Microphone Access:** Full access to device microphone via HFP profile
- **Location Tracking:** Persistent tracking via Account Key advertising

#### Affected Devices

Major affected manufacturers include:
- JBL
- Harman Kardon
- Sony (select models)
- Marshall
- And many more...

## Project Structure

```
WhisperPair/
β”œβ”€β”€ app/src/main/java/com/zalexdev/whisperpair/
β”‚   β”œβ”€β”€ MainActivity.kt          # UI and navigation
β”‚   β”œβ”€β”€ Scanner.kt                # BLE Fast Pair scanner
β”‚   β”œβ”€β”€ FastPairDevice.kt         # Device data model
β”‚   β”œβ”€β”€ VulnerabilityTester.kt    # Non-invasive vuln check
β”‚   β”œβ”€β”€ FastPairExploit.kt        # PoC exploit implementation
β”‚   └── BluetoothAudioManager.kt  # HFP audio handling
β”œβ”€β”€ app/src/main/res/
β”‚   └── ...                       # UI resources
└── README.md
```

## Credits

### App Developer

**[@ZalexDev](https://github.com/zalexdev)**

### Original Research Team
**KU Leuven, Belgium**

| Researcher | Affiliation |
|------------|-------------|
| [Sayon Duttagupta](https://www.esat.kuleuven.be/cosic/people/person/?u=u0129899)* | COSIC Group |
| [Nikola Antonijević](https://www.esat.kuleuven.be/cosic/people/person/?u=u0148369) | COSIC Group |
| [Bart Preneel](https://homes.esat.kuleuven.be/~preneel/) | COSIC Group |
| [Seppe Wyns](https://seppe.io)* | DistriNet Group |
| [Dave SingelΓ©e](https://sites.google.com/site/davesingelee) | DistriNet Group |

*\* Primary authors*

**Funding for the original research:** Flemish Government Cybersecurity Research Program (VOEWICS02)

### Resources
- [WhisperPair Research Paper](https://whisperpair.eu)
- [Demo Video](https://www.youtube.com/watch?v=-j45ShJINtc)
- [COSIC Research Group](https://www.esat.kuleuven.be/cosic)

### Media Coverage
- [WIRED](https://www.wired.com/story/google-fast-pair-bluetooth-audio-accessories-vulnerability-patches/)
- [9to5Google](https://9to5google.com/2026/01/15/google-fast-pair-devices-exploit-whisperpair/)

## Legal Disclaimer

> **This tool is provided for authorized security research and educational purposes only.**

- Only test devices you **own** or have **explicit written permission** to test
- Unauthorized access to computer systems is illegal in most jurisdictions
- The developers are not responsible for misuse of this tool
- This tool is intended to help identify vulnerable devices for remediation

**By using this software, you agree to use it responsibly and in compliance with all applicable laws.**

## See Also

| Tool | Description |
|------|-------------|
| [**Stryker**](https://github.com/Stryker-Defense-Inc/strykerapp) | Comprehensive mobile pentesting toolkit for Android |

## Support Development

If you find WhisperPair useful for your security research:


  


**Crypto Donations:**
```
TRC20 (USDT): TXVt15poW3yTBb7zSdaBRuyFsGCpFyg8CU
```

## License

This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.

---


  Built with ❀️ for the security research community