Share
## https://sploitus.com/exploit?id=DF0F48C9-25A2-5E40-A6E3-B194ECEFB40B
ZWhisper for Linux


  CVE-2025-36911 (WhisperPair) Vulnerability Scanner & Research Tool



  
  


---

### By Ziron

## Check also


  Android Version
  
  Windows Version


---

## SECURITY DISCLAIMER

**THIS SOFTWARE IS FOR AUTHORIZED SECURITY RESEARCH AND ETHICAL TESTING ONLY**

Unauthorized access to Bluetooth devices is illegal in most jurisdictions. This tool should only be used on devices you own or have explicit written permission to test. The authors assume no liability for misuse or damage caused by this software.

---

## OVERVIEW

ZWhisper is a security assessment framework targeting CVE-2025-36911 in Google's Fast Pair implementation. The tool provides:

- Fast Pair device detection and vulnerability scanning
- Automated exploitation with account key injection
- Audio capture capabilities from compromised devices
- Audio routing and profile management
- Comprehensive logging and reporting

---

## INSTALLATION

### Prerequisites

- Kali Linux or Debian-based distribution
- Root/sudo privileges
- Bluetooth adapter (internal or USB)

### Installation Steps

```bash
# Clone repository
git clone https://github.com/ekomsSavior/whisper.git
cd whisper

# Install system dependencies
sudo apt-get update
sudo apt-get install -y bluetooth bluez libbluetooth-dev python3-pip

# Install Python dependencies
pip3 install -r requirements.txt --break-system-packages

# Configure Bluetooth stack
sudo systemctl enable bluetooth
sudo systemctl start bluetooth
sudo hciconfig hci0 piscan
```

---

## USAGE

### Starting ZWhisper

```bash
sudo python3 zwhisper.py
```

### Main Menu Options

```
1.  Scan for Fast Pair Devices
2.  Target Specific Device by Address
3.  View Discovered Devices
4.  Exploit Specific Device
5.  Exploit All Discovered Devices
6.  Exploit + Auto-Connect (Persistent)
7.  Connect to Exploited Device
8.  Setup Audio Output
9.  Setup Audio Input (Microphone)
10. Record from Microphone
11. Clear Device List
0.  Exit
```

### Basic Exploitation Workflow

```bash
# Launch the tool
sudo python3 zwhisper.py

# Accept the disclaimer
Type: ACCEPT

# Scan for vulnerable devices
Select option: 1
Wait for scan to complete (10 seconds)

# Exploit a target device
Select option: 4
Choose device number from list
Wait for "Exploit successful!" message

# Complete Bluetooth pairing (ONLY IF AUDIO IS NOT CONNECTED AFTER EXPLOIT)
When prompted, select: y

# In bluetoothctl terminal:
scan on
pair 
trust 
connect 
quit

# The device is now permanently paired
```

### Audio Capture Workflow

After successful exploitation and pairing:

```bash
# Configure audio output (optional)
Select option: 8
Choose target device

# Configure audio input
Select option: 9
Choose target device

# Record from device microphone
Select option: 10
Choose target device
Enter recording duration (default: 30 seconds)

# Audio file saved as: zwhisper_audio__.wav
```

### Reconnecting to Previously Exploited Devices

```bash
Select option: 7
Enter MAC address of previously exploited device
Device reconnects automatically without re-exploitation
```

---

## TROUBLESHOOTING

### Audio Configuration Issues

**For PipeWire systems (default on modern distributions):**

```bash
# Restart audio services
systemctl --user restart wireplumber
systemctl --user restart pipewire-pulse

# Check available devices
wpctl status

# Set Bluetooth device as default sink
wpctl set-default 
```

**For PulseAudio systems:**

```bash
# Restart PulseAudio daemon
pulseaudio --kill
pulseaudio --start

# List available sinks
pactl list sinks short

# Set default sink
pactl set-default-sink 
```

### Bluetooth Connection Problems

```bash
# Reset Bluetooth adapter
sudo systemctl restart bluetooth
sudo hciconfig hci0 down
sudo hciconfig hci0 up
sudo hciconfig hci0 piscan

# Verify Bluetooth status
hciconfig -a
bluetoothctl list
```

### Device Discovery Failures

- Ensure target device is powered on and in range
- Verify device is in discoverable/pairing mode
- Increase scan duration for difficult-to-detect devices
- Check for RF interference from other wireless devices

---

## OUTPUT FILES

ZWhisper organizes all results in the following structure:

```
zwhisper_results/
โ”œโ”€โ”€ scans/          # JSON files containing scan results
โ”œโ”€โ”€ analysis/       # JSON files with exploitation logs
โ””โ”€โ”€ audio/          # WAV audio recordings
```

All files are timestamped for easy correlation and analysis.

---

## VULNERABILITY ASSESSMENT

ZWhisper calculates a risk score based on multiple factors:

**Risk Levels:**
- CRITICAL (60+): Multiple severe vulnerabilities present
- HIGH (40-59): Significant security weaknesses detected
- MEDIUM (20-39): Moderate vulnerability exposure
- LOW ( -50): +10 points

---

## TECHNICAL DETAILS

### Exploitation Process

1. BLE Discovery: Scan for Fast Pair service (UUID: 0xFE2C)
2. GATT Enumeration: Map available Fast Pair characteristics
3. Pairing Request: Transmit crafted key-based pairing message
4. Account Key Injection: Write persistent trust credential
5. Fallback Handling: Attempt alternative characteristics if primary fails
6. Bluetooth Classic Pairing: Complete audio profile registration

### Tested Devices

- Xiaomi Redmi Buds 5 Pro
- Xiaomi Redmi Buds 4 Pro
- Various Google Fast Pair certified devices

Note: Many Fast Pair devices may be vulnerable. Test responsibly.

### Audio System Compatibility

ZWhisper automatically detects the system audio backend:

- PipeWire (modern Linux distributions)
- PulseAudio (traditional Linux setups)

---

## ETHICAL GUIDELINES

### Authorized Use Cases

- Testing personally owned devices
- Approved security research with documented permission
- Corporate penetration testing with signed authorization
- Academic research in controlled laboratory environments

### Prohibited Activities

- Unauthorized device access or exploitation
- Surveillance or eavesdropping without consent
- Privacy violations of any kind
- Commercial use without proper licensing
- Any activity violating local, state, or federal laws

### Responsible Disclosure Process

If you discover new vulnerabilities using this tool:

1. Document all technical details and proof of concept
2. Avoid public disclosure until vendor notification
3. Contact the affected vendor's security team directly
4. Allow reasonable time for patch development (typically 90 days)
5. Coordinate disclosure timeline with the vendor

---

### Manual Bluetooth Commands

```bash
# Launch Bluetooth control interface
bluetoothctl

# Common commands:
power on              # Enable Bluetooth adapter
scan on               # Start device discovery
devices               # List discovered devices
pair             # Pair with device
trust            # Mark device as trusted
connect          # Connect to device
info             # Display device information
disconnect       # Disconnect from device
quit                  # Exit bluetoothctl
```

---

## KNOWN LIMITATIONS

1. **Device Classification**: After BLE exploitation, devices may appear as "Other Device" rather than "Headphones". This is expected behavior. Complete the bluetoothctl pairing sequence to enable audio profiles.

2. **Audio Profile Activation**: Audio functionality requires manual pairing via bluetoothctl after exploitation. Automated audio profile setup is not possible due to Bluetooth stack limitations.

3. **Connection Persistence**: Some devices implement idle timeouts and may disconnect automatically. Use option 7 to reconnect to previously exploited devices.

---

## CVE-2025-36911 INFORMATION

**Vulnerability Type**: Authentication Bypass in Fast Pair Protocol

**Impact**: Allows unauthorized pairing with Fast Pair enabled devices without user interaction or notification

**Affected Products**: Devices implementing Google Fast Pair without proper authentication mechanisms

**CVSS Score**: Pending CVE analysis

**Vendor Status**: Vulnerability disclosed to Google for remediation

---

## CREDITS

This tool was developed for security research and educational purposes. Original vulnerability research and disclosure credit goes to the information security community.

---

## LICENSE

This software is provided under the Apache License 2.0 for authorized security testing and educational use only. Users are solely responsible for ensuring compliance with all applicable laws and regulations in their jurisdiction.

---

## LINKS

- GitHub Repository: https://github.com/ekomsSavior/whisper
- CVE Information: https://vulners.com/cve/CVE-2025-36911
- Fast Pair Documentation: https://developers.google.com/nearby/fast-pair

---

**Use responsibly. Respect privacy. Follow the law.**