WhisperPair Python CLI
January 27, 2026
Fast Pair CVE-2025-36911 Exploit Tool in Python to test our equipment
Author: Sébastien Dudek (@FlUxIuS) @ Penthertz
Credits: whisperpair.eu for the discovery, and the wpair-app APK from @ZalexDev, which shortened the implementation time
⚠️ Disclaimer
For authorized security research only. Test only on devices you own.
🐛 The Vulnerability
CVE-2025-36911 affects Google Fast Pair implementations on millions of Bluetooth audio devices.
Normal behavior: Devices should only accept pairing requests when in pairing mode (button held, case opened, etc.)
Vulnerable behavior: Devices accept Key-Based Pairing (KBP) requests anytime, even when idle or already paired.
Impact
- 🔊 Unauthorized pairing to victim's earbuds/headphones
- 🎤 Potential audio injection/eavesdropping
- 📍 Device tracking via account keys
⚡ Quick Start
```bash
# Install
pip install bleak cryptography
git clone https://github.com/Penthertz/CVE-2025-36911-exploit.git
cd CVE-2025-36911-exploit

# Scan for targets
python3 whisperpair-cli.py scan

# Test if vulnerable
python3 whisperpair-cli.py test AA:BB:CC:DD:EE:FF

# Exploit
python3 whisperpair-cli.py exploit --quick
```
🎯 Exploit Strategy
```
┌─────────────────────────────────────────────────────────────┐
│  ATTACKER                           VULNERABLE DEVICE       │
│                                                             │
│  1. BLE Scan ─────────────────────► Fast Pair Advertisement │
│     (Find target)                   (Model ID visible)      │
│                                                             │
│  2. Connect ──────────────────────► GATT Connection         │
│                                                             │
│  3. KBP Request ──────────────────► Key-Based Pairing Char  │
│     (Should be rejected             ✗ NOT REJECTED!         │
│      when not in pairing mode)      (CVE-2025-36911)        │
│                                                             │
│  4. Parse Response ◄──────────────  BR/EDR Address          │
│                                                             │
│  5. Write Account Key ────────────► Account Key Char        │
│     (Persistent access)             ✓ ACCEPTED              │
│                                                             │
│  6. Classic BT Pair ──────────────► Audio Profiles (A2DP)   │
│     (Game over)                                             │
└─────────────────────────────────────────────────────────────┘
```
The tool tries multiple strategies automatically:
- ENCRYPTED_ECDH - Spec-compliant 80-byte encrypted request
- RAW_WITH_PUBKEY - Raw block + public key (some devices)
- RAW_KBP - Plain 16-byte request (broken implementations)
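Seen from the device side, the mitigation is a state check that runs before any of these request shapes is processed. The following is an added example (not code from this tool or the original README) that models a vulnerable and a hardened Key-Based Pairing gate over constructed inputs. The class and function names are hypothetical, the hash comparison is a constructed stand-in for the real decryption check, and it assumes an 80-byte write is a 16-byte block followed by a 64-byte public key.

```python
import hashlib
from dataclasses import dataclass, field

BLOCK_LEN = 16    # Key-Based Pairing request block
PUBKEY_LEN = 64   # optional public key appended to the block (assumption: 16 + 64 = 80)

@dataclass
class ProviderState:  # hypothetical model of the headset's state
    pairing_mode: bool = False
    account_keys: list = field(default_factory=list)

def block_matches_key(block: bytes, key: bytes) -> bool:
    # Constructed stand-in for "decrypt the block with this key and verify it";
    # real firmware performs the cryptographic check at this point.
    return block == hashlib.sha256(key).digest()[:BLOCK_LEN]

def vulnerable_gate(state: ProviderState, payload: bytes):
    # Behaviour described on this page: device state is never consulted.
    ok = len(payload) in (BLOCK_LEN, BLOCK_LEN + PUBKEY_LEN)
    return ok, "state never consulted"

def hardened_gate(state: ProviderState, payload: bytes):
    if len(payload) == BLOCK_LEN + PUBKEY_LEN:
        # A fresh public key means first-time pairing: allowed in pairing mode only.
        if not state.pairing_mode:
            return False, "public-key request outside pairing mode"
        return True, "initial pairing in pairing mode"
    if len(payload) == BLOCK_LEN:
        # No public key: the block must validate under a stored account key.
        if any(block_matches_key(payload, k) for k in state.account_keys):
            return True, "known account key"
        return False, "block does not validate under any stored account key"
    return False, "unexpected length"

def run_cases():
    key = bytes(range(16))                                  # constructed account key
    good_block = hashlib.sha256(key).digest()[:BLOCK_LEN]   # constructed valid block
    idle = ProviderState(pairing_mode=False, account_keys=[key])
    pairing = ProviderState(pairing_mode=True)
    cases = {
        "80-byte, idle": (idle, bytes(80)),
        "80-byte, pairing mode": (pairing, bytes(80)),
        "16-byte raw, idle": (idle, bytes(16)),
        "16-byte known key, idle": (idle, good_block),
    }
    return {n: (vulnerable_gate(s, p)[0], hardened_gate(s, p)[0]) for n, (s, p) in cases.items()}

if __name__ == "__main__":
    for name, (vuln, hard) in run_cases().items():
        print(f"{name:26} vulnerable={vuln!s:5} hardened={hard}")
```

A rejection by the hardened gate while the device is idle is also the event worth logging or counting in firmware telemetry.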
📋 Commands
| Command | Description |
|---|---|
| `scan` | Live-updating BLE scan for Fast Pair devices |
| `scan -a` | Scan all BLE devices |
| `info <addr>` | Show GATT services/characteristics |
| `test <addr>` | Non-invasive vulnerability check |
| `exploit <addr>` | Full exploit chain |
| `exploit -q` | Auto-scan + exploit first target |
🎧 Affected Devices
Tested vulnerable (check firmware updates):
| Brand | Models |
|---|---|
| Google | Pixel Buds Pro 2 (but gets updates pretty fast with Pixel phones) |
| Sony | WH-1000XM4, WH-1000XM5/XM6, LinkBuds S, WH-CH520 |
| JBL | JBL TUNE BEAM |
| Anker | Soundcore Liberty 4 NC |
| Jabra | Elite 8 Active |
| + many more | whisperpair.eu |