WhisperPair Python CLI

January 27, 2026

Fast Pair CVE-2025-36911 Exploit Tool in Python to test our equipment

Author: Sébastien Dudek (@FlUxIuS) @ Penthertz
Credits: whisperpair.eu for the discovery, and this nice APK from @ZalexDev, which shortened the implementation time: wpair-app


⚠️ Disclaimer

For authorized security research only. Test only on devices you own.


🐛 The Vulnerability

CVE-2025-36911 affects Google Fast Pair implementations on millions of Bluetooth audio devices.

Normal behavior: Devices should only accept pairing requests when in pairing mode (button held, case opened, etc.)

Vulnerable behavior: Devices accept Key-Based Pairing (KBP) requests anytime, even when idle or already paired.

Impact

  • 🔊 Unauthorized pairing to victim's earbuds/headphones
  • 🎤 Potential audio injection/eavesdropping
  • 📍 Device tracking via account keys

⚡ Quick Start

# Install
pip install bleak cryptography
git clone https://github.com/Penthertz/CVE-2025-36911-exploit.git
cd CVE-2025-36911-exploit

# Scan for targets
python3 whisperpair-cli.py scan

# Test if vulnerable
python3 whisperpair-cli.py test AA:BB:CC:DD:EE:FF

# Exploit
python3 whisperpair-cli.py exploit --quick

🎯 Exploit Strategy

┌─────────────────────────────────────────────────────────────┐
│  ATTACKER                           VULNERABLE DEVICE       │
│                                                             │
│  1. BLE Scan ─────────────────────► Fast Pair Advertisement │
│     (Find target)                   (Model ID visible)      │
│                                                             │
│  2. Connect ──────────────────────► GATT Connection         │
│                                                             │
│  3. KBP Request ──────────────────► Key-Based Pairing Char  │
│     (Should be rejected             ✗ NOT REJECTED!         │
│      when not in pairing mode)      (CVE-2025-36911)        │
│                                                             │
│  4. Parse Response ◄────────────── BR/EDR Address           │
│                                                             │
│  5. Write Account Key ────────────► Account Key Char        │
│     (Persistent access)             ✓ ACCEPTED              │
│                                                             │
│  6. Classic BT Pair ──────────────► Audio Profiles (A2DP)   │
│     (Game over)                                             │
└─────────────────────────────────────────────────────────────┘

The tool tries multiple strategies automatically:

  1. ENCRYPTED_ECDH - Spec-compliant 80-byte encrypted request
  2. RAW_WITH_PUBKEY - Raw block + public key (some devices)
  3. RAW_KBP - Plain 16-byte request (broken implementations)

More information here
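The same flow seen from the accessory, as an added example that is not part of the WhisperPair tool or of any vendor firmware: a simplified model of the state check whose absence is CVE-2025-36911. `ProviderModel`, its handler names and `demo_block_valid` (a constructed stand-in for decrypting and validating the request block) are hypothetical. It assumes the 80-byte request is a 16-byte block plus a 64-byte public key, and that a 16-byte request is only valid under an already stored account key.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List

BLOCK_LEN = 16    # encrypted request block (the 16-byte form on this page)
PUBKEY_LEN = 64   # appended public key: 16 + 64 = the 80-byte form

def demo_block_valid(key_material: bytes, block: bytes) -> bool:
    """Constructed stand-in for 'decrypt the block and validate its fields'."""
    expected = hashlib.sha256(key_material).digest()[:BLOCK_LEN]
    return hmac.compare_digest(block, expected)

@dataclass
class ProviderModel:
    """Hypothetical, simplified accessory state for one GATT connection."""
    in_pairing_mode: bool = False
    account_keys: List[bytes] = field(default_factory=list)
    kbp_done: bool = False  # True only after an accepted KBP request
    block_valid: Callable[[bytes, bytes], bool] = demo_block_valid

    def on_kbp_write(self, value: bytes) -> bool:
        """Return True if a Key-Based Pairing write is accepted."""
        self.kbp_done = False
        if len(value) == BLOCK_LEN + PUBKEY_LEN:
            # Request carries a public key (first-time pairing): only honour it
            # while the user has put the device in pairing mode. This is the
            # state check that CVE-2025-36911 devices skip.
            if not self.in_pairing_mode:
                return False
            block, pubkey = value[:BLOCK_LEN], value[BLOCK_LEN:]
            self.kbp_done = self.block_valid(pubkey, block)
        elif len(value) == BLOCK_LEN:
            # No public key: must validate under an already stored account key,
            # so a plain (unencrypted) 16-byte request is dropped.
            self.kbp_done = any(self.block_valid(k, value) for k in self.account_keys)
        # Any other length is malformed and leaves kbp_done False.
        return self.kbp_done

    def on_account_key_write(self, value: bytes) -> bool:
        """Store an account key only after an accepted KBP on this connection."""
        if not self.kbp_done or len(value) != BLOCK_LEN:
            return False
        self.account_keys.append(value)
        return True
```

With both gates in place, steps 3 and 5 of the diagram fail on an idle device, while a peer that already holds an account key can still reconnect.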


📋 Commands

| Command | Description |
|---|---|
| scan | Live-updating BLE scan for Fast Pair devices |
| scan -a | Scan all BLE devices |
| info <addr> | Show GATT services/characteristics |
| test <addr> | Non-invasive vulnerability check |
| exploit <addr> | Full exploit chain |
| exploit -q | Auto-scan + exploit first target |

🎧 Affected Devices

Tested vulnerable (check firmware updates):

| Brand | Models |
|---|---|
| Google | Pixel Buds Pro 2 (but gets updates pretty fast with Pixel Phones) |
| Sony | WH-1000XM4, WH-1000XM5/XM6, LinkBuds S, WH-CH520 |
| JBL | JBL TUNE BEAM |
| Anker | Soundcore Liberty 4 NC |
| Jabra | Elite 8 Active |
| + many more | whisperpair.eu |