╔══════════╗
    ║ )))  ((( ║
    ║  ))  ((  ║
    ║   )  (   ║
    ║    )(    ║
    ║   [BT]   ║
    ╚══════════╝
        
┌─────────────────┐
│ SIGNAL DETECTED │
├─────────────────┤
│ FREQ: 2.4 GHz   │
│ RSSI: -42 dBm   │
│ STATUS: VULN    │
└─────────────────┘
Active Vulnerability • Millions Affected

WPair CVE-2025-36911

Defensive security research tool demonstrating the WhisperPair vulnerability in Google's Fast Pair protocol. Unauthorized pairing and microphone access without user consent.

download Download APK code View Source
wpair_scan.log
$ wpair --scan --verbose
[*] Scanning for Fast Pair devices (UUID: 0xFE2C)...
[+] Found: JBL Tune 760NC [-47 dBm]
[*] Testing vulnerability status...
[!] VULNERABLE - Key-Based Pairing bypass successful
[!] Device accepts unsigned pairing requests
8.1
CVSS Score
M+
Devices Affected
50+
Manufacturers
0
User Consent Required
// The Vulnerability

WhisperPair Attack Vector

A critical flaw in Fast Pair's Key-Based Pairing mechanism allows attackers to silently connect to Bluetooth audio devices.

warning

Missing Signature Verification

Devices accept Key-Based Pairing requests without validating the cryptographic signature, allowing forged pairing attempts.

person_off

No User Confirmation

The protocol doesn't require explicit user consent for pairing. Devices connect silently without any notification.

key

Persistent Access

Attackers can write Account Keys for permanent device tracking and repeated unauthorized access.

mic

Microphone Access

Full access to device microphone via HFP profile enables real-time audio capture and recording.

// Attack Chain

Exploitation Flow

1 BLE Scan
2 Fast Pair Detection
3 Vuln Test
4 Key-Based Bypass
5 BR/EDR Bond
6 HFP Connect
7 Audio Access
// Capabilities

Tool Features

sensors

BLE Scanner

Discovers Fast Pair devices broadcasting the 0xFE2C service UUID with real-time signal strength monitoring.

search

Vulnerability Tester

Non-invasive check to determine if device is patched against CVE-2025-36911 without completing pairing.

bolt

Exploit Demonstration

Full proof-of-concept for authorized security testing with complete attack chain execution.

headphones

HFP Audio Access

Demonstrates microphone access post-exploitation via Hands-Free Profile connection.

radio_button_checked

Live Listening

Real-time audio streaming directly to phone speaker for immediate verification.

save

Recording

Save captured audio as M4A files for documentation and evidence collection.

// Impact

Affected Manufacturers

Major audio device manufacturers with vulnerable Fast Pair implementations.

JBL
Harman Kardon
Sony
Marshall
Bose
Skullcandy
Anker
Jabra
Beats
Sennheiser
Audio-Technica
+ Many More
// Get Started

Download WPair

v1.1 • Latest Release

WPair-v1.1.apk

Android application for vulnerability scanning and security research

download Download from GitHub
Android 8.0+
Minimum OS
BLE Support
Required
Location
Permission
// Acknowledgments

Credits

App Developer

@ZalexDev
Independent implementation, design, and development. All code written from scratch.
github.com/zalexdev arrow_forward

Original Research

KU Leuven, Belgium
COSIC & DistriNet Groups — Vulnerability discovery and disclosure
whisperpair.eu arrow_forward

Researchers

Sayon Duttagupta, Seppe Wyns
Primary authors | Nikola Antonijevic, Bart Preneel, Dave Singelee
Watch Demo Video arrow_forward
info

This application is an independent implementation created by @ZalexDev. The original KU Leuven researchers discovered and disclosed the vulnerability but have not released any code and are not affiliated with this project. Their inclusion in credits is solely to acknowledge their research contribution. All development, design, and implementation work was done independently.