WPair Scanner Released to Detect WhisperPair Flaw in Google’s Fast Pair Protocol

WPair Scanner is an open-source Android application designed to identify and test devices vulnerable to CVE-2025-36911, a critical authentication bypass flaw in Google’s Fast Pair Bluetooth protocol.

The vulnerability, commonly referred to as WhisperPair, affects millions of Bluetooth audio devices worldwide. It enables unauthorised pairing and can give an attacker access to the device’s microphone without the user’s consent.

CVE-2025-36911 is an authentication weakness in the Fast Pair Key-Based Pairing mechanism.

The flaw stems from missing signature verification on pairing requests and the absence of any user-confirmation step, which together let an attacker establish a persistent Bluetooth connection to a vulnerable device.

The attack chain begins with a BLE scan for devices advertising the Fast Pair service UUID 0xFE2C, proceeds through a Key-Based Pairing bypass, and ends with a Bluetooth Classic bond that gives the attacker lasting access to the device’s audio profiles.
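The first step of that chain, and the job of the BLE Scanner mode described later in this article, is picking Fast Pair providers out of the advertisements a phone sees. The parser below is an added example written for this article; it is not code from WPair Scanner or from the KU Leuven researchers. It follows the public Fast Pair advertising layout (service UUID 0xFE2C carried as 16-bit Service Data; a 3-byte Model ID when the device is in pairing mode, a flags byte plus Account Key Filter and salt fields otherwise) and runs offline on advertising payloads that are constructed by hand, not captured from real devices.

```python
"""Detect Google Fast Pair advertisements in raw BLE advertising payloads.

Added example for this article; not code from WPair Scanner or the researchers.
The payloads at the bottom are constructed by hand. Layout per the public
Fast Pair spec: the provider carries the 16-bit service UUID 0xFE2C in a
Service Data structure (AD type 0x16). In pairing mode the service data is
the 3-byte Model ID; outside pairing mode it is a version/flags byte followed
by length/type-prefixed fields (Account Key Filter, salt).
"""
from dataclasses import dataclass
from typing import Optional

FAST_PAIR_UUID = 0xFE2C
AD_TYPE_SERVICE_DATA_16BIT = 0x16
FIELD_TYPES_ACCOUNT_KEY_FILTER = (0x0, 0x2)   # 0b0000 show UI, 0b0010 hide UI
FIELD_TYPE_SALT = 0x1


def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.

    Each AD structure is <length><type><data>; length counts the type byte
    plus the data. A length that overruns the payload raises rather than being
    silently truncated: a scanner fed attacker-controlled advertisements
    should not guess at their structure.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:               # zero padding: nothing further to parse
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        structures.append((payload[i + 1], bytes(payload[i + 2:end])))
        i = end
    return structures


@dataclass
class FastPairAdvert:
    in_pairing_mode: bool
    model_id: Optional[int] = None              # only in pairing mode
    account_key_filter: Optional[bytes] = None  # only outside pairing mode
    salt: Optional[bytes] = None


def _parse_non_discoverable(service_data: bytes) -> FastPairAdvert:
    """Walk the length/type fields that follow the version/flags byte."""
    advert = FastPairAdvert(in_pairing_mode=False)
    i = 1                                  # skip version/flags byte
    while i < len(service_data):
        header = service_data[i]
        length, ftype = header >> 4, header & 0x0F
        value = service_data[i + 1:i + 1 + length]
        if len(value) != length:
            raise ValueError("Fast Pair field overruns service data")
        if ftype in FIELD_TYPES_ACCOUNT_KEY_FILTER:
            advert.account_key_filter = value
        elif ftype == FIELD_TYPE_SALT:
            advert.salt = value
        i += 1 + length
    return advert


def classify_fast_pair(payload: bytes) -> Optional[FastPairAdvert]:
    """Return Fast Pair details when the payload carries 0xFE2C service data."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_TYPE_SERVICE_DATA_16BIT or len(data) < 2:
            continue
        if int.from_bytes(data[:2], "little") != FAST_PAIR_UUID:
            continue                       # UUIDs are little-endian on air
        service_data = data[2:]
        if len(service_data) == 3:
            # Discoverable (pairing-mode) advertisement: 24-bit Model ID, big-endian
            return FastPairAdvert(True, model_id=int.from_bytes(service_data, "big"))
        if len(service_data) >= 1:
            return _parse_non_discoverable(service_data)
    return None


def scan_report(adverts: dict[str, bytes]) -> dict[str, str]:
    """Summarise a batch of advertisements, one line per advertiser."""
    report = {}
    for name, payload in adverts.items():
        try:
            fp = classify_fast_pair(payload)
        except ValueError as exc:
            report[name] = f"malformed: {exc}"
            continue
        if fp is None:
            report[name] = "not Fast Pair"
        elif fp.in_pairing_mode:
            report[name] = f"Fast Pair, pairing mode, model ID 0x{fp.model_id:06X}"
        elif fp.account_key_filter is None:
            report[name] = "Fast Pair, not discoverable, no account keys"
        else:
            report[name] = "Fast Pair, not discoverable, account key filter present"
    return report


# Constructed advertising payloads (not captured from real devices)
PAIRING_MODE_ADVERT = bytes.fromhex("020106" + "06162CFE112233" + "020A00")
NON_DISCOVERABLE_ADVERT = bytes.fromhex("020106" + "0B162CFE0040AABBCCDD115E")
OTHER_ADVERT = bytes.fromhex("020106" + "03030F18")          # Battery Service only
MALFORMED_ADVERT = bytes.fromhex("020106" + "08162CFE11")    # length overruns payload

if __name__ == "__main__":
    for name, line in scan_report({
        "headset-A": PAIRING_MODE_ADVERT, "headset-B": NON_DISCOVERABLE_ADVERT,
        "sensor": OTHER_ADVERT, "junk": MALFORMED_ADVERT}).items():
        print(f"{name}: {line}")
```

On a phone the payloads come from the platform BLE scan callback instead of the constants above; the classification logic is the same. The distinction between the two advertisement shapes matters for triage: a device advertising its Model ID is in pairing mode and expects to be paired, while a device advertising an Account Key Filter has already been set up by its owner.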

Researchers from KU Leuven’s COSIC and DistriNet groups discovered the vulnerability through systematic protocol analysis.

The flaw also allows attackers to write persistent Account Keys to the device, which would enable covert tracking through Google’s Find Hub network.

Notably, WPair deliberately omits FMDN (Find My Device Network) provisioning so that the tool cannot be repurposed as stalkerware.

WPair Scanner Capabilities

The tool gives security researchers three operational modes: scanning for unpatched devices, a non-invasive test that determines patch status without triggering pairing, and proof-of-concept exploitation for authorized security assessments.

Post-exploitation, the application can open a Hands-Free Profile (HFP) audio link, allowing real-time listening on the device’s microphone and recording to M4A files.

The BLE scanner discovers Fast Pair devices in pairing mode and identifies vulnerable implementations by analysing the cryptographic handshake, as reported by ZalexDev.

Affected manufacturers include JBL, Harman Kardon, Sony (select models), and Marshall, with numerous additional vendors still deploying vulnerable implementations.

Core Scanner Features

Feature | Description | Status | Use Case
--- | --- | --- | ---
BLE Scanner | Discovers Fast Pair devices broadcasting the 0xFE2C service UUID | Active | Device inventory and reconnaissance
Vulnerability Tester | Non-invasive check to determine whether a device is patched against CVE-2025-36911 | Active | Risk assessment without triggering pairing
Exploit Demonstration | Full proof-of-concept exploitation for authorized security testing | Active | Authorized vulnerability validation
HFP Audio Access | Demonstrates microphone access via the Hands-Free Profile post-exploitation | Active | Impact demonstration
Live Listening | Real-time audio streaming to the phone speaker | Active | Proof-of-concept microphone access
Recording | Captures and saves audio streams as M4A files | Active | Evidence collection and testing

Installation requires Android 8.0 or later with Bluetooth LE support; the application is available as a GitHub release or can be built from source.

The vulnerability threatens millions of daily users relying on Fast Pair for seamless Bluetooth device pairing.

Attackers exploiting WhisperPair can establish persistent connections to a victim’s headphones without explicit consent, listen in on the microphone stream, and, through the persistence of Account Keys, lay the groundwork for location tracking.

[Figure: WPair workflow diagram (source: GitHub)]

Unlike traditional Bluetooth attacks, which require the attacker to be present while the user is pairing, CVE-2025-36911 allows the compromise of devices that have already been set up by their owner.

Device manufacturers need to ship firmware updates that verify signatures on pairing requests and require explicit user confirmation before a pairing completes.

Users should monitor vendor security advisories and apply patches promptly, particularly for frequently-used audio devices.

The WPair toolkit gives defenders a way to check for the flaw systematically across a mixed fleet of audio devices from different vendors.

By leaving the FMDN tracking functionality out of the codebase, the authors set a clear ethical boundary for the tool while keeping enough technical depth to validate vendor patches.
