WPair is an Android application designed to identify and demonstrate the CVE-2025-36911 vulnerability affecting millions of Bluetooth audio devices worldwide.
The tool addresses a critical authentication bypass flaw discovered by KU Leuven researchers in Google’s Fast Pair protocol, commonly referred to as WhisperPair.
CVE-2025-36911 represents a systemic failure in Fast Pair implementations across multiple manufacturers and chipsets. The vulnerability stems from improper enforcement of pairing mode verification.

According to the WhisperPair research, many devices fail to disregard pairing requests from unauthorized sources when not explicitly in pairing mode, allowing attackers to forcibly establish connections within seconds at ranges up to 14 meters. The attack requires no user interaction or physical device access, making it particularly dangerous for consumer audio equipment.
WPair Functionality
The application provides three core scanning and testing modes. The BLE Scanner discovers nearby Fast Pair devices by identifying devices that broadcast the 0xFE2C service UUID.
The Vulnerability Tester performs non-invasive checks to determine patch status without establishing connections.
For authorized security research, the Exploit feature demonstrates the complete attack chain, including key-based pairing bypass, BR/EDR address extraction, and Bluetooth Classic bonding.
| Feature | Description |
|---|---|
| BLE Scanner | Detects Fast Pair devices in real time |
| Vulnerability Tester | Checks CVE-2025-36911 patch status safely |
| Exploit Demo | Proof-of-concept for authorized testing |
| HFP Audio Access | Shows microphone access after exploit |
| Live Listening | Streams audio to phone instantly |
| Audio Recording | Saves captured audio for analysis |
| Device Status Detection | Flags devices in pairing mode |
| Key-Based Bypass | Demonstrates Fast Pair auth bypass |
| BR/EDR Extraction | Retrieves Bluetooth Classic addresses |
| Classic Bonding | Creates persistent audio connections |
| Account Key Persistence | Demonstrates long-term device tracking |
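As an added example (not WPair's own code), the following Python parser walks raw BLE advertisement structures, recognises the 0xFE2C Fast Pair service data that the BLE Scanner keys on, and reports whether the advertiser is in pairing mode, the state the Device Status Detection feature flags; this is the inventory check a defender would run to list Fast Pair devices that need a firmware update. It assumes the Fast Pair convention that a discoverable device publishes a three-byte Model ID as service data while a non-discoverable device publishes a longer account-key filter; the sample payloads are constructed, not captured.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

FAST_PAIR_UUID = 0xFE2C          # 16-bit service UUID used by Google Fast Pair
AD_TYPE_SERVICE_DATA_16 = 0x16   # "Service Data - 16-bit UUID" AD type


def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a raw advertising payload into (ad_type, data) structures.

    Each structure is a length byte, an AD type byte, then length-1 data bytes.
    Zero-length padding and truncated trailing structures are skipped.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        ad_type = payload[i + 1]
        structures.append((ad_type, bytes(payload[i + 2 : i + 1 + length])))
        i += 1 + length
    return structures


@dataclass
class FastPairInfo:
    in_pairing_mode: bool
    model_id: Optional[str]  # hex Model ID when discoverable, else None


def inspect_fast_pair(payload: bytes) -> Optional[FastPairInfo]:
    """Return Fast Pair details if the payload carries 0xFE2C service data."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_TYPE_SERVICE_DATA_16 or len(data) < 2:
            continue
        if int.from_bytes(data[:2], "little") != FAST_PAIR_UUID:  # UUID is LE
            continue
        service_data = data[2:]
        if len(service_data) == 3:  # assumed: bare Model ID => pairing mode
            return FastPairInfo(True, service_data.hex().upper())
        return FastPairInfo(False, None)  # assumed: account key filter => idle
    return None


# Constructed sample payloads (not captured from real devices).
PAIRING_MODE_ADV = bytes.fromhex("020106" "0616" "2CFE" "AABBCC")
IDLE_ADV = bytes.fromhex("020106" "0A16" "2CFE" "00411234567800")
NO_FAST_PAIR_ADV = bytes.fromhex("020106" "0303" "0F18")  # battery service only
```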
Post-exploitation capabilities include accessing the Hands-Free Profile for microphone functionality.
Users can enable live audio streaming directly to their phone speaker or save captured audio as M4A files for forensic analysis.
The vulnerability allows attackers to hijack devices without authorization, enabling them to control audio playback, record conversations, and potentially establish persistent tracking through Google’s Find Hub Network.
If a device has never connected to an Android device, attackers can add it to their own account for location tracking, exploiting the mechanism that designates the first Account Key writer as the device owner.

Affected manufacturers include JBL, Harman Kardon, Sony, Marshall, and numerous others, impacting an estimated hundreds of millions of users globally.
Technical Requirements and Installation Options
| Category | Details |
|---|---|
| Minimum Android Version | Android 8.0 (API 26) or higher |
| Bluetooth Support | Bluetooth Low Energy (BLE) required |
| Permissions | Location permissions (or Nearby Devices on Android 13+) |
| Installation – APK | Download pre-compiled APK from Releases |
| Installation – Source Build | Build from source using Gradle |
Google classified this issue as critical and awarded researchers the maximum $15,000 bounty. The 150-day disclosure window ended in January 2026, and manufacturers are now releasing patches.
WPair explicitly excludes Find Hub Network provisioning functionality to maintain ethical boundaries around stalkerware implementation.
WPair requires Android 8.0 or higher with Bluetooth LE support and appropriate location permissions. The application is available as a precompiled APK and can also be built from source with Gradle.
According to the advisory, security researchers should verify they possess explicit written authorization before testing devices they do not own.
The tool represents a significant advancement in vulnerability assessment for the IoT audio ecosystem, enabling manufacturers and security teams to identify affected devices requiring immediate firmware updates.
