WPair is a defensive security research tool that demonstrates the CVE-2025-36911 vulnerability in Google's Fast Pair protocol.
This tool is provided for:
- Security research and education
- Testing devices you OWN
- Authorized penetration testing with written permission
Unauthorized access to computer systems is ILLEGAL.
Violators will be prosecuted under applicable laws including:
- Computer Fraud and Abuse Act (USA)
- Computer Misuse Act (UK)
- Similar legislation in your jurisdiction
By using this tool, you agree to use it responsibly and legally.
CVE-2025-36911 (also known as "WhisperPair") is a vulnerability in Google's Fast Pair protocol that affects millions of Bluetooth audio devices worldwide.
Impact:
- Unauthorized Bluetooth pairing without user consent
- Microphone access via Hands-Free Profile (HFP)
- Persistent device tracking via Account Key injection
CVSS Score: 8.1 (High)
Affected Devices: JBL, Sony, Google Pixel Buds, Anker, Nothing, OnePlus, Beats, Bose, Jabra, Xiaomi, and many others.
```bash
pip install wpair
```

```bash
git clone https://github.com/markmysler/wpair-cli.git
cd wpair-cli
pip install -e ".[dev]"
```

Discover nearby Bluetooth devices advertising Fast Pair service:

```bash
wpair scan --timeout 30
```

Options:

- `--timeout N` - Scan duration in seconds (default: 30)
- `--all` - Scan all BLE devices, not just Fast Pair

Example output:
```
┏━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━┓
┃ Name               ┃ Address          ┃ Model ID ┃ Signal ┃ Status  ┃
┡━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━┩
│ Pixel Buds Pro 2   │ AA:BB:CC:DD:EE:FF│ 30018E   │ ████   │ Unknown │
│ Sony WF-1000XM4    │ 11:22:33:44:55:66│ CD8256   │ ███    │ Unknown │
└────────────────────┴──────────────────┴──────────┴────────┴─────────┘
```
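
The Model ID column above comes from the service data a device advertises under the 16-bit UUID 0xFE2C. As an added example (not WPair's own code), the parser below pulls that field out of a raw BLE advertising payload so a defender can inventory Fast Pair devices in range. The function names, the sample payloads, and the rule that a 3-byte service-data body is a Model ID are assumptions of this example.

```python
from typing import Iterator, Optional, Tuple

FAST_PAIR_UUID = 0xFE2C      # 16-bit service UUID named on this page
AD_SERVICE_DATA_16 = 0x16    # AD type: Service Data, 16-bit UUID


def iter_ad_structures(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ad_type, data) for each length-prefixed AD structure."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:          # zero length marks padding; stop parsing
            return
        end = i + 1 + length
        if end > len(payload):   # declared length runs past the buffer
            raise ValueError(f"truncated AD structure at offset {i}")
        yield payload[i + 1], payload[i + 2:end]
        i = end


def fast_pair_info(payload: bytes) -> Optional[Tuple[str, Optional[str]]]:
    """Return ("discoverable", model_id), ("other", None), or None."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type != AD_SERVICE_DATA_16 or len(data) < 2:
            continue
        if int.from_bytes(data[:2], "little") != FAST_PAIR_UUID:
            continue
        body = data[2:]
        # Assumption: a 3-byte body is the 24-bit Model ID (pairing mode);
        # any other length is treated as a non-discoverable advertisement.
        if len(body) == 3:
            return "discoverable", body.hex().upper()
        return "other", None
    return None


# Constructed sample payloads (hex), not captured from real devices.
SAMPLES = {
    "pairing mode": "020106" "06162cfe30018e",
    "non-discoverable": "020106" "07162cfe000011ab",
    "battery service": "020106" "04160f1864",
}

if __name__ == "__main__":
    for label, hexstr in SAMPLES.items():
        print(f"{label:16} -> {fast_pair_info(bytes.fromhex(hexstr))}")
```
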
Test if a device is vulnerable without exploiting or pairing:
```bash
wpair test AA:BB:CC:DD:EE:FF
```

This performs a read-only test by sending a Key-Based Pairing request and interpreting the GATT error code. No pairing or modification occurs.

Output:

- `VULNERABLE` - Device accepts unauthenticated pairing requests
- `PATCHED` - Device correctly rejects unauthorized requests
- `ERROR` - Test inconclusive (device may already be paired)

```bash
wpair exploit AA:BB:CC:DD:EE:FF --confirm
```

The `--confirm` flag is required and serves as acknowledgment that you own the device or have explicit written permission.
What this does:
- Bypasses Key-Based Pairing authentication
- Establishes Bluetooth Classic bonding
- Writes persistent Account Key to device
- May enable microphone access via HFP profile
Display detailed information about the vulnerability:
```bash
wpair about
```

| Feature | Description |
|---|---|
| BLE Scanner | Discovers Fast Pair devices broadcasting the 0xFE2C service UUID |
| Vulnerability Tester | Non-invasive check if device is patched against CVE-2025-36911 |
| Exploit Demonstration | Full proof-of-concept for authorized security testing |
| Device Database | 20+ known vulnerable device models with quirks handling |
| Multi-Strategy Exploitation | 4 different KBP request strategies with automatic fallback |
| Progress Tracking | Real-time progress display with Rich terminal UI |
The attack chain abuses weaknesses in Google's Fast Pair Key-Based Pairing (KBP) protocol:

1. Discovery: Scan for devices advertising Fast Pair service (UUID 0xFE2C)
2. KBP Request: Send unauthenticated Key-Based Pairing request
3. Address Extraction: Parse BR/EDR address from response
4. Classic Bonding: Pair via Bluetooth Classic
5. Account Key Injection: Write persistent tracking identifier

- Protocol: Google Fast Pair (GATT-based BLE service)
- Vulnerability: Insufficient authentication in Key-Based Pairing
- Crypto: ECDH (secp256r1) + AES-ECB
- Persistence: Account Key stored in device NVRAM

WPair includes a database of 20+ confirmed vulnerable devices:
- Google Pixel Buds (multiple models)
- Sony WF-1000XM4, WH-1000XM5
- JBL Tune Buds, Live Pro 2
- Nothing Ear, Ear (a), Ear (2)
- OnePlus Buds Pro 2
- Beats Studio Buds+
- Anker Soundcore Liberty 4 NC
See `wpair/database/known_devices.py` for the full list.
```
wpair/
├── core/                        # Core functionality
│   ├── device.py                # Device data models
│   ├── scanner.py               # BLE scanner
│   ├── vulnerability_tester.py  # Non-invasive testing
│   └── exploit.py               # Exploitation engine
├── bluetooth/                   # Bluetooth adapters
│   └── classic_adapter.py       # BR/EDR pairing
├── crypto/                      # Cryptography
│   ├── ecdh.py                  # ECDH key exchange
│   └── aes.py                   # AES encryption
├── database/                    # Known devices database
├── ui/                          # User interface
│   └── terminal.py              # Rich-based TUI
└── cli.py                       # Click-based CLI
```
This tool is for AUTHORIZED security testing ONLY.
✅ Allowed:
- Testing your own devices
- Authorized penetration testing with written permission
- Academic security research in controlled environments
- Defensive security to identify vulnerable devices
❌ FORBIDDEN:
- Testing devices you do not own
- Unauthorized access to any device
- Malicious use or privacy violations
Unauthorized access to Bluetooth devices is ILLEGAL under:
- USA: Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
- UK: Computer Misuse Act 1990
- EU: Directive 2013/40/EU
- Similar legislation worldwide
By using this tool, you agree to use it only on devices you own or have explicit written permission to test.
```bash
python -m venv venv
source venv/bin/activate  # or venv\Scripts\activate on Windows
pip install -e ".[dev]"
```

```bash
pytest
```

```bash
black wpair/
ruff check wpair/
```

```bash
mypy wpair/
```

| Researcher | Affiliation |
|---|---|
| Sayon Duttagupta | COSIC Group |
| Nikola Antonijević | COSIC Group |
| Bart Preneel | COSIC Group |
| Seppe Wyns | DistriNet Group |
| Dave Singelée | DistriNet Group |
Funding: Flemish Government Cybersecurity Research Program (VOEWICS02)
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
This application is an independent implementation created for security research purposes. The original KU Leuven researchers discovered and disclosed the vulnerability but have not released any code and are not affiliated with this project. Their inclusion in credits is solely to acknowledge their research contribution.
Built for the security research community.