https://github.com/SpectrixDev/DIY_WhisperPair
Hijacking Bluetooth Accessories Using Google Fast Pair: WhisperPair CVE-2025-36911 Reference Implementation & Vulnerability Verification Toolkit
https://github.com/SpectrixDev/DIY_WhisperPair
bluetooth cve-2025-36911 cybersecurity python whisperpair
Last synced: about 1 month ago
JSON representation
Hijacking Bluetooth Accessories Using Google Fast Pair: WhisperPair CVE-2025-36911 Reference Implementation & Vulnerability Verification Toolkit
- Host: GitHub
- URL: https://github.com/SpectrixDev/DIY_WhisperPair
- Owner: SpectrixDev
- License: other
- Created: 2026-01-17T01:18:36.000Z (5 months ago)
- Default Branch: master
- Last Pushed: 2026-01-18T13:14:21.000Z (5 months ago)
- Last Synced: 2026-02-11T21:04:35.818Z (4 months ago)
- Topics: bluetooth, cve-2025-36911, cybersecurity, python, whisperpair
- Language: Python
- Homepage:
- Size: 206 KB
- Stars: 57
- Watchers: 4
- Forks: 9
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: security_demo.py
Awesome Lists containing this project
README
# DIY-WhisperPair
**CVE-2025-36911 Reference Implementation & Vulnerability Verification Toolkit**
[](https://whisperpair.eu)
[](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-36911)
[](https://whisperpair.eu)
> **LEGAL NOTICE**: This is a security research tool. **Read [LEGAL.md](LEGAL.md) before use.** Unauthorized access to computer systems is a criminal offence.
---
## What is WhisperPair?
**Hijacking Bluetooth Accessories Using Google Fast Pair.**
**[WhisperPair](https://whisperpair.eu) (CVE-2025-36911)** is a critical vulnerability that allows attackers to forcefully pair with flagship audio accessories **without user consent**, often in under 10 seconds.
**`DIY-WhisperPair`** is a research toolkit implementing these attacks to demonstrate three key risks:
* **Device Hijacking**: Seizing control of audio and microphone streams by bypassing pairing mode checks.
* **Location Tracking**: Maliciously registering devices to Google's Find Hub Network to stalk victims.
* **Cross-Ecosystem Impact**: Exploiting accessories regardless of the paired phone (iOS or Android).
> [!NOTE]
> **Research Only**: This toolkit contains **Proof-of-Concept** scanners and verifiers. It does **not** include tools for active eavesdropping, persistent location tracking, or malicious payload injection. Its purpose is solely to identify vulnerable devices.
---
## Quick Start
```bash
# Install
git clone https://github.com/SpectrixDev/DIY_WhisperPair.git
cd DIY_WhisperPair
pip install -e .
# Run interactive CLI
whisperpair
```
This launches an interactive menu:
```
╦ ╦╦ ╦╦╔═╗╔═╗╔═╗╦═╗╔═╗╔═╗╦╦═╗
║║║╠═╣║╚═╗╠═╝║╣ ╠╦╝╠═╝╠═╣║╠╦╝
╚╩╝╩ ╩╩╚═╝╩ ╚═╝╩╚═╩ ╩ ╩╩╩╚═
────────────── Main Menu ──────────────
1 Scan Discover Fast Pair devices nearby
2 Verify Test device vulnerability (requires authorization)
3 Info Get detailed device information
4 About Learn about CVE-2025-36911
0 Exit Quit the application
Select option [1]:
```
---
## For Researchers: Python API
This library is designed to be **easily extensible**. Import what you need:
### Simple Functions
```python
import asyncio
from whisperpair import scan_devices, verify_device, get_device_info
# Scan for Fast Pair devices
devices = asyncio.run(scan_devices(timeout=10))
for d in devices:
print(f"{d.address} - {d.name} - Risk: {'HIGH' if not d.is_in_pairing_mode else 'Low'}")
# Find only vulnerable devices (not in pairing mode)
vulnerable = asyncio.run(scan_devices(vulnerable_only=True))
# Verify a specific device (REQUIRES AUTHORIZATION)
result = asyncio.run(verify_device("AA:BB:CC:DD:EE:FF"))
if result.success:
print(f"VULNERABLE - Provider: {result.provider_address}")
# Get device info
info = asyncio.run(get_device_info("AA:BB:CC:DD:EE:FF"))
print(f"Model: {info['model_name']}")
```
### Building Custom Tools
```python
from whisperpair import (
# Scanner
FastPairScanner,
FastPairDevice,
# Client
FastPairClient,
VerificationResult,
# Protocol
KeyBasedPairingRequest,
KeyBasedPairingResponse,
PairingRequestFlags,
parse_bluetooth_address,
parse_kbp_response_multi_strategy,
# Crypto
FastPairCrypto,
aes_128_encrypt,
aes_128_decrypt,
generate_account_key,
# Constants
FAST_PAIR_SERVICE_UUID,
KEY_BASED_PAIRING_CHAR_UUID,
KNOWN_MODEL_IDS,
)
# Custom scanner with callbacks
def on_found(device: FastPairDevice):
if not device.is_in_pairing_mode:
print(f"[!] Potential target: {device.address}")
scanner = FastPairScanner(timeout=15, on_device_found=on_found)
asyncio.run(scanner.scan())
# Build raw protocol packets (flags 0x11 = INITIATE_BONDING | EXTENDED_RESPONSE)
target_bytes = parse_bluetooth_address("AA:BB:CC:DD:EE:FF")
request = KeyBasedPairingRequest.for_verification(provider_address=target_bytes)
packet = request.build() # 16-byte plaintext
# Multiple verification strategies available:
# - strategy_raw_kbp() - flags 0x11, works on most vulnerable devices
# - strategy_with_seeker() - flags 0x02, includes seeker address
# - strategy_retroactive() - flags 0x0A, bypasses some checks
# - strategy_extended() - flags 0x10, for newer devices
# Full custom flow (AES key optional - response detection alone indicates vulnerability)
async with FastPairClient("AA:BB:CC:DD:EE:FF") as client:
model_id = await client.read_model_id()
result = await client.verify_pairing_behavior() # No key needed for detection
if result.response_received:
print("VULNERABLE - device responded when it shouldn't")
```
### Example Scripts
See [`examples.py`](examples.py) for copy-paste ready examples:
```bash
python examples.py scan # Basic scanning
python examples.py vulnerable # Find vulnerable devices
python examples.py verify AA:BB:CC:DD:EE:FF
python examples.py custom # Scanner with callbacks
```
---
## CLI Commands
### Interactive Mode (Default)
```bash
whisperpair
```
### Direct Commands
```bash
# Scan for devices
whisperpair scan
whisperpair scan --vulnerable
whisperpair scan --timeout 15
# Get device info
whisperpair info AA:BB:CC:DD:EE:FF
# Verify vulnerability (requires flags)
whisperpair verify AA:BB:CC:DD:EE:FF --authorized
# Learn about the vulnerability
whisperpair about
```
---
## Legal Requirements
### You MUST Have Authorization
This tool performs active Bluetooth operations. **Before running any verification commands**, you must have:
1. **Written permission** from the device owner, OR
2. **Own the device** yourself
### Jurisdiction-Specific Laws
| Jurisdiction | Relevant Law |
|--------------|--------------|
| **UK** | Computer Misuse Act 1990, Section 1-3A |
| **US** | Computer Fraud and Abuse Act (CFAA) |
| **EU** | Directive 2013/40/EU |
| **Germany** | § 202a-c StGB |
| **Australia** | Criminal Code Act 1995, Part 10.7 |
**See [LEGAL.md](LEGAL.md) for detailed guidance.**
---
## The Vulnerability (CVE-2025-36911)
### The Flaw
Google Fast Pair requires devices to **only accept pairing requests when in pairing mode**. Many devices fail this check:
```
EXPECTED: Device checks "Am I in pairing mode?" → NO → Reject
ACTUAL: Device accepts request regardless of mode state
```
### How Detection Works
The vulnerability is detected by checking if a device **responds at all** to a Key-Based Pairing request when not in pairing mode:
```mermaid
graph TD
subgraph Packet["Key-Based Pairing Request (16 bytes)"]
direction LR
B0["0x00"]
B1["0x11"]
MAC["MAC: 6 bytes"]
Salt["Salt: 8 bytes"]
end
B0:::byte -- "Message Type" --> Desc0["Key-Based Pairing Request"]
B1:::byte -- "Flags" --> Desc1["INITIATE_BONDING | EXTENDED_RESP"]
classDef byte fill:#e1f5fe,stroke:#333,stroke-width:1px;
```
Detection: Response received = VULNERABLE (no AES key needed!)
### Impact
An attacker within Bluetooth range (~10-14m) can:
- **Play audio** through victim's headphones
- **Access microphone** for surveillance
- **Track location** via Google Find Hub
### Affected Devices (Pre-Patch)
| Manufacturer | Devices |
|--------------|---------|
| Google | Pixel Buds Pro 2 |
| Sony | WF-1000XM4, WH-1000XM5, LinkBuds S |
| JBL | Tune Buds, Live Pro 2 |
| Anker | Soundcore Liberty 4 |
| Others | See [whisperpair.eu](https://whisperpair.eu) |
---
## Project Structure
```
DIY_WhisperPair/
├── src/whisperpair/
│ ├── __init__.py # Public API exports
│ ├── scanner.py # BLE device discovery
│ ├── client.py # GATT client & verification
│ ├── protocol.py # Packet builders
│ ├── crypto.py # AES-128, ECDH, keys
│ ├── constants.py # UUIDs, Model IDs
│ └── cli.py # Interactive CLI
├── examples.py # Copy-paste code snippets
├── security_demo.py # Standalone verification demo
├── LEGAL.md
└── README.md
```
---
## Installation
```bash
git clone https://github.com/SpectrixDev/DIY_WhisperPair.git
cd DIY_WhisperPair
python3 -m venv venv
source venv/bin/activate # Linux/macOS
pip install -e .
```
### Requirements
- Python 3.10+
- Bluetooth adapter with BLE support
- Linux: BlueZ 5.50+
- Windows: Windows 10 1703+
- macOS: macOS 10.13+
---
## References
### Original Research
- **Website**: [whisperpair.eu](https://whisperpair.eu)
- **CVE**: [CVE-2025-36911](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-36911)
- **Paper**: "WhisperPair: Hijacking Bluetooth Accessories Using Google Fast Pair"
- **Authors**: KU Leuven DistriNet (Duttagupta, Antonijević, Preneel, Wyns, Singelée)
### Technical Docs
- [Google Fast Pair Spec](https://developers.google.com/nearby/fast-pair/specifications/introduction)
- [Key-based Pairing Protocol](https://developers.google.com/nearby/fast-pair/specifications/characteristics#key-based_pairing)
### Video
[](https://www.youtube.com/watch?v=-j45ShJINtc)
---
## Responsible Use
This tool is provided **solely** for:
- Security research and vulnerability verification
- Authorized penetration testing
- Device manufacturer validation
- Educational purposes
**NOT for**: Unauthorized access, harassment, surveillance, or any illegal activity.
---
## License
MIT License - See [LICENSE](LICENSE)
---
## Acknowledgments
- **SpectrixDev** - Project Maintainer
- **KU Leuven DistriNet** - Original research
- **Google Android Security Team** - Coordinated disclosure
- **Seytonic** - [Excellent explainer video](https://www.youtube.com/watch?v=Ux07J-wS2VA)