A security research toolkit for demonstrating CVE-2025-36911 (WhisperPair), a critical vulnerability in Google Fast Pair affecting hundreds of millions of Bluetooth audio devices.
WhisperPair allows attackers to forcibly pair with vulnerable Bluetooth earbuds and headphones without user interaction, potentially enabling:
- 🎤 Eavesdropping via device microphone
- 🔊 Audio injection into victim's earbuds
- 📍 Location tracking via Google Find Hub
- 🔐 Persistent access via account key injection
Affected Brands: Sony, Google, JBL, Jabra, Anker, Nothing, OnePlus, Xiaomi, Marshall, and more.
| Component | Description |
|---|---|
| `fastpair_exploit.py` | Python scanner, tester, and exploit tool |
| `esp32_vulnerable_earbud/` | ESP32 firmware to emulate a vulnerable device |
| `DOCUMENTATION.md` | Full technical writeup and demo guide |
```bash
# Clone the repository
git clone https://github.com/yourusername/whisperpair-toolkit.git
cd whisperpair-toolkit
# Install dependencies
pip install -r requirements.txt
```

```bash
# List known vulnerable devices
python fastpair_exploit.py list
# Scan for Fast Pair devices
python fastpair_exploit.py scan
# Test a specific device
python fastpair_exploit.py test AA:BB:CC:DD:EE:FF
# Run full exploit chain
python fastpair_exploit.py exploit AA:BB:CC:DD:EE:FF
```

```
📡 Scanning for Fast Pair devices (10.0s)...
● Sony WF-1000XM4
Address: AA:BB:CC:DD:EE:FF RSSI: -45 dBm
Mode: idle | ⚠️ KNOWN VULNERABLE
Model ID: CD8256
──────────────────────────────────────────────────
📊 Found 1 device(s)
⚠️ 1 KNOWN VULNERABLE:
• Sony WF-1000XM4 (AA:BB:CC:DD:EE:FF)
```
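For inventorying devices that still need the firmware update, the Model ID shown in the scan output can be read from the Fast Pair service data (16-bit UUID 0xFE2C) in a BLE advertisement. The sketch below is an added example, not code from this toolkit: the sample advertisements are constructed, the lookup table holds only the one Model ID shown above, and treating a 3-byte payload as the Model ID is an assumption based on the Fast Pair discoverable advertising format.

```python
"""Added example: triage Fast Pair devices from raw BLE advertisement bytes."""

FAST_PAIR_UUID = 0xFE2C     # 16-bit service UUID used by Google Fast Pair
AD_SERVICE_DATA_16 = 0x16   # AD type: Service Data with a 16-bit UUID

# Only entry taken from the page's sample scan output; extend from vendor advisories.
KNOWN_VULNERABLE = {"CD8256": "Sony WF-1000XM4"}

def iter_ad_structures(payload: bytes):
    """Yield (ad_type, data) pairs, stopping at padding or a truncated record."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return  # zero length is padding; an overrun is malformed, so stop
        yield payload[i + 1], payload[i + 2 : i + 1 + length]
        i += 1 + length

def fast_pair_model_id(payload: bytes):
    """Return the 24-bit Model ID as upper-case hex, or None if not present."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type != AD_SERVICE_DATA_16 or len(data) < 2:
            continue
        if int.from_bytes(data[:2], "little") != FAST_PAIR_UUID:
            continue
        body = data[2:]
        # Assumption: exactly 3 bytes is a Model ID; other lengths are account-key data.
        return body.hex().upper() if len(body) == 3 else None
    return None

def triage(adverts: dict):
    """Map address -> (model_id, product name or None) for Fast Pair devices."""
    report = {}
    for addr, payload in adverts.items():
        model = fast_pair_model_id(payload)
        if model is not None:
            report[addr] = (model, KNOWN_VULNERABLE.get(model))
    return report

# Constructed sample advertisements (not captured from real devices).
SAMPLE = {
    "AA:BB:CC:DD:EE:FF": bytes.fromhex("020106" "06162cfecd8256"),
    "11:22:33:44:55:66": bytes.fromhex("020106" "06162cfe123456"),
    "77:88:99:AA:BB:CC": bytes.fromhex("020106" "0303e0ff"),  # no Fast Pair data
}
```

A device that appears in the report with a product name is on the known-vulnerable list and should be checked for a vendor firmware update; a `None` name means the Model ID is not in the local table, not that the device is safe.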
For safe demonstration without real vulnerable devices, flash an ESP32 to emulate vulnerable earbuds.
- Install Arduino IDE with ESP32 support
- Open `esp32_vulnerable_earbud/esp32_vulnerable_earbud.ino`
- Select your ESP32 board (tested on ESP32-C6)
- Upload and open Serial Monitor (115200 baud)

The ESP32 will advertise as a vulnerable Fast Pair device, accepting unauthorized pairing requests and logging the attack in real time.
See DOCUMENTATION.md for:
- Detailed vulnerability explanation
- Protocol analysis
- Classroom demo script
- Remediation guidance
| Manufacturer | Model | Status |
|---|---|---|
| Sony | WH-1000XM6/XM5/XM4 | Vulnerable (patch available) |
| Sony | WF-1000XM5/XM4 | Vulnerable (patch available) |
| Google | Pixel Buds Pro 2 | Vulnerable (patch available) |
| JBL | Tune Beam, Live Pro 2 | Vulnerable |
| Jabra | Elite 8 Active | Vulnerable |
| Anker | Soundcore Liberty 4 NC | Vulnerable |
| Nothing | Ear (a) | Vulnerable |
| OnePlus | Nord Buds 3 Pro | Vulnerable |
| Xiaomi | Redmi Buds 5 Pro | Vulnerable |
Full list: whisperpair.eu/vulnerable-devices
The only fix is a firmware update from your device manufacturer.
| Brand | Update Method |
|---|---|
| Sony | Sony Headphones Connect app |
| Google | Automatic via Pixel Buds app |
| JBL | JBL Headphones app |
| Jabra | Jabra Sound+ app |
| Anker | Soundcore app |
Updating your phone does not fix the vulnerability—the flaw is in the earbuds themselves.
- WhisperPair Official Site
- CVE-2025-36911 (NVD)
- KU Leuven Research Paper
- Google Fast Pair Specification
Original Research:
- COSIC Group, KU Leuven (Sayon Duttagupta, Nikola Antonijević, Bart Preneel)
- DistriNet Group, KU Leuven (Seppe Wyns, Dave Singelée)
This Toolkit:
- Steven Perumean (Python port & ESP32 emulator)
This toolkit is provided for educational and authorized security research purposes only.
- ✅ Test devices you own
- ✅ Use in controlled lab environments
- ✅ Educational demonstrations
- ❌ Unauthorized access to others' devices
- ❌ Eavesdropping or surveillance
- ❌ Any illegal activity
Unauthorized interception of communications is a federal crime.
The authors are not responsible for misuse of this software.
MIT License - See LICENSE for details.
Built for cybersecurity education at California Baptist University