WPair Scanner Released to Detect WhisperPair Flaw in Google Fast Pair Protocol

Security researcher released WPair, an open-source Android application designed to identify and test devices vulnerable to CVE-2025-36911, a critical authentication bypass flaw in Google’s Fast Pair Bluetooth protocol.

The vulnerability, commonly known as WhisperPair, affects millions of Bluetooth audio devices worldwide, enabling unauthorized pairing and potentially granting unauthorized access to microphones without user consent.

Vulnerability Overview

CVE-2025-36911 represents a significant cryptographic weakness in the Fast Pair Key-Based Pairing mechanism.

The vulnerability stems from missing signature verification on pairing requests and the absence of user confirmation requirements, allowing attackers to establish persistent Bluetooth connections to vulnerable devices.

Researchers from KU Leuven’s COSIC and DistriNet groups discovered the vulnerability through systematic protocol analysis.

The attack chain begins with BLE scanning for devices broadcasting the 0xFE2C Fast Pair service UUID, proceeds through key-based pairing bypass, and culminates in Bluetooth Classic bonding that provides permanent audio profile access.

The flaw allows attackers to write persistent Account Keys, enabling covert device tracking through Google’s Find Hub Network infrastructure.

WPair Scanner Capabilities

The tool provides security researchers with three operational modes: vulnerability scanning for unpatched devices, non-invasive testing that determines patch status without triggering pairing, and proof-of-concept exploitation for authorized security assessments.

Post-exploitation, the application enables Hands-Free Profile audio access, enabling real-time microphone listening and M4A-format recording.

Feature	Description	Status	Use Case
BLE Scanner	Discovers Fast Pair devices broadcasting 0xFE2C service UUID	Active	Device inventory and reconnaissance
Vulnerability Tester	Non-invasive check to determine if device is patched against CVE-2025-36911	Active	Risk assessment without triggering pairing
Exploit Demonstration	Full proof-of-concept exploitation for authorized security testing	Active	Authorized vulnerability validation
HFP Audio Access	Demonstrates microphone access via Hands-Free Profile post-exploitation	Active	Impact demonstration
Live Listening	Real-time audio streaming to phone speaker	Active	Proof-of-concept microphone access
Recording	Capture and save audio streams as M4A files	Active	Evidence collection and testing

Field	Details
CVE ID	CVE-2025-36911
Vulnerability Type	Authentication Bypass / Cryptographic Weakness

Attackers exploiting WhisperPair can establish persistent connections to victim headphones without explicit consent, access microphone streams for eavesdropping, and build location-tracking infrastructure through Account Key persistence.

Unlike traditional Bluetooth exploits requiring proximity during pairing, CVE-2025-36911 enables post-pairing compromise of already-configured devices.

Installation requires Android 8.0 or higher with Bluetooth LE support; the application is available via GitHub releases or direct compilation from source code.

Notably, the WPair implementation deliberately excludes FMDN provisioning functionality to prevent weaponization as stalkerware, demonstrating responsible disclosure principles.

Device manufacturers face urgent remediation requirements through firmware updates, implementing cryptographic signature verification and explicit user confirmation mechanisms.

Users should monitor vendor security advisories and apply patches promptly, especially for frequently used audio devices.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post WPair Scanner Released to Detect WhisperPair Flaw in Google Fast Pair Protocol appeared first on Cyber Security News.