11 changes: 11 additions & 0 deletions src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
Expand Up @@ -262,13 +262,24 @@ for off in range(0, len(img_bytes), CHUNK):

</details>

### Fast Pair (0xFE2C) Key-Based Pairing signature bypass (WhisperPair/CVE-2025-36911)

- **Discovery:** Scan BLE advertisements for **service UUID 0xFE2C** (Google Fast Pair). Devices in pairing mode typically expose a pairing badge; even out of pairing mode the Fast Pair service can respond to GATT.
- **Non-invasive probe (signature enforcement check):**
1. GATT **connect** to the Fast Pair service and **read the Model ID**.
2. **Write a Key-Based Pairing (KBP) value without a signature**. If the peripheral accepts the unsigned KBP write, it is susceptible to the signature-bypass (WhisperPair/CVE-2025-36911). Rejection indicates patching; failures may be inconclusive if already paired.
- **BLE → BR/EDR pivot:** Send a **KBP Request** and parse the **encrypted response** to recover the target’s **BR/EDR address**. Use a classic bonding call (e.g., Android **`createBond(<BR/EDR address>)`**) to complete unauthorized pairing. Where supported, writing an **Account Key** persists the association.
- **Post-bond microphone abuse:** After bonding, open **HFP** and start **SCO audio** to obtain a live microphone stream for listening/recording (e.g., saving M4A). This chain turns an unsigned KBP acceptance into remote audio capture without user consent.
- **Hunt/detect:** Look for Fast Pair GATT traffic followed immediately by classic **bonding attempts to the BR/EDR address returned in KBP**, and for KBP writes lacking a signature. Enforcing signature validation on KBP and prompting for user-confirmed pairing breaks the chain.

## Operational notes

- Prefer Sonoff+Sniffle on Linux for robust channel hopping and connection following. Keep a spare Nordic sniffer as a backup.
- Without pairing/bonding, any nearby attacker can observe writes and replay/craft their own to unauthenticated writable characteristics.

## References

- [WPair — CVE-2025-36911 (WhisperPair) vulnerability scanner & research tool](https://github.com/zalexdev/wpair-app)
- [Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/)
- [Sniffle – A sniffer for Bluetooth 5 and 4.x LE](https://github.com/nccgroup/Sniffle)
- [Firmware installation for Sonoff USB Dongle (Sniffle README)](https://github.com/nccgroup/Sniffle?tab=readme-ov-file#firmware-installation-sonoff-usb-dongle)
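Review bot: the "Non-invasive probe" step 2 treats acceptance of an unsigned KBP write as confirmation of CVE-2025-36911 but in the same sentence admits the check "may be inconclusive if already paired"; the step should say how the reader tells a patched rejection apart from an already-paired rejection (or at least which state the device must be in) before labelling a result, otherwise the probe yields false negatives. The "Hunt/detect" bullet is the only defensive guidance in the section and is thin for what it asks: correlating "Fast Pair GATT traffic followed immediately by classic bonding attempts" requires visibility into both BLE and BR/EDR, so state that a BLE-only sniffer such as the Sniffle setup described under "Operational notes" will not see the bonding half of the chain, and name the two concrete mitigations already in the text (signature validation on KBP, user-confirmed pairing) as the remediation check rather than burying them at the end of the sentence. Minor: the WPair reference at the bottom is the scanner the probe step describes, so link it inline from that step; and "WhisperPair/CVE-2025-36911" appears three times in six lines, the heading alone is enough.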