High | Public exploit

WhisperPair in Google Fast Pair Bluetooth audio accessories

Identifiers: CVE-2025-36911, CWE-306. Also known as: whisperpair

CVE-2025-36911, dubbed WhisperPair, is a critical vulnerability affecting many Bluetooth audio accessories that implement Google Fast Pair. The flaw is caused by improper implementation of Fast Pair key-based pairing logic: affected accessories fail to correctly enforce the requirement to ignore pairing initiation requests unless the accessory is in pairing mode. As a result, an attacker within Bluetooth proximity can send crafted Fast Pair pairing requests and cause the accessory to respond and complete pairing even when the user has not placed the device into pairing mode. Public reporting indicates exploitation can succeed in seconds at distances tested up to approximately 14 meters using commodity Bluetooth-capable hardware. Once unauthorized pairing is established, the attacker can interact with the accessory as a paired device. On accessories with microphones, this can expose nearby conversations or phone-call audio; on some Find Hub-capable devices, if the accessory has not previously been paired with an Android device, the attacker may also be able to register it to their own Google account and abuse Google Find Hub/Find My Device-style functionality for location tracking. The issue resides primarily in accessory firmware/implementation rather than the phone OS, making the risk cross-platform for users of vulnerable accessories.
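The missing accessory-side check described above, as an added illustration in C (not code from any vendor firmware, from the Fast Pair specification, or from the repositories listed on this page): a handler that answers pairing initiation requests in any state, next to one that drops them outside pairing mode. The struct, the function names, the tick values and the 30-tick pairing window are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical accessory-side model; all names and timings are assumptions. */
enum kbp_result { KBP_IGNORED, KBP_PROCESSED };

struct accessory {
    bool     pairing_armed;      /* set only by a physical user action */
    uint32_t pairing_deadline;   /* tick at which pairing mode lapses */
    unsigned responses_sent;     /* pairing responses sent to the requester */
    unsigned ignored_while_idle; /* dropped requests, usable as telemetry */
};

/* Called from the button/case handler, never from the radio path. */
void enter_pairing_mode(struct accessory *a, uint32_t now, uint32_t window)
{
    a->pairing_armed = true;
    a->pairing_deadline = now + window;
}

/* Wrap-safe check: pairing mode is active only inside the user-opened window. */
bool pairing_mode_active(const struct accessory *a, uint32_t now)
{
    return a->pairing_armed && (int32_t)(now - a->pairing_deadline) < 0;
}

/* Flawed behaviour: answers a pairing initiation request in any state. */
enum kbp_result handle_kbp_vulnerable(struct accessory *a, uint32_t now)
{
    (void)now;
    a->responses_sent++;
    return KBP_PROCESSED;
}

/* Corrected behaviour: outside pairing mode the request is dropped silently,
 * so the requester receives no response to continue with. */
enum kbp_result handle_kbp_hardened(struct accessory *a, uint32_t now)
{
    if (!pairing_mode_active(a, now)) {
        a->pairing_armed = false;   /* a lapsed window stays closed */
        a->ignored_while_idle++;
        return KBP_IGNORED;
    }
    a->responses_sent++;
    return KBP_PROCESSED;
}

typedef enum kbp_result (*kbp_handler)(struct accessory *, uint32_t);

/* Constructed timeline: request while idle (t=5), user opens a 30-tick window
 * at t=10, request inside it (t=20), request after it lapsed (t=50).
 * Returns a bitmask with bit i set if request i was processed. */
unsigned run_scenario(kbp_handler handle, struct accessory *a)
{
    unsigned mask = 0;
    *a = (struct accessory){0};
    if (handle(a, 5) == KBP_PROCESSED)  mask |= 1u << 0;
    enter_pairing_mode(a, 10, 30);
    if (handle(a, 20) == KBP_PROCESSED) mask |= 1u << 1;
    if (handle(a, 50) == KBP_PROCESSED) mask |= 1u << 2;
    return mask;
}

int main(void)
{
    struct accessory a;
    unsigned mask = run_scenario(handle_kbp_vulnerable, &a);
    printf("vulnerable: processed mask 0x%x\n", mask);
    mask = run_scenario(handle_kbp_hardened, &a);
    printf("hardened:   processed mask 0x%x, ignored %u\n",
           mask, a.ignored_while_idle);
    return 0;
}
```

The ignored-request counter is the kind of signal a vendor companion app could surface when users are asked to watch for anomalous accessory behavior.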

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables unauthorized proximal takeover of vulnerable Bluetooth audio accessories without user interaction. Reported impacts include information disclosure through microphone access or audio capture of conversations, unauthorized audio playback/control, and location/privacy compromise through fraudulent ownership registration and subsequent tracking via Google Find Hub on eligible devices. The vulnerability can therefore expose sensitive nearby speech, phone-call content, and victim movement/location data. Because the flaw is accessory-side, both Android and non-Android users of affected accessories may be impacted.

Mitigation

If you can’t patch tonight, do this now.

If no firmware fix is yet available, reduce exposure by avoiding use of vulnerable Fast Pair accessories in sensitive environments, monitoring for unexpected pairings or anomalous accessory behavior, and factory-resetting accessories suspected of compromise to clear existing pairings. For Find Hub-capable devices that have never been paired with Android, pairing them with a legitimate Android device may reduce the specific owner-registration/tracking abuse scenario described in public reporting. Disabling Fast Pair on the phone is not considered a reliable mitigation because the weakness is in accessory behavior and many accessories do not provide a way to disable Fast Pair themselves.

Remediation

Patch, then assume compromise.

Apply manufacturer-issued firmware or software updates for affected Bluetooth accessories. Public reporting consistently indicates that remediation must come from the accessory vendor, not solely from the phone platform. Organizations and users should identify affected headset/earbud/speaker models, check vendor companion apps or support channels for updated firmware, install available patches, and where appropriate perform a factory reset after updating to remove unauthorized pairings and re-establish trusted ownership. Patch availability varies by vendor and model, and some devices may remain unpatched.
PUBLIC EXPLOITS

Exploits

8 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).

Valid: 8 / 15 total

WhisperPair | Maturity: PoC | Verified exploit

WhisperPair is a real Bluetooth exploit/testing harness rather than a simple detector. The repository is split into two main components: a TypeScript/Node.js backend in toolkit-server and a Next.js frontend in toolkit-ui, with top-level shell scripts to build and launch both. The backend is the core offensive component: it discovers nearby BLE devices via BlueZ/D-Bus, identifies Fast Pair-capable targets from advertisements and GATT services, resolves model metadata from Google’s Nearby/Fast Pair backend, and executes attack workflows against vulnerable Google Fast Pair accessories.

The main exploit logic is concentrated in toolkit-server/src/fast-pair-service.ts and toolkit-server/src/protocol.ts. protocol.ts implements Fast Pair cryptographic message generation, including normal key-based pairing payloads, encrypted passkey messages, and crafted invalid-curve public keys for protocol abuse. fast-pair-service.ts orchestrates attacks against a selected device: it fetches the target’s anti-spoofing public key from Google, generates encrypted key-based pairing requests, listens for notifications on the Fast Pair GATT characteristics, initiates BR/EDR pairing through bluetoothctl, writes the encrypted passkey to the Fast Pair passkey characteristic, optionally writes a hardcoded account key, and can use the RFCOMM message stream for Audio Switch/switch-back behavior. The README and UI indicate three implemented attacks: pairing state predicate enforcement testing, nonce reuse testing, and invalid curve testing.

The backend server in toolkit-server/src/index.ts exposes a small control API over HTTP and Socket.IO. HTTP endpoints include /devices for enumerating discovered devices and /reset for resetting the Bluetooth adapter. Socket.IO events drive higher-risk actions such as connecting to devices, reading model IDs, saving model IDs, unpairing, and launching attacks while streaming progress logs back to the UI. The server also executes local system tools such as hcitool, l2ping, hciconfig, rfcomm, bluetoothctl, and systemctl, showing that it is intended for a Linux host with privileged Bluetooth access.

The model-id-resolver component uses gRPC to contact nearbydevices-pa.googleapis.com with Android-like metadata headers and an embedded Google API key to retrieve observed device metadata, including anti-spoofing public keys, names, images, and features. This metadata is cached locally in JSON files. The message-stream submodule handles RFCOMM discovery and communication, including SDP parsing to find the Fast Pair RFCOMM channel and sending authenticated Audio Switch messages.

The frontend is an operator UI, not the exploit itself. It proxies /devices, /reset, and /socket.io to the backend, displays discovered devices, allows reading or manually setting model IDs, and provides controls for launching attacks with options such as reconnect, bond, switch back, and write account key. The UI also exposes the exact adapter reset commands that will be run on the host.

Overall purpose: this repository is an operational research harness for reproducing and validating Google Fast Pair implementation weaknesses in nearby Bluetooth accessories. Its primary capability is unauthorized interaction with vulnerable Fast Pair devices, potentially leading to unauthorized pairing/bonding and persistent account-key registration on affected targets.

KULeuven-COSIC | Disclosed Mar 30, 2026 | typescript, tsx, bluetooth, network, web

BLUE-SPY | Maturity: PoC | Verified exploit

This repository is a small standalone Python Bluetooth exploitation toolkit centered on Google's Fast Pair protocol and explicitly claims to target CVE-2025-36911. It contains two code files: BLUE-SPY.py, which is an interactive terminal UI/wrapper, and fast_pair_exploit.py, which implements the core exploit engine. The remaining files are a README and MIT license.

Repository structure and purpose: BLUE-SPY.py provides the user-facing menu, warning banners, scan history handling, and orchestration of engine actions. It imports FastPairExploitEngine and FastPairDevice from fast_pair_exploit.py. The main exploit logic resides in fast_pair_exploit.py, which defines a FastPairDevice dataclass and a FastPairExploitEngine class. The engine initializes result directories, defines Fast Pair service/characteristic UUIDs, performs BLE operations through the bleak library, offers menu-driven scan/target/exploitation workflows, and saves JSON results under blue_spy_results.

Main exploit capabilities: The code is not a traditional RCE exploit and does not deliver a shell payload. Instead, it is an operational Bluetooth protocol attack tool. Its capabilities include scanning for nearby BLE/Fast Pair devices, identifying likely Fast Pair targets via the Fast Pair service UUID, connecting to specific device addresses with BleakClient, assessing vulnerability state, and running advanced exploitation/testing flows. The README and code comments indicate intended support for unauthorized pairing, HFP connection testing, and audio-related testing/capture workflows. The engine also persists scan and exploit results to disk, suggesting repeatable assessment rather than a one-off proof of concept.

Attack surface and endpoints: The primary attack vector is short-range wireless/BLE interaction with nearby devices implementing the Fast Pair service. The most fingerprintable protocol identifiers are the Fast Pair service UUID 0000fe2c-0000-1000-8000-00805f9b34fb and characteristic UUIDs 1236, 1237, and 1238, corresponding to key-based pairing, passkey, and account key operations. On the local system, the tool writes artifacts to blue_spy_results/scans, blue_spy_results/exploits, and blue_spy_results/audio. No hardcoded remote C2, IP addresses, or external callback infrastructure were found.

Assessment: Based on the available code, this is an exploit-oriented Bluetooth security testing tool rather than a mere detector. It contains real scanning/connection logic and structured exploitation workflows, but no customizable post-exploitation payload. That makes it best classified as OPERATIONAL rather than WEAPONIZED.

Athexblackhat | Disclosed Feb 19, 2026 | python, markdown, network, local

BLUE-SPY | Maturity: PoC | Verified exploit

Repository contains a Python-based Bluetooth proximity exploit/research tool branded “BLUE-SPY” targeting CVE-2025-36911 in Google Fast Pair.

Structure & roles:
- BLUE-SPY.py: Interactive terminal UI wrapper. Imports FastPairExploitEngine from fast_pair_exploit.py, provides menu-driven workflows (scan, target selection, history viewing) and enforces an “I ACCEPT RESPONSIBILITY” prompt.
- fast_pair_exploit.py: Core exploit engine. Uses Bleak (BleakScanner/BleakClient) to scan for BLE devices advertising/using the Fast Pair service (UUID FE2C), models devices as FastPairDevice objects, performs connection/service enumeration and Fast Pair characteristic interactions (key-based pairing/passkey/account key). It also creates a local results hierarchy (blue_spy_results/{scans,exploits,audio}) and saves JSON artifacts for scans/exploit attempts.
- README.md: Installation and operational guidance (Linux/BlueZ, root requirement, dependencies) and describes capabilities including Fast Pair detection, vulnerability assessment, HFP connection testing, and audio capture for authorized testing.
- LICENSE: MIT.

Exploit capabilities (as implemented/described):
- Proximity-based BLE scanning and identification of Fast Pair devices.
- GATT connection and service/characteristic discovery against the Fast Pair service UUID.
- Fast Pair protocol interaction paths referencing key-based pairing/passkey/account key characteristics (suggesting pairing-bypass/unauthorized pairing testing).
- Post-pairing/adjacent testing features described in UI/README, notably HFP connectivity checks and potential audio capture (artifacts stored under blue_spy_results/audio).

Fingerprintable targets/endpoints:
- No hardcoded Internet URLs/IP C2 endpoints in code; the primary “endpoints” are Bluetooth identifiers (Fast Pair service/characteristic UUIDs) and local filesystem output paths under blue_spy_results/.

Overall purpose:
- A local, menu-driven security assessment tool for researching/validating Fast Pair weaknesses (CVE-2025-36911) in nearby devices, producing logs/reports and enabling controlled exploitation demonstrations in authorized environments.

Athexhacker | Disclosed Feb 19, 2026 | python, network (Bluetooth Low Energy / proximity wireless)

wpair-app | Maturity: PoC | Verified exploit

Repository is an Android (Kotlin/Jetpack Compose) application named "WhisperPair" (namespace com.zalexdev.whisperpair) that demonstrates and exploits CVE-2025-36911 in Google Fast Pair implementations.

Core capabilities:
- BLE scanning for Fast Pair devices via service UUID 0000fe2c-0000-1000-8000-00805f9b34fb (Scanner.kt). It parses Fast Pair service data to infer pairing mode vs idle/account-key-filter state.
- Vulnerability testing without full exploitation (VulnerabilityTester.kt): connects over GATT to the Fast Pair service and writes a crafted Key-Based Pairing request to fe2c1234-8366-4814-8eb0-01de32100bea; interprets GATT write status to label device VULNERABLE vs PATCHED.
- Full exploit chain (FastPairExploit.kt): implements a multi-strategy Fast Pair Key-Based Pairing procedure intended to pair/bond with devices that incorrectly accept KBP while not in pairing mode. Includes reliability features (timeouts, retries, MTU negotiation), response parsing strategies, passkey handling, and optional account key write (fe2c1236-...).
- Post-exploitation audio chain (BluetoothAudioManager.kt + FastPairExploit.exploitWithAudio): after pairing, attempts to connect HFP/HSP (SCO) audio profile and provides microphone-related functionality (record/listen) using Android AudioRecord/AudioTrack, storing recordings to app storage and sharing via FileProvider.

Repository structure/purpose:
- app/src/main/java/... contains the main logic: MainActivity.kt (UI + orchestration), Scanner.kt (BLE discovery), VulnerabilityTester.kt (safe test), FastPairExploit.kt (exploit implementation), BluetoothAudioManager.kt (HFP audio + recording), FastPairDevice.kt (device model + known device DB).
- app/src/main/AndroidManifest.xml requests BLUETOOTH_SCAN/CONNECT, location, RECORD_AUDIO, and MODIFY_AUDIO_SETTINGS, consistent with scanning and audio capture.
- UI includes informational links (whisperpair.eu, YouTube, WIRED, 9to5Google) but no C2 or exfiltration endpoints were observed; network usage appears limited to opening links in the user’s browser.

Overall, this is an operational Bluetooth-proximity exploit app: it targets nearby Fast Pair-capable audio accessories and can progress from unauthorized pairing to establishing an HFP audio path that could enable microphone access, contingent on device/OS behavior and user-granted permissions.

fa1sa1142 | Disclosed Jan 29, 2026 | kotlin, gradle(kotlin), network (Bluetooth LE GATT + Bluetooth Classic/HFP)

CVE-2025-36911-exploit | Maturity: PoC | Verified exploit

Repository purpose: a Python 3.8+ CLI tool (“WhisperPair”) to scan, test, and exploit Google Fast Pair devices vulnerable to CVE-2025-36911 (accepting Key-Based Pairing requests outside pairing mode). It uses the `bleak` library for Bluetooth LE scanning/GATT operations and optionally `cryptography` for ECDH (P-256) and AES-128-ECB used in spec-compliant/encrypted KBP requests.

Key exploit capabilities (utils/exploit.py):
- Connects to a target BLE device and locates the Fast Pair service (UUID 0000fe2c-0000-1000-8000-00805f9b34fb).
- Enables notifications on the Key-Based Pairing characteristic (fe2c1234-8366-4814-8eb0-01de32100bea) and optionally the Passkey characteristic (fe2c1235-8366-4814-8eb0-01de32100bea).
- Sends KBP requests using multiple strategies (core/exploit.py): ENCRYPTED_ECDH, ENCRYPTED_RETROACTIVE, RAW_WITH_PUBKEY, RAW_KBP, RAW_WITH_SEEKER, RETROACTIVE, EXTENDED_RESPONSE. This increases compatibility across broken/variant implementations.
- Parses KBP responses to recover the provider’s BR/EDR (classic Bluetooth) address, then performs passkey confirmation if required.
- Writes a randomly generated 16-byte Account Key to the Account Key characteristic (fe2c1236-8366-4814-8eb0-01de32100bea), providing persistent future pairing capability.

Defensive testing (utils/tester.py):
- Implements a non-invasive check by attempting a KBP write (16-byte request) and classifying the device as VULNERABLE if the write succeeds, PATCHED if it is rejected with common GATT/security errors.

Scanning/fingerprinting (utils/scanner.py + core/constants.py):
- BLE scans for Fast Pair service data and parses advertisements to determine pairing mode (3-byte Model ID) vs idle/paired mode (account key filter bits).
- Includes a database of known Model IDs and whether they are known vulnerable/patched (core/constants.py: KNOWN_DEVICES), used for prioritization in UI.

Repository structure:
- whisperpair-cli.py: main entry point; provides commands: scan, info, test, exploit (including quick auto-scan+exploit).
- core/: protocol constants (UUIDs, message types, timeouts), device model (FastPairDevice), exploit strategy/result models.
- utils/: operational logic for scanning (FastPairScanner), testing (VulnerabilityTester), exploitation (FastPairExploit).
- ui/: ANSI color utilities, banner, and a live-updating terminal display for scan results.

No hardcoded C2 infrastructure is present; the only network-like endpoints are Bluetooth GATT UUIDs and user-supplied BLE MAC addresses. External URLs appear only in documentation/credits.

PentHertz | Disclosed Jan 27, 2026 | python, markdown, network (Bluetooth LE / proximity)

wpair-app | Maturity: PoC | Verified exploit

Repository is an Android (Kotlin/Jetpack Compose) application named “WhisperPair / WPair” implementing a scanner, vulnerability tester, and proof-of-concept exploit for CVE-2025-36911 ("WhisperPair") in Google Fast Pair.

Core capabilities:
- BLE scanning for Fast Pair advertisements using service UUID 0xFE2C (Scanner.kt). It parses service data to infer pairing mode (3-byte Model ID) vs idle mode (Account Key Filter present) and tracks RSSI/last-seen.
- Defensive vulnerability test (VulnerabilityTester.kt): connects over BLE GATT to the Fast Pair service and attempts a Key-Based Pairing characteristic write. If the write succeeds (GATT_SUCCESS), it flags the device as VULNERABLE; if rejected with common auth/encryption/write-permission errors, it flags PATCHED.
- Exploit implementation (FastPairExploit.kt): performs a multi-strategy Key-Based Pairing bypass against devices that do not verify signatures, negotiates MTU, parses KBP responses to extract the provider’s BR/EDR address, triggers Bluetooth Classic bonding (including passkey handling/confirmation), and writes an Account Key for persistence. It also offers an “exploitWithAudio” chain that, after pairing, connects the HFP profile.
- Post-exploitation audio access (BluetoothAudioManager.kt): manages Bluetooth Headset (HFP/HSP) and A2DP profile proxies, starts SCO audio, and supports live listening (AudioTrack playback) and recording to local files (with FileProvider support for sharing).

Repository structure/purpose:
- app/src/main/java/com/zalexdev/whisperpair/
  - MainActivity.kt: Compose UI, permission handling, device list, actions (Scan/Test/Magic), and links/resources.
  - Scanner.kt: BLE scan logic and Fast Pair advertisement parsing.
  - VulnerabilityTester.kt: non-invasive KBP acceptance test.
  - FastPairExploit.kt: PoC exploit chain with retries/fallback strategies and optional audio chaining.
  - BluetoothAudioManager.kt: HFP connection + SCO audio capture/playback + recording management.
  - FastPairDevice.kt: device model + a small known-device/model-ID database for identification.
- app/src/main/res/: UI resources, themes, and FileProvider paths.

Notable endpoints/targets are primarily Bluetooth protocol identifiers (Fast Pair service/characteristics UUIDs) rather than internet C2. The only network URLs present are informational links in README/UI.

Overall, this is an operational proximity-wireless exploit tool (with a built-in scanner and tester) intended for authorized security research on vulnerable Fast Pair-enabled Bluetooth audio devices.

zalexdev | Disclosed Jan 17, 2026 | kotlin, gradle(kotlin), network (proximity wireless): Bluetooth LE GATT + Bluetooth Classic (BR/EDR) + HFP/SCO audio

DIY_WhisperPair | Maturity: PoC | Verified exploit

Repository purpose: a Python-based security research toolkit and reference implementation for WhisperPair (CVE-2025-36911), a Google Fast Pair vulnerability where some Bluetooth accessories accept Key-Based Pairing requests even when not in pairing mode. The code focuses on discovery and verification (PoC), not post-exploitation.

Core capabilities:
- BLE scanning for devices advertising Google Fast Pair (service UUID 0xFE2C), parsing Fast Pair service data to infer whether a device is in pairing mode.
- Active verification by connecting to a target over BLE GATT and writing a 16-byte Key-Based Pairing request to the Key-Based Pairing characteristic (fe2c1234-...); any notification/response is treated as a vulnerability indicator.
- Optional cryptographic helpers (AES-128 ECB single-block, ECDH P-256 keypair generation, account key generation/encryption) and protocol builders/parsers for Fast Pair messages.
- CLI and TUI interfaces with explicit authorization gating (e.g., --authorized and typed confirmation) to reduce accidental misuse.

Repository structure (notable files):
- src/whisperpair/scanner.py: Uses BleakScanner to discover BLE devices and filters for Fast Pair UUID/service_data; parses service data to create FastPairDevice objects and flags devices not in pairing mode as potential candidates.
- src/whisperpair/client.py: Implements FastPairClient using BleakClient; sends encrypted Key-Based Pairing requests, subscribes to notifications, and returns VerificationResult. Includes send_raw_pairing_probe() and verify_pairing_behavior() where response presence is the primary signal.
- src/whisperpair/protocol.py: Builds 16-byte KeyBasedPairingRequest packets with multiple strategies/flags (e.g., 0x11 initiate bonding + extended response) and parses responses; includes multi-strategy MAC extraction (including brute scanning for MAC-like patterns).
- src/whisperpair/crypto.py: AES-128 ECB encrypt/decrypt for single 16-byte blocks; ECDH P-256 key generation and shared-secret derivation; account key generation and encryption for writing.
- src/whisperpair/constants.py: Fast Pair service/characteristic UUIDs and known model IDs.
- src/whisperpair/cli.py and src/whisperpair/tui.py (+ tui.tcss): Interactive CLI/TUI wrappers around scanning/info/verification.
- security_demo.py and examples/*: Standalone/demo scripts showing scanning and verification flows.

Fingerprintable targets/endpoints:
- BLE/GATT UUIDs: Fast Pair service 0000fe2c-0000-1000-8000-00805f9b34fb and characteristics fe2c1233-... through fe2c1238-..., especially Key-Based Pairing fe2c1234-... (primary verification target).
- External references (docs only): whisperpair.eu, cve.mitre.org CVE page, developers.google.com Fast Pair specs, YouTube links.

Assessment:
- This is an operational PoC/verification toolkit for a Bluetooth proximity attack surface. It performs active Bluetooth operations (connect + GATT write/notify) and can confirm vulnerable behavior, but it does not implement full hijack/eavesdropping workflows in the provided codebase.

SpectrixDev | Disclosed Jan 17, 2026 | python, bash, network, local

whisper-pair-app | Maturity: PoC | Verified exploit

Repository purpose: An Android (Kotlin/Jetpack Compose) security research app named "WhisperPair" that scans for Google Fast Pair BLE advertisements (service 0xFE2C), tests for CVE-2025-36911, and includes a full proof-of-concept exploit chain that can pair with vulnerable Bluetooth audio devices and demonstrate post-pairing microphone access via HFP/SCO.

Key exploit capabilities (core logic in app/src/main/java/com/zalexdev/whisperpair/FastPairExploit.kt):
- Performs Fast Pair Key-Based Pairing interactions over BLE GATT using the Fast Pair service UUID 0000fe2c-0000-1000-8000-00805f9b34fb.
- Targets the Key-Based Pairing characteristic (fe2c1234-8366-4814-8eb0-01de32100bea) and related Passkey/Account Key characteristics.
- Implements the exploit flow described in the README: send Key-Based Pairing request(s) that vulnerable devices accept without proper signature verification, parse the response to obtain the device’s BR/EDR address, then initiate Bluetooth Classic bonding (createBond) and optionally write an Account Key for persistence.
- Chains exploitation into audio access: after pairing, connects the Bluetooth HEADSET profile and starts SCO audio to access the microphone stream.

Defensive testing component (app/src/main/java/com/zalexdev/whisperpair/VulnerabilityTester.kt):
- Non-invasive check that connects via GATT and attempts a Key-Based Pairing write; if the write succeeds (GATT_SUCCESS) it marks the device VULNERABLE; if rejected with common auth/encryption/write errors it marks PATCHED.

Discovery/fingerprinting (app/src/main/java/com/zalexdev/whisperpair/Scanner.kt and FastPairDevice.kt):
- BLE scanning filters on the Fast Pair service UUID and parses service data to infer pairing mode (3-byte Model ID) vs idle mode (Account Key Filter flags).
- Includes a small built-in model ID database (KnownDevices) to label devices/manufacturers and indicate known vulnerable models.

Post-exploitation audio handling (app/src/main/java/com/zalexdev/whisperpair/BluetoothAudioManager.kt):
- Manages Bluetooth HEADSET/A2DP profile proxies, registers receivers for SCO/headset state changes, and supports live listening and recording (stored locally and shared via FileProvider).

UI/entry point (app/src/main/java/com/zalexdev/whisperpair/MainActivity.kt):
- Compose UI to scan, test, run the "Magic" exploit, connect HFP, and manage recordings; also contains outbound informational links (website, vulnerable device list, media).

Overall structure:
- app/src/main/java/com/zalexdev/whisperpair/: core modules (Scanner, VulnerabilityTester, FastPairExploit, BluetoothAudioManager, UI).
- app/src/main/res/: Compose theme resources, FileProvider paths, and app manifest permissions (Bluetooth scan/connect, location, record audio).

Notable endpoints/targets:
- Bluetooth endpoints are primarily UUIDs for Fast Pair service/characteristics and the Bluetooth Classic bonding + HFP/SCO audio stack.
- Network/web URLs present are informational links opened in the UI/README (whisperpair.eu, YouTube, WIRED, 9to5Google, etc.), not C2 infrastructure.

Assessment:
- This is a real exploit PoC packaged as an Android app (not a framework module). It includes an operational payload (pairing + audio access) rather than only detection, so maturity is best characterized as OPERATIONAL.

zalexdev | Disclosed Jan 17, 2026 | kotlin, gradle(kts), network (Bluetooth LE GATT + Bluetooth Classic BR/EDR; proximity-based)

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Google | Android | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

hackers arise | News
Mar 30, 2026
Bluetooth Hacking and Security: The WhisperPair Exploit and Bluehood Surveillance - Hackers Arise

A critical Bluetooth vulnerability affecting Bluetooth audio devices that use Fast Pair, caused by improper validation of pairing requests when devices are not in pairing mode, allowing unauthorized pairing, device control, microphone activation, and tracking abuse.

help net security | News
Mar 12, 2026
Wireless vulnerabilities are doubling every few years - Help Net Security

A Bluetooth forced-pairing vulnerability enabling unauthorized pairing to nearby wireless audio accessories without user interaction, potentially allowing control of the accessory and microphone access.

the hacker news | News
Feb 2, 2026
⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats

A Google Fast Pair protocol vulnerability (WhisperPair) enabling unauthorized forced pairing/hijacking of Bluetooth accessories without user interaction, with potential tracking/abuse implications.

kaspersky blog | News
Jan 21, 2026
How to protect yourself from Bluetooth-headset tracking and the WhisperPair attack | Kaspersky official blog

A vulnerability in the implementation/handling of Google Fast Pair by various Bluetooth headsets that allows an attacker in proximity to force pairing even when the device is not in pairing mode, enabling unauthorized access (e.g., microphone/audio control) and, in some cases, persistent remote tracking via Google Find Hub if the attacker’s owner key is stored.

Social activity: 29

Community discussion across Reddit, Mastodon, and other social sources.