WPair Tool Detects WhisperPair Flaw Scanner Google’s

A new Android application, WPair, has emerged, designed to identify and demonstrate the CVE-2025-36911 vulnerability. This critical flaw affects millions of Bluetooth audio devices worldwide.

The tool addresses a critical authentication bypass flaw discovered by KU Leuven researchers in Google’s Fast Pair protocol, commonly referred to as WhisperPair.​

CVE-2025-36911 represents a systemic failure in Fast Pair implementations across multiple manufacturers and chipsets. The vulnerability stems from improper enforcement of pairing mode verification.

According to the WhisperPair research, many devices fail to disregard pairing requests from unauthorized sources when not explicitly in pairing mode.

Allowing attackers to forcibly establish connections within seconds at ranges up to 14 meters. The attack requires no user interaction or physical device access, making it particularly dangerous for consumer audio equipment.​

WPair Functionality

The application provides three core scanning and testing modes. The BLE Scanner discovers nearby Fast Pair devices by identifying devices that broadcast the 0xFE2C service UUID.

The Vulnerability Tester performs non-invasive checks to determine patch status without establishing connections.

For authorized security research, the Exploit feature demonstrates the complete attack chain, including key-based pairing bypass, BR/EDR address extraction, and Bluetooth Classic bonding.​

Post-exploitation capabilities include accessing the Hands-Free Profile for microphone functionality.

Users can enable live audio streaming directly to their phone speaker or save captured audio as M4A files for forensic analysis.​

The vulnerability allows attackers to hijack devices without authorization, enabling them to control audio playback, record conversations, and potentially establish persistent tracking through Google’s Find Hub Network.

If a device has never connected to an Android device, attackers can add it to their own account for location tracking, exploiting the mechanism that designates the first Account Key writer as the device owner.​

Affected manufacturers include JBL, Harman Kardon, Sony, Marshall, and numerous others, impacting an estimated hundreds of millions of users globally.

Technical Requirements and Installation Options

Google classified this issue as critical and awarded researchers the maximum $15,000 bounty. The 150-day disclosure window ended in January 2026, and manufacturers are now releasing patches.

WPair explicitly excludes Find Hub Network provisioning functionality to maintain ethical boundaries around stalkerware implementation.​

WPair requires Android 8.0 or higher with Bluetooth LE support and appropriate location permissions. The application is available both as a precompiled APK and as a compiled source via Gradle.

According to the advisory, security researchers should verify they possess explicit written authorization before testing devices they do not own.

The tool represents a significant advancement in vulnerability assessment for the IoT audio ecosystem, enabling manufacturers and security teams to identify affected devices requiring immediate firmware updates.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.