THIS SOFTWARE IS FOR AUTHORIZED SECURITY RESEARCH AND ETHICAL TESTING ONLY
WHISPER (Wireless Hardware Inspection & Security Protocol Exploitation Research) is a security assessment tool for analyzing CVE-2025-36911 vulnerabilities in Google's Fast Pair protocol implementation. The tool provides:
- Real-time Bluetooth device scanning and enumeration
- Fast Pair device detection and vulnerability assessment
- Hands-Free Profile (HFP) connection testing
- Audio capture capabilities for authorized testing
- Professional reporting and logging
git clone https://github.com/ekomsSavior/whisper.git
cd whisper
sudo apt-get update
sudo apt-get install python3-pip bluetooth bluez libbluetooth-dev
pip3 install bleak dbus-python --break-system-packages
# If you don't want to use --break-system-packages, use a venv instead

# Stop existing Bluetooth service
sudo systemctl stop bluetooth
# Enable and restart Bluetooth service
sudo systemctl enable bluetooth
sudo systemctl start bluetooth
# Check Bluetooth status
sudo systemctl status bluetooth
hciconfig -a
# Ensure Bluetooth is discoverable
sudo hciconfig hci0 piscan

# Always run with root privileges (required for Bluetooth)
sudo python3 whisper.py
Scans for devices using Google's Fast Pair protocol. Duration options:
- Quick scan (10 seconds)
- Standard scan (30 seconds)
- Deep scan (60 seconds)
- Custom duration
Displays all Bluetooth devices in real-time, highlighting Fast Pair devices with vulnerability ratings.
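For an asset inventory of your own equipment, the Fast Pair detection described above comes down to finding service data for Google's 16-bit Fast Pair UUID (0xFE2C) in a BLE advertising payload. The following is an added example, not WHISPER's own code; the function names and sample payloads are constructed for illustration.

```python
import struct

FAST_PAIR_UUID = 0xFE2C     # 16-bit service UUID assigned to Google Fast Pair
AD_SERVICE_DATA_16 = 0x16   # AD type: Service Data, 16-bit UUID


def parse_ad_structures(payload: bytes):
    """Yield (ad_type, data) pairs from a raw BLE advertising payload.

    Stops at a zero length byte (padding) or at a truncated structure.
    """
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length


def fast_pair_info(payload: bytes):
    """Return a dict describing Fast Pair service data, or None if absent."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_SERVICE_DATA_16 or len(data) < 2:
            continue
        (uuid,) = struct.unpack_from("<H", data)  # UUID is little-endian
        if uuid != FAST_PAIR_UUID:
            continue
        body = data[2:]
        if len(body) == 3:
            # Discoverable (pairing) mode: the body is the 24-bit model ID.
            return {"mode": "discoverable", "model_id": body.hex().upper()}
        # Simplification: any other length is treated as account data
        # advertised outside pairing mode.
        return {"mode": "not-discoverable", "model_id": None}
    return None


# Constructed sample payloads (not captured from real devices).
SAMPLES = {
    "AA:BB:CC:00:00:01": bytes.fromhex("020106" "0616" "2cfe" "a1b2c3"),
    "AA:BB:CC:00:00:02": bytes.fromhex("020106" "0416" "2cfe" "00"),
    "AA:BB:CC:00:00:03": bytes.fromhex("020106" "0303" "0f18"),  # no Fast Pair
    "AA:BB:CC:00:00:04": bytes.fromhex("020106" "0916" "2cfe"),  # truncated
}


def inventory(samples=SAMPLES):
    """Map each address to its Fast Pair info (None if not a Fast Pair device)."""
    return {addr: fast_pair_info(p) for addr, p in samples.items()}
```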
Allows targeting a specific device by MAC address for detailed analysis.
Shows detailed information about previously discovered devices.
Attempts exploitation of CVE-2025-36911 on a selected device (requires confirmation).
Attempts exploitation on all discovered devices (requires explicit confirmation).
Tests Hands-Free Profile connectivity for audio access capabilities.
Attempts audio capture from HFP-connected devices (requires established connection).
Displays previously saved scan results from the results directory.
Clears the current device list from memory.
# 1. Start the tool
sudo python3 whisper.py
# 2. Accept responsibility
Type: I ACCEPT RESPONSIBILITY
# 3. Start with a quick scan
Select option: 1
Select scan type: 1 (10-second scan)
# 4. Review discovered devices
Found X Fast Pair device(s)
View device details and vulnerability ratings
# 5. Target specific device for testing
Select option: 5
Choose device number
Confirm with: EXPLOIT
# 6. Review results and save reports

WHISPER automatically saves all results to organized directories:
- whisper_results/scans/ - Device scan results in JSON format
- whisper_results/exploits/ - Exploitation attempt results
- whisper_results/audio/ - Captured audio files (if applicable)
Each file is timestamped for easy tracking and includes detailed information about the operation performed.
# Check if Bluetooth is working
bluetoothctl
# In bluetoothctl:
list
scan on
# Wait for devices to appear, then:
scan off
exit

- Only test devices you own - Never test devices without explicit permission
- Stay within legal boundaries - Understand and comply with local laws
- Use in controlled environments - Avoid testing in public spaces
- Document your work - Keep detailed records of all testing activities
- Report vulnerabilities responsibly - Follow responsible disclosure practices
- Respect privacy - Do not capture or store personal audio without consent
