Bluetooth Security

Notable Vulnerabilities

Conference Talks

2003

• DEF CON 11 - Bruce Potter - Bluetooth - The Future of Wardriving Video

2004

• 21C3 - Marcel Holtmann, Martin Herfurt, Adam Laurie - Bluetooth Hacking Video

• Black Hat USA 2004 - Adam Laurie, Martin Herfurt - BlueSnarfing The Risk From Digital Pickpockets Video

2005

• 22C3 - Marcel Holtmann, Martin Herfurt, Adam Laurie - Bluetooth Hacking - The State of The Art Video

2006

• 23C3 - Thierry Zoller, Kevin Finistere - Bluetooth Hacking Revisited Video

• Black Hat USA 2006 - Bruce Potter - Bluetooth Defense Kit Black Hat Video

2007

• DeepSec 2007 - Marcel Holtmann - New Security Model of Bluetooth 2.1 Video

2009

• DEF CON 17 - Dominic Spill, Michael Ossmann, and Mark Steward - Bluetooth Smells like Chicken Video

• Shmoocon 2009 - Bluetooth-Ossman.m4v Video

2010

• Shmoocon 2010 - Michael Ossmann - Bluetooth Keyboards: Who Owns Your Keystrokes? Video

• DEF CON 18: Breaking Bluetooth by Being Bored 1/3 Video

2011

• ShmooCon 2011 - Project Ubertooth: Building a Better Bluetooth Adapter Video

• DeepSec 2011 - Tommi Makila & Jukka Taimisto: Intelligent Bluetooth Fuzzing - Why bother? Video

2012

• Ruxcon 2012 - Dominic Spill - Bluetooth Packet Sniffing Using Project Ubertooth Video

• Toorcon 2012 - Hacking Bluetooth Low Energy: I Am Jack's Heart Monitor Video

• DEF CON 20 - Passive Bluetooth Monitoring in Scapy Video

2013

• USENIX WOOT 2013 - Mike Ryan - Bluetooth: With Low Energy Comes Low Security Video

• ShmooCon 9 - How Smart Is Bluetooth Smart? Video

• Black Hat USA 2013 - Bluetooth Smart: The Good, the Bad, the Ugly, and the Fix! Video

• DeepSec 2013 - Veronica Valeros & Sebastian Garcia: Uncovering your Trails - Privacy Issues of Bluetooth Devices Video

2014

• CanSecWest 2014 - Outsmarting Bluetooth Smart Video

• DEF CON 22 - The NSA Playset Bluetooth Smart Attack Tools Video

• DEF CON 22 - Grant Bugher - Detecting Bluetooth Surveillance Systems Video

2015

• DEF CON 23 - Mike Ryan and Richo Healey - Hacking Electric Skateboards Video

2016

• DEF CON 24 - Anthony Rose, Ben Ramsey - Picking Bluetooth Low Energy Locks a Quarter Mile Away Video

• DEF CON 24 - Realtime Bluetooth Device Detection with Blue Hydra Video

• DEF CON 24 Internet of Things Village Damien Cauquil Btlejuice The Bluetooth Smart Mitm Framework Video

• Black Hat USA 2016 - Gattacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool Video

• Hack.lu 2016 - Damiel Cauquil - BtleJuice: the Bluetooth Smart Man In The Middle Framework Video

• EMF16 - Michael Ossmann - My Ubertooth Year Video

2017

• Black Hat Europe 2017 - Ben Seri, Gregory Vishnepolsky - BlueBorne - A New Class of Airborne Attacks Video

2018

• DEF CON 26 - Damien Cauquil - You had better secure your BLE devices Video

• 35C3 - Dennis Mantz and Jiska Classen - Dissecting Broadcom Bluetooth Video

• MRMCD2018 - Dennis Mantz and Jiska Classen - A Deep Dive into Bluetooth Controller Firmware Video

• Black Hat Europe 2018 - Ben Seri, Dor Zusman - BLEEDINGBIT Your APs Belong to Us Video

2019

• DEF CON 27 - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming Video

• USENIX Security '19 - Pallavi Sivakumaran - A Study of the Feasibility of Co-located App Attacks against BLE Video

• RSA 2019 - Mike Ryan - Bluetooth Reverse Engineering: Tools and Techniques Video

• Hardwear.io USA 2019 - Mike Ryan - Bluetooth Hacking: Tools And Techniques Video

• Hardwear.io Netherlands 2019 - Sultan Qasim Khan - Sniffle: A low-cost sniffer for Bluetooth 5 Video

• MRMCD2019 - Dennis Mantz and Jiska Classen - Playing with Bluetooth Video

• BruCON 0x0B - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG for fun and jamming Video

• Hack.LU 2019 - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG For Fun And Jamming Video

• CyberCamp19 - Pablo González - Audit and hacking to Bluetooth Low-Energy (BLE) devices Video

2020

• Hardwear.io Virtual Con 2020 - Daniele Antonioli - From Bluetooth Standard to Standard Compliant 0-days Video

• DEF CON 28 - Jiska Classen and Francesco Gringoli - Spectra — New Wireless Escalation Targets Video

• DEF CON 28 - Maxine Filcher - The Basics Of Breaking BLE v3 Video

• USENIX WOOT 2020 - Jianliang Wu - BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Video

• USENIX WOOT 2020 - Dennis Heinze, Jiska Classen, Matthias Hollick - ToothPicker: Apple Picking in the iOS Bluetooth Stack Video

• USENIX 2020 - Yue Zhang - Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Video

• Black Hat Europe 2020 - Wang Yu - Please Make a Dentist Appointment ASAP: Attacking IOBluetoothFamily HCI and Vendor-Specific Commands Video

• Ekoparty 2020 - Cecilia Pastorino and Dan Borgogno - Bluetooth Low Energy Hacking 101 Video

• rC3 2020 - Jiska Classen - Exposure Notification Security Video

2021

• CCC #DiVOC2020 - Jiska Classen - Finding Eastereggs in Broadcom's Bluetooth Random Number Generator Video

• CCC #DiVOC2020 - Jan Ruge - No PoC? No Fix! - A sad Story about Bluetooth Security Video

• WOOT2021 - Tristan Claverie, José Lopes Esteves - BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols Video

• Hardwear.io NL 2021 - Tristan Claverie, José Lopes Esteves - BlueMirror: Defeating Authentication In Bluetooth Protocols Video

Bluetooth Security Tools

Linux Utilities & Tools

• BlueZ (l2ping, gatttool, hciconfig, hcidump, hcitool, sdptool, bccmd, bluetoothctl, etc.) Link

Scanners & Sniffers

• BTLEmap Github

• Sniffle Github

• Bettercap Github

• sparrow-wifi Github

• bluelog Github

• btsniffer Github

• Blue Hydra Github

• btlesniffer Github

• btscanner Link

• BT Audit Link

• redfang Gitlab

• bleah (deprecated, replaced by Bettercap) Github

Exploit Tools

• Btlejack Github

• crackle Github

• btcrack Github

• BLE-Replay Github

• BLESuite-CLI Github

• BlueMaho Gitlab

• BlueDiving Sourceforge

• Blooover Link

• l2ping (BlueSmack DoS) Link

• hidattacl Link

OBEX Attack Tools

• obexstress Download

• bluesnarfer Gitlab

• nOBEX Github

Fuzzing

• Toothpicker Github

• bss (unsupported) Github

• Defensics (Commercial) Link

Firmware Analysis

• InternalBlue Github

• Frankenstein Github

• Nexmon Github

Man-in-the-middle & Packet Injection

• BtleJuice Github

• Gattacker Github

• BTLE (for SDRs) Github

• (Unsupported) Btproxy Github

Device Spoofing

• Spooftooph Gitlab

• Bluefog Github

Ping & Signal Strength Tools

• blue_sonar Github

• BlueRanger Gitlab

Denial of Service

• Blue Deauth Github

Honeypot

• bluepot Github

Android Apps

• nRF Connect for Mobile Google Play

Hardware

• Nordic Semiconductor nRF-51 Development Kit Link

• Sena UD-100 (~$39) Link

• Ubertooth One (~$120) Link

• Ellisys Bluetooth Tools Link

• Frontline Bluetooth Tools Link

Other

• Wireshark: Protocol analyzer and packet capture Link

• Frontline Wireless Protocol Suite (Windows only) Link

• Uberducky (BLE-triggered rubber ducky) Github

• CarWhisperer: Bluetooth sniffer for in-vehicle connections Link

• BLEBoy: BLE testing platform Github

Primary Reference Materials

Bluetooth Core Specifications Link

NIST Special Publication (SP) 800-121 revision 2 Link

Useful Sites

• List of Bluetooth bugs Link

• Bluetooth arsenal tool list Github

• trifinite Bluetooth info Link

• Mike Ryan's Bluetooth info Link

• Colin Mulliner's Bluetooth info Link

• BlackArch Linux tool list Link

• Bluetooth pen test framework Link