BIPI

Bluetooth and BLE Pentesting: GATT Enumeration, Sniffing, and Replay

Cybersecurity

BLE devices have invaded the corporate perimeter through badges, locks, sensors, and meeting room peripherals. This guide covers GATT enumeration with gatttool and bleak, passive sniffing with Sniffle and btlejack, and how to spot pairing flaws that turn a smart lock into a replay-friendly toy.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 8, 2023 · 10 min read

#bluetooth #ble #gatt #iot #wireless

BLE attack surface is wider than people think

Every meeting room display, badge reader, and ergonomic mouse with a Bluetooth radio is a foothold candidate. BLE devices often ship with no pairing, weak pairing, or hard-coded keys, and the protocol assumes the link layer is trusted.

Recon: who is advertising what

  • hcitool lescan or bluetoothctl scan le for basic discovery.
  • btmon for raw HCI traces while you scan.
  • bettercap with the ble.recon module for richer device fingerprints.

GATT enumeration

Services and characteristics often disclose the device's purpose and firmware version. Look for vendor-specific UUIDs that sit outside the standard profiles; those are usually where the logic flaws live.
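As an added example (not code from the original post), the triage below walks a GATT table shaped like the one bleak hands back, picks out the readable device-information characteristics that disclose model and firmware, and flags every vendor-defined characteristic a central can write to or subscribe to. The sample table is constructed; enumerate_with_bleak() shows how the same table is collected from a live device and assumes the bleak package and a working adapter.

```python
"""Triage a GATT table for the characteristics worth a closer look.

Added example, not code from the original post. triage() runs on a constructed
table shaped like what bleak returns (service UUID -> list of
(characteristic UUID, property names)); enumerate_with_bleak() collects that
table from a live device and assumes bleak plus a BLE adapter.
"""
import asyncio

# SIG assigned numbers are 16-bit values embedded in the Bluetooth base UUID
# 0000XXXX-0000-1000-8000-00805f9b34fb; anything else is vendor-defined.
SIG_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# SIG characteristics that disclose what the device is and what it runs.
DISCLOSING = {
    0x2A24: "Model Number String",
    0x2A26: "Firmware Revision String",
    0x2A27: "Hardware Revision String",
    0x2A28: "Software Revision String",
    0x2A29: "Manufacturer Name String",
}


def is_sig_assigned(uuid: str) -> bool:
    """True when the UUID is a SIG-assigned number on the Bluetooth base UUID."""
    u = uuid.lower()
    return len(u) == 36 and u.startswith("0000") and u.endswith(SIG_BASE_SUFFIX)


def assigned_number(uuid: str) -> int:
    """Extract the 16-bit assigned number from a SIG-based UUID."""
    return int(uuid[4:8], 16)


def triage(table: dict) -> list:
    """Return findings: readable device-info characteristics, and vendor-defined
    characteristics that accept writes or push notifications/indications."""
    findings = []
    for service, chars in table.items():
        for uuid, props in chars:
            props = {p.lower() for p in props}
            writable = bool(props & {"write", "write-without-response"})
            if is_sig_assigned(uuid):
                num = assigned_number(uuid)
                if num in DISCLOSING and "read" in props:
                    findings.append({"kind": "disclosure", "service": service,
                                     "characteristic": uuid, "note": DISCLOSING[num]})
                continue
            if writable:
                findings.append({"kind": "vendor-writable", "service": service,
                                 "characteristic": uuid,
                                 "note": "vendor characteristic accepts writes; check what authenticates the caller"})
            if props & {"notify", "indicate"}:
                findings.append({"kind": "vendor-notify", "service": service,
                                 "characteristic": uuid,
                                 "note": "vendor characteristic streams data; check what it leaks"})
    return findings


async def enumerate_with_bleak(address: str) -> dict:
    """Collect the same table from a live device (assumes bleak and a BLE adapter)."""
    from bleak import BleakClient  # imported lazily so triage() runs without bleak installed
    table = {}
    async with BleakClient(address) as client:
        for service in client.services:
            table[service.uuid] = [(c.uuid, list(c.properties)) for c in service.characteristics]
    return table


# Constructed sample: a Device Information service plus one made-up vendor service.
SAMPLE_TABLE = {
    "0000180a-0000-1000-8000-00805f9b34fb": [
        ("00002a24-0000-1000-8000-00805f9b34fb", ["read"]),
        ("00002a26-0000-1000-8000-00805f9b34fb", ["read"]),
    ],
    "9f1c0001-1111-2222-3333-444455556666": [
        ("9f1c0002-1111-2222-3333-444455556666", ["write", "write-without-response"]),
        ("9f1c0003-1111-2222-3333-444455556666", ["notify"]),
    ],
}

if __name__ == "__main__":
    import sys
    table = asyncio.run(enumerate_with_bleak(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TABLE
    for f in triage(table):
        print(f"[{f['kind']}] {f['characteristic']}  {f['note']}")
```

Run it with no arguments to triage the constructed table, or pass a device address to pull a live table through bleak first. The property strings ("write", "write-without-response", "notify", "indicate") are the names bleak reports, so a live table drops straight into triage().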

Sniffing the air

  • Nordic nRF52840 dongle with Sniffle for clean BLE 5 capture.
  • Ubertooth One for legacy Bluetooth Classic.
  • btlejack to follow connections and inject packets where supported.

Pairing flaws to watch for

  • Just Works pairing on sensitive devices, no MITM protection.
  • Static passkeys printed in the manual, brute-force friendly.
  • Legacy pairing fallback when LE Secure Connections is advertised but not enforced.
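The three pairing flaws above are all visible in the SMP Pairing Request and Pairing Response that btmon or Wireshark shows at the start of a pairing. As an added example (not code from the original post), the decoder below parses those two 7-byte PDUs and predicts the pairing method from both sides' IO capability and AuthReq flags, following the IO-capability tables in the Bluetooth Core Specification: it reports Just Works, and it reports a legacy-pairing fallback whenever only one side set the Secure Connections bit. The two PDUs are constructed to look like a phone pairing with a lock.

```python
"""Decode SMP Pairing Request/Response PDUs and predict the pairing method.

Added example, not code from the original post. The 7-byte SMP payloads below
are constructed; the lookup follows the IO-capability tables in the Bluetooth
Core Specification.
"""
import struct

IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly",
           3: "NoInputNoOutput", 4: "KeyboardDisplay"}
AUTHREQ_MITM = 0x04  # AuthReq bit 2: MITM protection requested
AUTHREQ_SC = 0x08    # AuthReq bit 3: LE Secure Connections supported


def decode_smp(pdu: bytes) -> dict:
    """Parse a Pairing Request (code 0x01) or Pairing Response (code 0x02)."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not a 7-byte SMP pairing request/response")
    code, io_cap, oob, authreq, max_key, _ikd, _rkd = struct.unpack("<7B", pdu)
    return {
        "role": "initiator" if code == 0x01 else "responder",
        "io": IO_CAPS.get(io_cap, f"reserved({io_cap})"),
        "oob": oob == 1,
        "mitm": bool(authreq & AUTHREQ_MITM),
        "sc": bool(authreq & AUTHREQ_SC),
        "max_key_size": max_key,
    }


def association_model(init: dict, resp: dict) -> str:
    """Pairing method chosen from both sides' IO capability and AuthReq flags."""
    sc = init["sc"] and resp["sc"]  # LE SC is used only when both sides set the bit
    # Legacy pairing needs OOB data on both sides; LE SC needs it on one.
    oob = (init["oob"] or resp["oob"]) if sc else (init["oob"] and resp["oob"])
    if oob:
        return "OOB"
    if not (init["mitm"] or resp["mitm"]):
        return "Just Works"  # neither side asked for MITM protection
    i, r = init["io"], resp["io"]
    if "NoInputNoOutput" in (i, r):
        return "Just Works"
    if "DisplayOnly" in (i, r):
        other = r if i == "DisplayOnly" else i
        return "Passkey Entry" if other in ("KeyboardOnly", "KeyboardDisplay") else "Just Works"
    if "KeyboardOnly" in (i, r):
        return "Passkey Entry"
    # Both sides are DisplayYesNo or KeyboardDisplay.
    if sc:
        return "Numeric Comparison"
    return "Just Works" if i == r == "DisplayYesNo" else "Passkey Entry"


def assess(request: bytes, response: bytes) -> dict:
    """Decode both PDUs and list the weaknesses a reviewer would note."""
    init, resp = decode_smp(request), decode_smp(response)
    model = association_model(init, resp)
    findings = []
    if model == "Just Works":
        findings.append("Just Works: no MITM protection on this pairing")
    lacking = [s["role"] for s in (init, resp) if not s["sc"]]
    if lacking:
        findings.append("legacy pairing: Secure Connections bit not set by " + ", ".join(lacking))
    key_size = min(init["max_key_size"], resp["max_key_size"])
    if key_size < 16:
        findings.append(f"negotiated encryption key size is {key_size} bytes, below the 16-byte maximum")
    return {"model": model, "secure_connections": not lacking, "findings": findings}


# Constructed capture: phone (KeyboardDisplay, bonding+MITM+SC) pairing with a
# lock that answers NoInputNoOutput and bonding only.
PHONE_REQUEST = bytes.fromhex("01 04 00 0d 10 0f 0f")
LOCK_RESPONSE = bytes.fromhex("02 03 00 01 10 01 01")

if __name__ == "__main__":
    result = assess(PHONE_REQUEST, LOCK_RESPONSE)
    print("pairing method:", result["model"])
    for line in result["findings"]:
        print(" -", line)
```

The constructed exchange decodes to Just Works with a legacy fallback: the phone offered Secure Connections and MITM, but the lock answered with neither, which is exactly the "advertised but not enforced" case.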

Replay tests on smart locks and badges

Many smart locks transmit an unlock command with no challenge-response. Capture the GATT write, replay it with bleak or a custom Python script, and the lock opens. The remediation is rolling tokens, but adoption is uneven.
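To make the property concrete, here is an added example (not code from the original post) that models two lock firmwares side by side: one whose unlock characteristic accepts a fixed value, and one that issues a fresh nonce on every connection and only accepts an HMAC over that nonce. The same check is run against both: a write observed during a legitimate session is re-sent on a new connection. Both lock models, the shared key and the framing are constructed.

```python
"""Model why a static unlock write replays and why a per-connection challenge does not.

Added example, not code from the original post. Both lock models, the shared
key and the observed write are constructed; real products use their own
framing, but the property being tested is the same.
"""
import hashlib
import hmac
import os

UNLOCK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, shared with the app
STATIC_UNLOCK_CMD = b"\x01"  # constructed: the single byte a static lock accepts


class StaticLock:
    """Lock whose unlock characteristic accepts a fixed value: any capture of it replays."""

    def connect(self):
        return None  # nothing session-specific is issued

    def write(self, payload: bytes) -> bool:
        return hmac.compare_digest(payload, STATIC_UNLOCK_CMD)


class ChallengeLock:
    """Lock that issues a fresh nonce per connection and expects HMAC(key, "UNLOCK" || nonce)."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None

    def connect(self) -> bytes:
        self.nonce = os.urandom(16)  # notified to the central right after connect
        return self.nonce

    def write(self, payload: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = hmac.new(self.key, b"UNLOCK" + self.nonce, hashlib.sha256).digest()
        self.nonce = None  # one answer per challenge, whether or not it verifies
        return hmac.compare_digest(payload, expected)


def legitimate_unlock(lock) -> tuple:
    """What the vendor app does. Returns the bytes written (what a sniffer sees) and the result."""
    nonce = lock.connect()
    if nonce is None:
        payload = STATIC_UNLOCK_CMD
    else:
        payload = hmac.new(UNLOCK_KEY, b"UNLOCK" + nonce, hashlib.sha256).digest()
    return payload, lock.write(payload)


def replay_check(lock, observed: bytes) -> bool:
    """Re-send a previously observed write on a new connection. True means the lock is replayable."""
    lock.connect()
    return lock.write(observed)


def run_demo() -> dict:
    """Exercise both models and report whether the observed write still works later."""
    static = StaticLock()
    seen_static, ok_static = legitimate_unlock(static)
    challenge = ChallengeLock(UNLOCK_KEY)
    seen_challenge, ok_challenge = legitimate_unlock(challenge)
    return {
        "static_legit": ok_static,
        "static_replay": replay_check(static, seen_static),
        "challenge_legit": ok_challenge,
        "challenge_replay": replay_check(challenge, seen_challenge),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The nonce is consumed on the first write, so a captured response cannot be used even against the very connection it was made on, and a new connection produces a different nonce, so it cannot be used later either. That is the property to confirm when a vendor claims "rolling tokens".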

Bluetooth Classic still exists

  • Headsets and conference speakers often allow pairing without a PIN.
  • rfcomm and OBEX channels sometimes leak phonebooks or files.
  • Old Android tethering profiles can still be brute-forced with redfang-style approaches.

Real CVE pattern: BLE firmware update

A common bug class is an unsigned OTA firmware update. Write a crafted image to the update characteristic and the device flashes attacker code. Always test the OTA path with a benign payload first to confirm that signature checks are actually enforced.
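What the bootloader on the other side of that update characteristic should be doing is shown in this added example (not code from the original post): an image is accepted only if its header parses, its length matches, its authentication tag verifies, and its version is newer than the one installed. The image layout and key are constructed, and the HMAC tag stands in for the asymmetric signature a real bootloader would check so that the example stays in the standard library. run_checks() feeds it the cases the benign-payload test is meant to exercise: a properly signed image, the same image signed with the wrong key, a tampered byte, an old version, and a truncated upload.

```python
"""Verify an OTA image before it is flashed: magic, length, tag, anti-rollback.

Added example, not code from the original post. The image layout and key are
constructed; the HMAC tag stands in for the asymmetric signature a real
bootloader checks. The reject reason is returned so a harness can confirm
which check fired.
"""
import hashlib
import hmac
import struct

MAGIC = b"OTA1"
HEADER = struct.Struct("<4sII")  # magic, firmware version, payload length
TAG_LEN = hashlib.sha256().digest_size
SIGNING_KEY = bytes.fromhex("8d2f6b9c4e1a7f30c5d2e8b1a9f4c6d3")  # constructed


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce header || payload || tag, the way a build server would."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(key: bytes, image: bytes, installed_version: int) -> tuple:
    """Return (accepted, reason). Authenticity is checked before the version is trusted."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    body_end = HEADER.size + length
    if body_end + TAG_LEN != len(image):
        return False, "length mismatch"
    body, tag = image[:body_end], image[body_end:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False, "bad tag"
    if version <= installed_version:
        return False, "rollback"
    return True, "ok"


def run_checks(installed_version: int = 2) -> dict:
    """The cases a benign OTA test should exercise, keyed by case name."""
    payload = b"benign payload, does nothing"
    good = build_image(SIGNING_KEY, 3, payload)
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0xFF  # flip one payload byte, leave header and tag alone
    return {
        "signed": verify_image(SIGNING_KEY, good, installed_version),
        "wrong_key": verify_image(SIGNING_KEY, build_image(b"not the key", 3, payload), installed_version),
        "tampered": verify_image(SIGNING_KEY, bytes(tampered), installed_version),
        "rollback": verify_image(SIGNING_KEY, build_image(SIGNING_KEY, 2, payload), installed_version),
        "truncated": verify_image(SIGNING_KEY, good[:10], installed_version),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in run_checks().items():
        print(f"{case:10s} accepted={accepted} reason={reason}")
```

Only the properly signed, newer image is accepted; everything else is rejected with the reason that fired. A device that flashes the wrong-key image is the bug class this section describes, and the rollback case is the one that is most often forgotten even when signing is present.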

Detection

  1. BLE-aware WIDS like AirEye for enterprise environments.
  2. Out-of-band attestation for badges, never trust the BLE channel alone.
  3. Procurement gates that require LE Secure Connections and signed OTA.

Remediation

  • Require Numeric Comparison or Passkey Entry pairing for any sensitive use case.
  • Roll session keys on every connection, never reuse static keys.
  • Disable Bluetooth on shared meeting room equipment when idle.

58% BLE devices with Just Works · 31% replay-vulnerable locks tested · 22% unsigned OTA paths found

If the radio is silent ninety percent of the day, you can still own it in the other ten.
