Bluetooth LE Attacks: Pairing, GATT, and the Devices That Get Owned
BLE is everywhere: car keys, fitness trackers, insulin pumps. Pairing is the security boundary, and Just Works pairing offers no boundary at all. Here is how we test it.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 3, 2025 · 8 min read
BLE pentesting tends to surprise vendors who assumed proximity was a security control. With a $150 sniffer and an hour, an attacker in a parking lot has the same access as the user. The attack surface is the pairing method, the GATT services, and the firmware update channel.
Methodology
Start with passive sniffing using Ubertooth One, Sniffle on a Nordic dongle, or a Sonoff CC2540 with TI's PacketSniffer. Capture a pairing exchange. Identify the pairing method: Just Works (no MITM protection), Passkey Entry (six-digit; with legacy pairing, brute-forceable in seconds offline), Numeric Comparison (LE Secure Connections, MITM-resistant), or Out of Band (strongest, rare in consumer devices).
- hcitool lescan and bluetoothctl: discover advertising devices and read their service UUIDs.
- gatttool -I -b AA:BB:CC:DD:EE:FF: enumerate primary services, characteristics, and descriptors.
- bleah or bettercap's ble.recon: scripted GATT enumeration and value reads.
- btlejack -f 0xAABBCCDD: jam and hijack an active connection, using a BBC micro:bit as the radio.
- crackle: crack legacy LE pairing keys when you have captured the pairing exchange.
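The pairing-method identification step above can be done from the captured SMP Pairing Request and Pairing Response alone, since the two 7-byte PDUs carry each side's IO capability, OOB flag, AuthReq bits (MITM, Secure Connections) and maximum key size. The classifier below is an added example, not code from the original post or from any of the tools listed; it follows the IO-capability mapping in the Bluetooth Core Specification (Vol 3, Part H), and the PDU bytes in SAMPLE_CAPTURES are constructed for illustration rather than taken from a real capture.

```python
# Added example, not code from the original post. Classifies the pairing
# method that a captured SMP Pairing Request / Pairing Response pair will
# produce, following the IO-capability mapping in Bluetooth Core Spec
# Vol 3 Part H. The PDU bytes in SAMPLE_CAPTURES are constructed, not sniffed.

IO_CAP = {
    0x00: "DisplayOnly",
    0x01: "DisplayYesNo",
    0x02: "KeyboardOnly",
    0x03: "NoInputNoOutput",
    0x04: "KeyboardDisplay",
}
AUTHREQ_MITM = 0x04   # AuthReq bit 2: MITM protection requested
AUTHREQ_SC = 0x08     # AuthReq bit 3: LE Secure Connections supported


def parse_pairing_pdu(pdu: bytes) -> dict:
    """Parse a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("expected a 7-byte SMP Pairing Request/Response")
    if pdu[1] not in IO_CAP:
        raise ValueError(f"reserved IO capability value {pdu[1]:#x}")
    return {
        "opcode": pdu[0],
        "io_cap": IO_CAP[pdu[1]],
        "oob": pdu[2] == 0x01,
        "mitm": bool(pdu[3] & AUTHREQ_MITM),
        "sc": bool(pdu[3] & AUTHREQ_SC),
        "max_key_size": pdu[4],
    }


def _io_method(cap_a: str, cap_b: str, sc: bool) -> str:
    """Pairing method from the two IO capabilities once MITM has been requested."""
    caps = {cap_a, cap_b}
    if "NoInputNoOutput" in caps:
        return "Just Works"
    if "KeyboardOnly" in caps:
        return "Passkey Entry"
    if "DisplayOnly" in caps:
        return "Passkey Entry" if "KeyboardDisplay" in caps else "Just Works"
    # Only DisplayYesNo / KeyboardDisplay combinations remain.
    if sc:
        return "Numeric Comparison"
    return "Passkey Entry" if caps == {"KeyboardDisplay"} else "Just Works"


def classify_pairing(req: bytes, rsp: bytes) -> dict:
    """Return the negotiated method plus the findings a tester would record."""
    i, r = parse_pairing_pdu(req), parse_pairing_pdu(rsp)
    sc = i["sc"] and r["sc"]                    # SC only if both sides support it
    # SC uses OOB if either side has OOB data; legacy pairing needs both sides.
    oob = (i["oob"] or r["oob"]) if sc else (i["oob"] and r["oob"])
    if oob:
        method = "Out of Band"
    elif not (i["mitm"] or r["mitm"]):
        method = "Just Works"                   # nobody asked for MITM protection
    else:
        method = _io_method(i["io_cap"], r["io_cap"], sc)
    key_size = min(i["max_key_size"], r["max_key_size"])

    findings = []
    if method == "Just Works":
        findings.append("Just Works: no MITM protection, any nearby peer can pair")
    if method == "Passkey Entry" and not sc:
        findings.append("legacy Passkey Entry: six-digit key brute-forceable offline")
    if key_size < 16:
        findings.append(f"negotiated encryption key size is {key_size} bytes (< 16)")
    return {"method": method, "secure_connections": sc,
            "key_size": key_size, "findings": findings}


# Constructed captures: (label, Pairing Request, Pairing Response).
SAMPLE_CAPTURES = [
    ("tracker", bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x07, 0x07]),
                bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x07, 0x07])),
    ("lock",    bytes([0x01, 0x01, 0x00, 0x0D, 0x10, 0x0F, 0x0F]),
                bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x0F, 0x0F])),
    ("pump",    bytes([0x01, 0x02, 0x00, 0x05, 0x10, 0x07, 0x07]),
                bytes([0x02, 0x00, 0x00, 0x05, 0x07, 0x07, 0x07])),
]


def audit(captures=SAMPLE_CAPTURES) -> dict:
    """Classify every captured exchange, keyed by its label."""
    return {label: classify_pairing(req, rsp) for label, req, rsp in captures}


if __name__ == "__main__":
    for label, result in audit().items():
        print(label, result["method"], result["findings"])
```

Feed it the two SMP PDUs from a Wireshark or Sniffle capture and the report tells you whether the device is in the Just Works or legacy Passkey Entry category before you spend time on crackle; the key-size check is there because a negotiated key shorter than 16 bytes is a finding on its own.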
GATT enumeration is the unauthenticated attack surface
Many BLE devices expose characteristics without read or write authentication, even when bonded. We have read insulin pump dosing values, written firmware to a smart lock, and triggered diagnostics on car keys, all without pairing. Always enumerate every characteristic and test read, write, write-without-response, and notify on each one as an unauthenticated peer.
Real targets we have tested
Car key fobs using BLE often replay the unlock command if the rolling code is poorly implemented or the challenge window is too generous. Fitness trackers leak step data and sometimes user PII over unauthenticated GATT reads. A 2024 medical device assessment found an insulin pump that accepted bolus commands from any paired device with no per-command authentication. The vendor patched the firmware update channel, which previously accepted unsigned blobs.
Detection
On the device side, instrument the BLE stack to log connection events, MAC addresses, and pairing attempts. Cloud-side, alert on unusual connection patterns: same device account paired from different BLE MACs in rapid succession, or commands issued outside expected user behavior windows. For corporate environments, BLE-aware WIDS can spot rogue advertisers in sensitive areas.
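The two cloud-side rules above (one account pairing from different BLE MACs in rapid succession, and commands issued outside the expected usage window) are simple enough to run over a flat event log. The detector below is an added example, not code from the original post or from any product; the log format, the field names, the 10-minute churn window and the 06:00 to 23:00 UTC usage window are all assumptions, and the log lines in SAMPLE_LOG are constructed.

```python
# Added example, not code from the original post. Runs two cloud-side
# detections over constructed pairing/command telemetry. Log format, window
# sizes and the usage-hours window are assumptions for the demo.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data).
SAMPLE_LOG = """\
2025-03-01T08:02:11Z account=acct-17 event=pair mac=AA:BB:CC:00:00:01
2025-03-01T08:03:40Z account=acct-17 event=cmd mac=AA:BB:CC:00:00:01 cmd=unlock
2025-03-01T08:04:05Z account=acct-17 event=pair mac=DE:AD:BE:EF:00:02
2025-03-01T08:04:30Z account=acct-17 event=cmd mac=DE:AD:BE:EF:00:02 cmd=unlock
2025-03-01T12:00:00Z account=acct-42 event=pair mac=11:22:33:44:55:66
2025-03-02T03:15:00Z account=acct-42 event=cmd mac=11:22:33:44:55:66 cmd=bolus
2025-03-03T09:00:00Z account=acct-42 event=pair mac=11:22:33:44:55:66
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) event=(?P<event>\S+) "
    r"mac=(?P<mac>\S+)(?: cmd=(?P<cmd>\S+))?$"
)


def parse_log(text: str) -> list:
    """Parse well-formed lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(d)
    return events


def detect_mac_churn(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when one account pairs from two or more MACs inside `window`."""
    alerts = []
    by_acct = defaultdict(list)
    for e in events:
        if e["event"] == "pair":
            by_acct[e["account"]].append(e)
    for acct, pairs in by_acct.items():
        pairs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(pairs):
            macs = {p["mac"] for p in pairs[i:] if p["ts"] - first["ts"] <= window}
            if len(macs) > 1:
                alerts.append({"rule": "mac_churn", "account": acct,
                               "macs": sorted(macs), "at": first["ts"]})
                break  # one alert per account is enough here
    return alerts


def detect_off_hours(events: list, start_hour: int = 6, end_hour: int = 23) -> list:
    """Alert on commands issued outside the expected usage hours (UTC here)."""
    return [
        {"rule": "off_hours_cmd", "account": e["account"], "cmd": e["cmd"], "at": e["ts"]}
        for e in events
        if e["event"] == "cmd" and not (start_hour <= e["ts"].hour < end_hour)
    ]


def run_detections(text: str) -> list:
    events = parse_log(text)
    return detect_mac_churn(events) + detect_off_hours(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

In a real deployment the usage window would be learned per user rather than fixed, and the churn rule should be tuned against legitimate phone replacements, which also look like a new MAC on the same account but not within minutes of the old one.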
Remediation
- Use LE Secure Connections with Numeric Comparison or Out of Band pairing. Never ship Just Works for anything safety- or money-relevant.
- Require authenticated, encrypted GATT for every characteristic except a minimal advertising/identification set. Reject reads and writes from unbonded peers.
- Implement per-command authentication for dangerous operations (insulin dose, lock open, firmware write). A signed nonce challenge prevents replay even if pairing is compromised.
- Sign firmware images with a per-product key. Validate signature in the bootloader. Reject downgrades.
- Add a physical confirmation (button press) to pairing for devices with a UI. Out-of-band pairing via QR code is acceptable.
- Test the device against btlejack jamming and replay. Fail closed if the connection drops mid-command.
- For corporate fleets, monitor BLE advertisements in sensitive zones with a WIDS that knows your authorized device list.
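The per-command authentication point in the list above (a signed nonce challenge that holds up even if pairing is compromised) is small enough to show end to end. The code below is an added example, not firmware from the original post or from any vendor; it assumes a per-bond symmetric command key provisioned at pairing time and uses HMAC-SHA256 over (nonce || command) as the "signature", which is one reasonable choice rather than the only one. The demo walks through a valid command, a replay of the same message, a tag bound to a stale nonce, a swapped command body, and a forged tag, and shows that only the first is accepted.

```python
# Added example, not code from the original post. Per-command challenge /
# response for dangerous GATT operations. Assumes a per-bond symmetric key
# provisioned at pairing; HMAC-SHA256 stands in for the "signed nonce".
import hashlib
import hmac
import secrets


class Device:
    """Peripheral side: issues one-time nonces and only acts on commands whose
    tag was computed over (nonce || command) with the per-bond command key."""

    def __init__(self, command_key: bytes, max_outstanding: int = 8):
        self._key = command_key
        self._outstanding: list = []          # nonces issued, not yet consumed
        self._max_outstanding = max_outstanding

    def challenge(self) -> bytes:
        """Issue a fresh 128-bit nonce; drop the oldest if too many are open."""
        nonce = secrets.token_bytes(16)
        self._outstanding.append(nonce)
        if len(self._outstanding) > self._max_outstanding:
            self._outstanding.pop(0)
        return nonce

    def execute(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        # Unknown or already-used nonce: reject. A replayed message fails here.
        if nonce not in self._outstanding:
            return False
        # Consume the nonce before verifying, so a bad tag cannot be retried
        # against the same challenge.
        self._outstanding.remove(nonce)
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        return True   # a real device would act on `command` here


def sign_command(command_key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Central side: bind the command to the device's nonce."""
    return hmac.new(command_key, nonce + command, hashlib.sha256).digest()


def demo() -> tuple:
    key = secrets.token_bytes(32)   # assumed: provisioned per bond at pairing
    dev = Device(key)

    n1 = dev.challenge()
    tag1 = sign_command(key, n1, b"UNLOCK")
    accepted = dev.execute(n1, b"UNLOCK", tag1)          # fresh, valid -> True
    replayed = dev.execute(n1, b"UNLOCK", tag1)          # same message -> False

    n2 = dev.challenge()
    stale_tag = dev.execute(n2, b"UNLOCK", tag1)         # tag for old nonce -> False

    n3 = dev.challenge()
    tag3 = sign_command(key, n3, b"LOCK")
    swapped = dev.execute(n3, b"UNLOCK", tag3)           # command changed -> False

    n4 = dev.challenge()
    forged = dev.execute(n4, b"UNLOCK", sign_command(b"guess", n4, b"UNLOCK"))  # False
    return accepted, replayed, stale_tag, swapped, forged


if __name__ == "__main__":
    print(demo())
```

The order inside execute matters: the nonce is removed before the tag is checked, so a wrong tag burns the challenge instead of leaving it open for further attempts, and the outstanding list is bounded so a peer cannot make the device hold nonces forever. Pairing this with "fail closed if the connection drops mid-command" means an interrupted exchange simply leaves a consumed nonce and no executed action.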