BIPI

Bluetooth and RF Hacking: A Practical SDR Toolkit for Physical Pentests

Cybersecurity

HackRF, RTL-SDR, and Flipper Zero give pentesters capabilities that used to require lab-grade equipment. A field guide to sniffing, replaying, and fuzzing wireless protocols during physical engagements.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 4, 2025 · 10 min read

#bluetooth #rf-hacking #sdr #physical-pentest #wireless

Every physical pentest has a wireless component that most teams under-test. The door badge is a 125 kHz EM4100. The conference-room AV system pairs over BLE. The factory-floor sensor reports over 433 MHz. None of these are on the network diagram.

Hardware Toolkit

  • RTL-SDR v4: receive only, 500 kHz to 1.75 GHz, ~$30. Start here; note that it cannot reach 2.4 GHz.
  • HackRF One: transmit and receive 1 MHz–6 GHz, half-duplex, 8-bit samples, ~$300. Replay attacks and jamming tests, transmitting only within the agreed scope.
  • Ubertooth One: open 2.4 GHz sniffer for BLE and Bluetooth Classic (basic rate), ~$130. Captures pairing and traffic.
  • Flipper Zero: sub-GHz transmit/receive, 125 kHz RFID, NFC, iButton, IR blaster, BadUSB. Field tool for quick assessments.
  • YARD Stick One: sub-GHz transceiver with CC1111, ideal for 433/868/915 MHz IoT protocols.

Passive Recon with RTL-SDR

Plug in the RTL-SDR and run GQRX or SDR#. Sweep the ISM bands: 315 and 433.92 MHz (US and EU garage doors, weather stations, TPMS), 868 MHz (Z-Wave EU, LoRa EU), 915 MHz (LoRa US; Z-Wave US sits at 908 MHz). The 2.4 GHz band (BLE, Zigbee, WiFi) is above the RTL-SDR's ceiling, so use the HackRF or Ubertooth there. Record IQ data with rtl_sdr -f 433920000 -s 2048000 capture.iq. One catch before replay: rtl_sdr writes unsigned 8-bit samples centred on 127.5, while hackrf_transfer expects signed 8-bit samples centred on 0, so either subtract 128 from every byte of the file first or record with hackrf_transfer -r in the first place. Then replay with HackRF: hackrf_transfer -t capture.iq -f 433920000 -s 2048000 -x 40. Transmit only against equipment in scope; everything else within range on that frequency hears it too.
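An added worked example (my code, not from this post or from the rtl-sdr and HackRF projects) of the two steps the command lines above leave implicit: re-centring an rtl_sdr capture into the signed format hackrf_transfer reads, and pulling the on/off keying out of the raw IQ so you can see what you are about to replay. The capture is constructed inside the script (an OOK burst with a 500 µs symbol period at a 50 kHz offset from the tuned frequency, over a deterministic pseudo-noise floor) so it runs offline; on a real job feed `runs` and `ook_bits` the bytes of capture.iq and set `symbol_us` from the run lengths you see.

```python
"""rtl_sdr -> HackRF sample conversion plus a minimal OOK slicer, in pure Python.

rtl_sdr writes interleaved unsigned 8-bit I,Q samples centred on 127.5;
hackrf_transfer expects interleaved signed 8-bit samples centred on 0.
Added example for the article; the capture below is constructed, not recorded.
"""
import math

SAMPLE_RATE = 2_048_000          # the -s value used in the rtl_sdr / hackrf_transfer commands
BLOCK = 64                       # envelope resolution: 64 samples = 31.25 us at 2.048 Msps


def rtl_to_hackrf(raw: bytes) -> bytes:
    """uint8 (0..255) -> int8 (-128..127) by flipping the sign bit; 0 -> -128, 255 -> 127."""
    return bytes(b ^ 0x80 for b in raw)


def synth_ook_capture(bits: str, symbol_us: int = 500, tone_hz: int = 50_000) -> bytes:
    """Constructed input: an OOK burst as a 433 MHz keyfob looks at baseband, carrier
    50 kHz off the tuned frequency, two symbols of guard silence on each side.
    Returned in rtl_sdr's uint8 format so the functions below see what a real file gives them."""
    n_sym = SAMPLE_RATE * symbol_us // 1_000_000
    keying = [0] * (2 * n_sym) + [int(b) for b in bits for _ in range(n_sym)] + [0] * (2 * n_sym)
    out = bytearray()
    for n, on in enumerate(keying):
        amp = 60.0 if on else 0.0
        ph = 2 * math.pi * tone_hz * n / SAMPLE_RATE
        i = 127.5 + amp * math.cos(ph) + 3 * math.sin(0.37 * n)   # deterministic "noise floor"
        q = 127.5 + amp * math.sin(ph) + 3 * math.cos(0.41 * n)
        out += bytes((int(round(i)) & 0xFF, int(round(q)) & 0xFF))
    return bytes(out)


def envelope(raw: bytes, block: int = BLOCK) -> list:
    """Mean |I + jQ| per block of `block` samples: the demodulated OOK envelope."""
    env = []
    for k in range(0, len(raw) - 1, 2 * block):
        chunk = raw[k:k + 2 * block]
        mags = [math.hypot(chunk[j] - 127.5, chunk[j + 1] - 127.5) for j in range(0, len(chunk) - 1, 2)]
        env.append(sum(mags) / len(mags))
    return env


def runs(raw: bytes, block: int = BLOCK) -> list:
    """Run-length view, [(carrier_on, microseconds), ...]: the first thing to read
    for an unknown protocol, because it shows the symbol period and the preamble."""
    env = envelope(raw, block)
    thr = (min(env) + max(env)) / 2          # crude, but fine for a strong nearby transmitter
    on = [e > thr for e in env]
    us_per_block = block * 1_000_000 / SAMPLE_RATE
    out, start = [], 0
    for idx in range(1, len(on) + 1):
        if idx == len(on) or on[idx] != on[start]:
            out.append((on[start], (idx - start) * us_per_block))
            start = idx
    return out


def ook_bits(raw: bytes, symbol_us: int, block: int = BLOCK) -> str:
    """Slice the envelope at the centre of each symbol once the symbol period is known.
    Trailing 0 symbols are indistinguishable from silence, so real decoders rely on a
    stop bit or a known frame length; this just stops after the last carrier-on symbol."""
    env = envelope(raw, block)
    thr = (min(env) + max(env)) / 2
    on = [e > thr for e in env]
    first, last = on.index(True), len(on) - 1 - on[::-1].index(True)
    per_sym = SAMPLE_RATE * symbol_us / 1_000_000 / block     # envelope blocks per symbol
    bits, k = [], 0
    while first + k * per_sym <= last:
        bits.append("1" if on[int(first + k * per_sym + per_sym / 2)] else "0")
        k += 1
    return "".join(bits)


if __name__ == "__main__":
    cap = synth_ook_capture("1011001110001")
    print(runs(cap)[:4])                     # silence, then 500 us on/off runs
    print(ook_bits(cap, symbol_us=500))
    with open("capture_hackrf.iq", "wb") as f:   # then: hackrf_transfer -t capture_hackrf.iq -f 433920000 -s 2048000 -x 40
        f.write(rtl_to_hackrf(cap))
```

The threshold is the midpoint between the quietest and loudest envelope block, which is enough when the transmitter is the strongest thing on the channel; for a weak signal you would set it from the noise floor instead. The run-length list is also what URH or rtl_433 would show you, and it is where you read off the symbol period before slicing.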

Bluetooth Low Energy Attacks

BLE advertising is always in the clear: the packets are unencrypted by design, and connection traffic is only encrypted once the two peers have paired. Use bettercap ble.recon on to enumerate nearby devices and their advertisement data, then connect and read the GATT characteristics. Devices with GATT characteristics that allow unauthenticated writes are common in consumer IoT: lock firmware, smart bulbs, and fitness trackers have all shipped with writeable control characteristics that require no bonding. The test is to connect without pairing and attempt the write. An accepted write, or a visible state change, is the finding; an ATT error of insufficient authentication or insufficient encryption means the characteristic is actually protected.
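An added example (my code, not bettercap's and not from this post) of the two things you are actually reading during that pass: the AD structures inside an advertising payload, and the characteristic properties plus the ATT result of an unpaired write attempt. In bettercap the raw material comes from ble.recon on and ble.enum <mac> (which lists each characteristic with its properties) and ble.write <mac> <uuid> <hex> for the attempt; here the advertisement, the characteristic list and the write outcomes are constructed so the script runs offline.

```python
"""BLE advertising-data parser and GATT write-triage helpers.

Added example for the article, not bettercap's code. The advertisement and the
enumeration results below are constructed; on a real job the bytes come from
bettercap's ble.recon / ble.enum output or a btmon/Wireshark capture.
"""
import struct

AD_TYPE = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs", 0x03: "Complete 16-bit UUIDs",
           0x08: "Shortened Local Name", 0x09: "Complete Local Name",
           0x0A: "TX Power Level", 0x16: "Service Data 16-bit", 0xFF: "Manufacturer Specific"}
FLAG_BITS = {0x01: "LE Limited Discoverable", 0x02: "LE General Discoverable",
             0x04: "BR/EDR Not Supported"}
# Characteristic properties bitfield (Core Spec Vol 3 Part G, characteristic declaration)
PROP_BITS = {0x01: "broadcast", 0x02: "read", 0x04: "write-without-response", 0x08: "write",
             0x10: "notify", 0x20: "indicate", 0x40: "authenticated-signed-writes",
             0x80: "extended-properties"}
WRITE_MASK = 0x04 | 0x08 | 0x40
# ATT error codes a write request can come back with (Core Spec Vol 3 Part F, Error Response)
ATT_ERR = {0x03: "write-not-permitted", 0x05: "requires-authentication",
           0x08: "requires-authorization", 0x0F: "requires-encryption"}


def parse_ad_structures(payload: bytes) -> list:
    """AdvData is a sequence of [length][AD type][data]; length counts the type byte."""
    out, i = [], 0
    while i < len(payload):
        ln = payload[i]
        if ln == 0:                       # zero-length = padding up to 31 bytes, stop
            break
        if i + 1 + ln > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + ln])))
        i += 1 + ln
    return out


def summarize_adv(payload: bytes) -> dict:
    """Decode the fields a recon pass cares about: flags, name, 16-bit services, manufacturer data."""
    info = {"flags": [], "name": None, "services16": [], "manufacturer": None, "unknown": []}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == 0x01 and data:
            info["flags"] = [name for bit, name in FLAG_BITS.items() if data[0] & bit]
        elif ad_type in (0x08, 0x09):
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type in (0x02, 0x03):
            info["services16"] += [f"0x{u:04X}" for (u,) in struct.iter_unpack("<H", data)]
        elif ad_type == 0xFF and len(data) >= 2:
            company_id = struct.unpack("<H", data[:2])[0]   # SIG company identifier, little-endian
            info["manufacturer"] = (company_id, data[2:])
        else:
            info["unknown"].append((AD_TYPE.get(ad_type, f"0x{ad_type:02X}"), data))
    return info


def decode_props(props: int) -> list:
    return [name for bit, name in PROP_BITS.items() if props & bit]


def classify_write(att_error) -> str:
    """Outcome of a write attempted over an unpaired, unencrypted connection.
    None means the device returned Write Response (or swallowed a write-without-response)."""
    if att_error is None:
        return "accepted-unauthenticated"
    return ATT_ERR.get(att_error, f"att-error-0x{att_error:02X}")


def unauthenticated_writable(chars: list) -> list:
    """Characteristics that advertise a write property AND accepted a write from an
    unbonded client. `chars` is [(uuid, properties_byte, att_error_or_None), ...]."""
    return [uuid for uuid, props, err in chars
            if props & WRITE_MASK and classify_write(err) == "accepted-unauthenticated"]


# Constructed ADV_IND payload: flags 0x06, name "DemoLock", Battery Service 0x180F,
# manufacturer data under company ID 0xFFFF (the SIG's reserved/test value).
SAMPLE_ADV = bytes.fromhex("020106" "0909" + "DemoLock".encode().hex() + "03030F18" "05FFFFFF0102")

# Constructed ble.enum-style result: (uuid, properties, ATT error from an unpaired write attempt)
SAMPLE_CHARS = [
    ("00002a19-0000-1000-8000-00805f9b34fb", 0x12, 0x03),   # battery level: read|notify, write refused
    ("0000fff1-0000-1000-8000-00805f9b34fb", 0x0A, None),   # "control": read|write, write accepted -> finding
    ("0000fff2-0000-1000-8000-00805f9b34fb", 0x08, 0x05),   # write, but insufficient authentication -> protected
]

if __name__ == "__main__":
    print(summarize_adv(SAMPLE_ADV))
    for uuid, props, err in SAMPLE_CHARS:
        print(uuid, decode_props(props), classify_write(err))
    print("unauthenticated writable:", unauthenticated_writable(SAMPLE_CHARS))
```

The properties byte only tells you a write is possible, not whether it is protected; the permission lives server-side and is invisible to the client until it tries. That is why the triage keys on the ATT error and not on the property bits alone.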

Bluetooth Classic Sniffing with Ubertooth

Ubertooth derives what it needs to follow a link from the packets it sees on the air. For Bluetooth Classic that is the master's LAP and UAP plus its clock, which it recovers over time from observed packets before it can track the 79-channel hopping sequence; the capture does not have to start at pairing, although pairing is the exchange you most want in it, since that is where keys are negotiated. For BLE, run ubertooth-btle -f -c capture.pcap: it listens on the three advertising channels (37, 38 and 39) and, when it sees a connection request, takes the access address, channel map and hop increment from it and follows the new connection across the 37 data channels. For Classic, ubertooth-follow needs the target's LAP and UAP and then has to catch the paging exchange to lock onto the clock. Wireshark dissects both protocols natively once the capture is loaded.
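How the BLE half of that works, as an added example (my code, not Ubertooth's and not from this post): parse the CONNECT_IND that the sniffer catches on an advertising channel, then generate the data-channel sequence with Channel Selection Algorithm #1, which is what a follower hops along. The CONNECT_IND bytes are constructed. Bluetooth 5 devices that negotiate CSA #2 use a different, hash-based selection that this does not cover, and Classic following is the harder problem of recovering UAP and clock, which this also does not attempt.

```python
"""Following a BLE connection: parse the CONNECT_IND that ubertooth-btle -f catches on
an advertising channel, then generate the data-channel sequence with Channel Selection
Algorithm #1 (Bluetooth Core Spec Vol 6 Part B, 4.5.8.2).
Added example for the article, not Ubertooth's code; the CONNECT_IND below is constructed.
"""
import struct


def parse_connect_ind(lldata: bytes) -> dict:
    """LLData of a CONNECT_IND (22 bytes, all little-endian):
    AA(4) CRCInit(3) WinSize(1) WinOffset(2) Interval(2) Latency(2) Timeout(2) ChM(5) Hop/SCA(1)"""
    if len(lldata) != 22:
        raise ValueError("CONNECT_IND LLData must be 22 bytes")
    aa, crc, win_size, win_off, interval, latency, timeout, chm, hop_sca = struct.unpack("<I3sBHHHH5sB", lldata)
    chm_int = int.from_bytes(chm, "little")
    return {
        "access_address": aa,
        "crc_init": int.from_bytes(crc, "little"),
        "window_size_ms": win_size * 1.25,
        "window_offset_ms": win_off * 1.25,
        "interval_ms": interval * 1.25,          # units of 1.25 ms
        "latency": latency,
        "timeout_ms": timeout * 10,              # units of 10 ms
        "channel_map": [bool(chm_int >> ch & 1) for ch in range(37)],   # bit n set = data channel n in use
        "hop_increment": hop_sca & 0x1F,         # low 5 bits; top 3 bits are the sleep-clock accuracy
        "sca": hop_sca >> 5,
    }


def hop_sequence(channel_map: list, hop: int, count: int, last_unmapped: int = 0) -> list:
    """Channel Selection Algorithm #1. For each connection event:
    unmapped = (last_unmapped + hop) mod 37; if that channel is in the map use it,
    otherwise use used[unmapped mod len(used)] with `used` sorted ascending."""
    used = [ch for ch, ok in enumerate(channel_map) if ok]
    if not used or not 5 <= hop <= 16:
        raise ValueError("invalid channel map or hop increment")
    seq = []
    for _ in range(count):
        last_unmapped = (last_unmapped + hop) % 37
        seq.append(last_unmapped if channel_map[last_unmapped] else used[last_unmapped % len(used)])
    return seq


# Constructed CONNECT_IND LLData: AA 0xA4C6E550, CRCInit 0x332211, WinSize 2, WinOffset 5,
# Interval 24 (30 ms), Latency 0, Timeout 200 (2 s), every channel except 5 in the map, hop 5, SCA 0.
SAMPLE_CONNECT_IND = bytes.fromhex("50E5C6A4" "112233" "02" "0500" "1800" "0000" "C800" "DFFFFFFF1F" "05")

if __name__ == "__main__":
    c = parse_connect_ind(SAMPLE_CONNECT_IND)
    print(f"AA=0x{c['access_address']:08X} interval={c['interval_ms']} ms hop={c['hop_increment']}")
    print("first 10 data channels:", hop_sequence(c["channel_map"], c["hop_increment"], 10))
```

Channel 5 is out of the map in the sample, so the first event remaps to channel 6 instead of 5; that remap step is the part people get wrong when they write their own follower.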

Fuzzing Sub-GHz Protocols

Unknown binary protocols on 433 MHz are common in industrial environments. Record several transmissions of the same command, then a few of a different command. Demodulate each to a bit string (most of these are OOK or 2-FSK with a fixed symbol period) and XOR adjacent captures: bits that never change across captures of one command are fixed fields (preamble, device ID, command); bits that change are counters or rolling codes. Fixed bits that differ between two commands are the command field. Whether the changing field is a plain counter or a rolling code decides the attack, and the test is a replay of an earlier capture with HackRF while you watch the actuator. If an old capture is accepted there is no replay protection, and the fixed/variable split only matters for crafting new commands. If it is rejected, the receiver is tracking the counter or rolling code and you are looking at a key-recovery or rolljam-style problem rather than a simple replay.
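The differencing step as an added example (my code, not from this post), generalised a little beyond the text: it also recovers the command field by comparing two command sets, and tells a plain counter from an opaque rolling code by looking at the step between captures. The frames are constructed 32-bit words standing in for the demodulated bit strings (the slicer output, or a URH or rtl_433 bit dump); the layout they follow is an assumption for the sake of the example.

```python
"""Fixed/variable field recovery across captured sub-GHz frames by XOR differencing.
Added example for the article; the frames are constructed 32-bit words standing in
for the bit strings you get from demodulating each capture. Bit 0 is the first bit
on the air (the MSB of the word).
"""

NBITS = 32


def variable_mask(frames: list) -> int:
    """OR of the XOR of each adjacent pair: a 1 wherever any capture differed from its neighbour."""
    mask = 0
    for a, b in zip(frames, frames[1:]):
        mask |= a ^ b
    return mask


def fields(frames: list, nbits: int = NBITS) -> list:
    """Contiguous runs of fixed / variable bits as (first_bit, last_bit, kind).
    Lower bound only: a counter bit that never toggled in your sample looks fixed."""
    mask = variable_mask(frames)
    kinds = ["variable" if (mask >> (nbits - 1 - i)) & 1 else "fixed" for i in range(nbits)]
    out, start = [], 0
    for i in range(1, nbits + 1):
        if i == nbits or kinds[i] != kinds[start]:
            out.append((start, i - 1, kinds[start]))
            start = i
    return out


def command_bits(cmd_a: list, cmd_b: list, nbits: int = NBITS) -> list:
    """Bits fixed within both command sets but different between them: the command field.
    Needs at least two captures per command so the counter bits are excluded first."""
    fixed_both = ~(variable_mask(cmd_a) | variable_mask(cmd_b)) & ((1 << nbits) - 1)
    diff = (cmd_a[0] ^ cmd_b[0]) & fixed_both
    return [i for i in range(nbits) if (diff >> (nbits - 1 - i)) & 1]


def field_value(frame: int, first: int, last: int, nbits: int = NBITS) -> int:
    width = last - first + 1
    return (frame >> (nbits - 1 - last)) & ((1 << width) - 1)


def classify_field(frames: list, first: int, last: int, nbits: int = NBITS) -> str:
    """Is the variable field a plain counter (forgeable) or something opaque (rolling code)?"""
    vals = [field_value(f, first, last, nbits) for f in frames]
    deltas = {b - a for a, b in zip(vals, vals[1:])}
    if len(deltas) == 1:
        step = deltas.pop()
        return f"counter ({step:+d} per transmission)"
    return "rolling code or opaque: no constant step across captures"


# Constructed captures, layout assumed for the example:
# [8-bit preamble 0xAA][12-bit ID 0x5C3][4-bit cmd][8-bit counter]
UNLOCK = [0xAA5C321F, 0xAA5C3220, 0xAA5C3221]   # three presses of "unlock" (cmd 0x2)
LOCK   = [0xAA5C3822, 0xAA5C3823]               # two presses of "lock"   (cmd 0x8)

if __name__ == "__main__":
    for first, last, kind in fields(UNLOCK):
        label = f"bits {first}-{last}: {kind}"
        if kind == "variable":
            label += " -> " + classify_field(UNLOCK, first, last)
        print(label)
    print("command bits:", command_bits(UNLOCK, LOCK))
```

With only three captures the counter's two high bits never toggle, so `fields` reports the variable region as bits 26 to 31 rather than the full byte; this is the "lower bound" caveat in practice, and the fix is more captures, not a smarter diff.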

The wireless attack surface of a building is almost never on the network diagram — yet it often provides the fastest path to physical access or credential theft.

Defensive Recommendations

  • BLE: require LE Secure Connections with authenticated bonding before any write to a characteristic that controls state, and reject unbonded writes at the ATT layer. Test it the way an attacker would: connect unpaired and try the write.
  • Sub-GHz remotes: use rolling codes and validate the counter window in the receiver. KeeLoq and AUT64 are the historical choices and both have published attacks; a new design should use an AES-based authenticated counter with a per-device key.
  • RFID: migrate from EM4100 and MIFARE Classic to MIFARE DESFire EV3 or SEOS, and configure the readers to authenticate to the credential rather than accept the card UID. A DESFire card read in UID-only mode is no harder to clone than the EM4100 it replaced.
  • RF isolation: Faraday shielding for sensitive areas where badge readers must not be readable from outside.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.