Awesome Bluetooth Security (BR, EDR, LE, and Mesh)

This list links to useful references for anyone working with Bluetooth BR/EDR/LE or Mesh security.

Submit a PR if something is missing!

To Do

• Add list of useful research papers and whitepapers
• Add list of useful articles
• Add list of useful books

Contents

• Notable Vulnerabilities
• Conference Talks
• Bluetooth Security Tools
• Primary Reference Materials
• Useful Sites

Notable Vulnerabilities

Conference Talks

2003

• DEF CON 11 – Bruce Potter – Bluetooth – The Future of Wardriving Video

2004

• 21C3 – Marcel Holtmann, Martin Herfurt, Adam Laurie – Bluetooth Hacking Video
• Black Hat USA 2004 – Adam Laurie, Martin Herfurt – BlueSnarfing The Risk From Digital Pickpockets Video

2005

• 22C3 – Marcel Holtmann, Martin Herfurt, Adam Laurie – Bluetooth Hacking – The State of The Art Video

2006

• 23C3 – Thierry Zoller, Kevin Finistere – Bluetooth Hacking Revisited Video
• Black Hat USA 2006 – Bruce Potter – Bluetooth Defense Kit Black Hat Video

2007

• DeepSec 2007 – Marcel Holtmann – New Security Model of Bluetooth 2.1 Video

2009

• DEF CON 17 – Dominic Spill, Michael Ossmann, and Mark Steward – Bluetooth Smells like Chicken Video
• Shmoocon 2009 – Bluetooth-Ossman.m4v Video

2010

• Shmoocon 2010 – Michael Ossmann – Bluetooth Keyboards: Who Owns Your Keystrokes? Video
• DEF CON 18: Breaking Bluetooth by Being Bored 1/3 Video

2011

• ShmooCon 2011 – Project Ubertooth: Building a Better Bluetooth Adapter Video
• DeepSec 2011 – Tommi Makila & Jukka Taimisto: Intelligent Bluetooth Fuzzing – Why bother? Video

2012

• Ruxcon 2012 – Dominic Spill – Bluetooth Packet Sniffing Using Project Ubertooth Video
• Toorcon 2012 – Hacking Bluetooth Low Energy: I Am Jack’s Heart Monitor Video
• DEF CON 20 – Passive Bluetooth Monitoring in Scapy Video

2013

• USENIX WOOT 2013 – Mike Ryan – Bluetooth: With Low Energy Comes Low Security Video
• ShmooCon 9 – How Smart Is Bluetooth Smart? Video
• Black Hat USA 2013 – Bluetooth Smart: The Good, the Bad, the Ugly, and the Fix! Video
• DeepSec 2013 – Veronica Valeros & Sebastian Garcia: Uncovering your Trails – Privacy Issues of Bluetooth Devices Video

2014

• CanSecWest 2014 – Outsmarting Bluetooth Smart Video
• DEF CON 22 – The NSA Playset Bluetooth Smart Attack Tools Video
• DEF CON 22 – Grant Bugher – Detecting Bluetooth Surveillance Systems Video

2015

• DEF CON 23 – Mike Ryan and Richo Healey – Hacking Electric Skateboards Video

2016

• DEF CON 24 – Anthony Rose, Ben Ramsey – Picking Bluetooth Low Energy Locks a Quarter Mile Away Video
• DEF CON 24 – Realtime Bluetooth Device Detection with Blue Hydra Video
• DEF CON 24 Internet of Things Village Damien Cauquil Btlejuice The Bluetooth Smart Mitm Framework Video
• Black Hat USA 2016 – Gattacking Bluetooth Smart Devices – Introducing a New BLE Proxy Tool Video
• Hack.lu 2016 – Damiel Cauquil – BtleJuice: the Bluetooth Smart Man In The Middle Framework Video
• EMF16 – Michael Ossmann – My Ubertooth Year Video

2017

• Black Hat Europe 2017 – Ben Seri, Gregory Vishnepolsky – BlueBorne – A New Class of Airborne Attacks Video

2018

• DEF CON 26 – Damien Cauquil – You had better secure your BLE devices Video
• 35C3 – Dennis Mantz and Jiska Classen – Dissecting Broadcom Bluetooth Video
• MRMCD2018 – Dennis Mantz and Jiska Classen – A Deep Dive into Bluetooth Controller Firmware Video
• Black Hat Europe 2018 – Ben Seri, Dor Zusman – BLEEDINGBIT Your APs Belong to Us Video

2019

• DEF CON 27 – Damien Cauquil – Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming Video
• USENIX Security ’19 – Pallavi Sivakumaran – A Study of the Feasibility of Co-located App Attacks against BLE Video
• RSA 2019 – Mike Ryan – Bluetooth Reverse Engineering: Tools and Techniques Video
• Hardwear.io USA 2019 – Mike Ryan – Bluetooth Hacking: Tools And Techniques Video
• Hardwear.io Netherlands 2019 – Sultan Qasim Khan – Sniffle: A low-cost sniffer for Bluetooth 5 Video
• MRMCD2019 – Dennis Mantz and Jiska Classen – Playing with Bluetooth Video
• BruCON 0x0B – Damien Cauquil – Defeating Bluetooth Low Energy 5 PRNG for fun and jamming Video
• Hack.LU 2019 – Damien Cauquil – Defeating Bluetooth Low Energy 5 PRNG For Fun And Jamming Video
• CyberCamp19 – Pablo González – Audit and hacking to Bluetooth Low-Energy (BLE) devices Video

2020

• Hardwear.io Virtual Con 2020 – Daniele Antonioli – From Bluetooth Standard to Standard Compliant 0-days Video
• DEF CON 28 – Jiska Classen and Francesco Gringoli – Spectra — New Wireless Escalation Targets Video
• DEF CON 28 – Maxine Filcher – The Basics Of Breaking BLE v3 Video
• USENIX WOOT 2020 – Jianliang Wu – BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Video
• USENIX WOOT 2020 – Dennis Heinze, Jiska Classen, Matthias Hollick – ToothPicker: Apple Picking in the iOS Bluetooth Stack Video
• USENIX 2020 – Yue Zhang – Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Video
• Black Hat Europe 2020 – Wang Yu – Please Make a Dentist Appointment ASAP: Attacking IOBluetoothFamily HCI and Vendor-Specific Commands Video
• Ekoparty 2020 – Cecilia Pastorino and Dan Borgogno – Bluetooth Low Energy Hacking 101 Video
• rC3 2020 – Jiska Classen – Exposure Notification Security Video

2021

• CCC #DiVOC2020 – Jiska Classen – Finding Eastereggs in Broadcom’s Bluetooth Random Number Generator Video
• CCC #DiVOC2020 – Jan Ruge – No PoC? No Fix! – A sad Story about Bluetooth Security Video
• WOOT2021 – Tristan Claverie, José Lopes Esteves – BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols Video
• Hardwear.io NL 2021 – Tristan Claverie, José Lopes Esteves – BlueMirror: Defeating Authentication In Bluetooth Protocols Video

Bluetooth Security Tools

Linux Utilities & Tools

• BlueZ (l2ping, gatttool, hciconfig, hcidump, hcitool, sdptool, bccmd, bluetoothctl, etc.) Link

Scanners & Sniffers

• BTLEmap Github
• Sniffle Github
• Bettercap Github
• sparrow-wifi Github
• bluelog Github
• btsniffer Github
• Blue Hydra Github
• btlesniffer Github
• btscanner Link
• BT Audit Link
• redfang Gitlab
• bleah (deprecated, replaced by Bettercap) Github

Exploit Tools

• Btlejack Github
• crackle Github
• btcrack Github
• BLE-Replay Github
• BLESuite-CLI Github
• BlueMaho Gitlab
• BlueDiving Sourceforge
• Blooover Link
• l2ping (BlueSmack DoS) Link
• hidattacl Link

OBEX Attack Tools

• obexstress Download
• bluesnarfer Gitlab
• nOBEX Github

Fuzzing

• Toothpicker Github
• bss (unsupported) Github
• Defensics (Commercial) Link

Firmware Analysis

• InternalBlue Github
• Frankenstein Github
• Nexmon Github

Man-in-the-middle & Packet Injection

• BtleJuice Github
• Gattacker Github
• BTLE (for SDRs) Github
• (Unsupported) Btproxy Github

Device Spoofing

• Spooftooph Gitlab
• Bluefog Github

Ping & Signal Strength Tools

• blue_sonar Github
• BlueRanger Gitlab

Denial of Service

• Blue Deauth Github

Honeypot

• bluepot Github

Android Apps

• nRF Connect for Mobile Google Play

Hardware

• Nordic Semiconductor nRF-51 Development Kit Link
• Sena UD-100 (~$39) Link
• Ubertooth One (~$120) Link
• Ellisys Bluetooth Tools Link
• Frontline Bluetooth Tools Link

Other

• Wireshark: Protocol analyzer and packet capture Link
• Frontline Wireless Protocol Suite (Windows only) Link
• Uberducky (BLE-triggered rubber ducky) Github
• CarWhisperer: Bluetooth sniffer for in-vehicle connections Link
• BLEBoy: BLE testing platform Github

Primary Reference Materials

Bluetooth Core Specifications Link

NIST Special Publication (SP) 800-121 revision 2 Link

Useful Sites

• List of Bluetooth bugs Link
• Bluetooth arsenal tool list Github
• trifinite Bluetooth info Link
• Mike Ryan’s Bluetooth info Link
• Colin Mulliner’s Bluetooth info Link
• BlackArch Linux tool list Link
• Bluetooth pen test framework Link