BLE Deep Dive

Bluetooth Low Energy (BLE) is the nervous system of the IoT world. It unlocks our doors, starts our cars, manages our insulin pumps, and tracks our location.

But for security researchers, BLE is often a black box. Most tutorials stop at "How to use nRF Connect" or "How to write a characteristic." They treat security as a checkbox: "Just enable encryption, and you're safe."

This series is different.

This is a Security Researcher’s Deep Dive. We are not here to build devices; we are here to break them. We will dismantle the BLE stack layer by layer—from the raw radio waves to the high-level application logic—to uncover where the vulnerabilities actually hide.


The Philosophy: "Full Stack" Exploitation

To hack a modern BLE device, you cannot be a specialist in just one layer.

  • If you focus only on Encryption (SMP), you will miss the Buffer Overflow in L2CAP.

  • If you focus only on the App Logic (GATT), you will miss the Connection Starvation in the Link Layer.

  • If you trust the Silicon, you will miss the Fault Injection attacks.

We will treat the entire stack as a single, interconnected attack surface.


The Roadmap: Your Attack Vector

This series is broken down into the 6 distinct layers of Bluetooth Low Energy. Here is what you will learn in each chapter:

+---------------------------------------+
|          APPLICATION LAYER            |  <- Your Business Logic & UIs
+---------------------------------------+
                 ^   |
+---------------------------------------+
|            GATT / ATT                 |  <- Data Model & Read/Write Ops
+---------------------------------------+
                 ^   |
+---------------------------------------+
|         SMP (Security Manager)        |  <- Pairing, Encryption, Keys
+---------------------------------------+
                 ^   |
+---------------------------------------+
|       L2CAP (Logical Link Control)    |  <- Multiplexing & Segmentation
+---------------------------------------+
                 ^   |
+---------------------------------------+
|           LINK LAYER (LL)             |  <- State Machine, Hopping, Timing
+---------------------------------------+
                 ^   |
+---------------------------------------+
|           PHY LAYER (Radio)           |  <- Modulation, Frequencies, Power
+---------------------------------------+

1. The PHY Layer: The Radio Frontier

  • The Muscle: Where bits become radio waves.

  • The Attacks: Jamming, Sniffing, and Spectrum Analysis.

  • Key Insight: "If you are in range, you are connected."

2. The Link Layer: The Controller Logic

  • The Brain: Managing states, timing, and hopping.

  • The Attacks: Connection Starvation, Channel Map Steering, and Controller DoS (SweynTooth).

  • Key Insight: "Complexity is the enemy of security."

3. L2CAP: The Buffer Zone

  • The Multiplexer: Fragmentation and Reassembly.

  • The Attacks: Heap Overflows (BlueBorne), MTU Fuzzing, and Memory Exhaustion.

  • Key Insight: "Trusting length fields is a fatal mistake."

4. SMP: The Gatekeeper

  • The Key Exchange: Pairing, Bonding, and Encryption.

  • The Attacks: MITM, Legacy Pairing Cracking, Just Works Spoofing, and Key Downgrades.

  • Key Insight: "Encryption is useless if the handshake is compromised."

5. GATT & ATT: The API Surface

  • The Data Model: Services, Characteristics, and Permissions.

  • The Attacks: Hidden Handles, Race Conditions, and Permission Bypasses.

  • Key Insight: "Permissions are code, not magic."

6. The Application Layer: The Human Error

  • The Business Logic: OTA, Unlocks, and Cloud Bridges.

  • The Attacks: Replay Attacks, Logic Flaws, Hardcoded Secrets, and Relay Attacks.

  • Key Insight: "Paired ≠ Trusted."


The Toolkit: What You Need

You can read these blogs for theory, but to follow the Security Checks, you will need:

  1. Hardware:

    • Ubertooth One or nRF52840 Dongle (Sniffing).

    • ESP32 or Linux Laptop (Active Attacks).

  2. Software:

    • Wireshark (Analysis).

    • Bettercap / GATTacker (MITM).

    • Scapy / Mirage (Packet Crafting & Fuzzing).

    • InternalBlue (Link Layer hacking).


Ready?

Security is not a state; it is a process. The deeper you go into the stack, the more cracks you find in the foundation.

Start your dive here: The PHY Layer