PHY Layer

1 Byte     4 Bytes        2 - 257 Bytes       3 Bytes
+--------+--------------+-------------------+------------+
|        |              |                   |            |
| PREAM- |    ACCESS    |        PDU        |    CRC     |
|  BLE   |    ADDRESS   |     (PAYLOAD)     |            |
|        |              |                   |            |
+--------+--------------+-------------------+------------+
   ^            ^                 ^                ^
   |            |                 |                |
 Sync       Connection ID     Upper Layers     Integrity

Context: The Physical (PHY) layer is the "Wild West" of Bluetooth Low Energy. It is the lowest layer of the stack, responsible for modulating bits into electromagnetic waves. We care about this layer because it is the physical boundary of the attack surface. If an attacker is within RF range, they are effectively "connected" to your device's interface.

Unlike higher layers where logic bugs live, the PHY layer is about signal visibility, interception, and disruption. This guide breaks down the PHY layer mechanics and how to audit them.


1. Spectrum & Modulation: The Signal Signature

BLE operates in the 2.4 GHz ISM band (2402–2480 MHz), sharing airspace with Wi-Fi and Zigbee. It uses Gaussian Frequency Shift Keying (GFSK).

  • Logical 1 / 0: Represented by positive/negative frequency deviations from the carrier.

  • Gaussian Filter: Smooths the pulses to reduce spectral width (interference).

Security Perspective

Since GFSK is a standard, non-proprietary modulation, no specialized military hardware is needed to decode it. Any standard Software Defined Radio (SDR) or $10 generic BLE dongle can demodulate these signals. There is no encryption at the modulation level; it is purely raw signal processing.

🛡️ Security Checks & Testing

  • Spectrum Analysis: Use a HackRF or Spectrum Analyzer to visualize the device's RF footprint. Does it transmit continuously or in bursts?

  • Signal Capture: Use Universal Radio Hacker (URH) or GNU Radio.

    • Test: Capture raw IQ samples of the device advertising.

    • Goal: Manually demodulate the GFSK signal in software to verify that no non-standard obscuration is being used (security through obscurity).


2. Channelization & The "Advertising" Vulnerability

BLE divides the 2.4 GHz band into 40 channels (spaced 2 MHz apart).

  • Advertising Channels (37, 38, 39): Used for device discovery and connection initiation.

  • Data Channels (0-36): Used for data transfer after connection.

Security Perspective

The "Advertising Channels" are the Achilles' heel of BLE privacy. To be found, a device must shout its presence on these known frequencies. This makes passive discovery trivial. An attacker does not need to guess where a device is listening; they just sit on channel 37 and wait.

🛡️ Security Checks & Testing

  • Discovery Scan: Use hcitool lescan or bettercap.

    • Test: Can you identify the device type, manufacturer, or firmware version purely from advertising data?

  • Active Scanning:

    • Test: Send a SCAN_REQ packet. Does the device respond with a SCAN_RSP containing more sensitive data (e.g., full device name, UUIDs)?

  • Jamming Susceptibility:

    • Test: Use an SDR to generate noise specifically on channels 37, 38, and 39.

    • Goal: Verify if the device fails open, resets, or simply becomes unreachable (DoS).


3. Access Address & Packet Structure

Every BLE packet on the PHY layer follows this structure: [ Preamble | Access Address | PDU (Payload) | CRC ]

  • Access Address (AA): A unique 32-bit identifier.

    • Advertising AA: Fixed at 0x8E89BED6 (Standard for all devices).

    • Data AA: Randomly generated per connection.

Security Perspective

The Access Address is the "key" to following a specific connection. If an attacker captures the CONNECT_REQ packet on an advertising channel, they capture the Data Access Address and the Hop Increment (hopping pattern). With these two values, they can follow the devices onto the data channels and sniff the entire session.

🛡️ Security Checks & Testing

  • Connection Sniffing: Use Wireshark with nRF Sniffer (nRF52840 dongle) or Ubertooth One.

    • Test: Initiate a connection between a central (phone) and peripheral (device).

    • Goal: Can you capture the CONNECT_REQ? If yes, can you see the subsequent data packets?

  • AA Randomness:

    • Test: Connect and disconnect 50 times.

    • Goal: Ensure the Data Access Address is sufficiently random and not hardcoded or predictable.
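As an added example (not part of the original guide), a Python parser for the [ Preamble | Access Address | PDU | CRC ] layout above: it checks the fixed advertising Access Address, decodes the legacy PDU header and walks the AD structures, so the "what can be learned purely from advertising data" check of section 2 can be run over a sniffer capture. The sample frame, its addresses, device name and CRC bytes are constructed placeholders, and the CRC is carried through rather than recomputed.

```python
import struct

ADV_ACCESS_ADDRESS = 0x8E89BED6  # fixed advertising-channel AA, as stated above
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
             4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
# GAP AD types that most often give away identity: names, vendor data and Tx power
AD_TYPES = {0x01: "flags", 0x08: "short_name", 0x09: "complete_name", 0x0A: "tx_power", 0xFF: "manufacturer"}

def parse_ad_structures(adv_data: bytes) -> dict:
    """Walk the [length][type][value...] structures in AdvData or ScanRspData."""
    found, i = {}, 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0 or i + 1 + length > len(adv_data):
            break  # zero length is padding; an over-long structure means a truncated packet
        ad_type, value = adv_data[i + 1], adv_data[i + 2:i + 1 + length]
        key = AD_TYPES.get(ad_type, f"ad_0x{ad_type:02x}")
        if ad_type in (0x08, 0x09):
            found[key] = value.decode("utf-8", "replace")
        elif ad_type == 0xFF and len(value) >= 2:  # first two bytes: SIG company identifier, LE
            found[key] = {"company_id": struct.unpack_from("<H", value)[0], "data": value[2:].hex()}
        elif ad_type == 0x0A and value:
            found[key] = struct.unpack("<b", value[:1])[0]  # signed dBm
        else:
            found[key] = value.hex()
        i += 1 + length
    return found

def parse_adv_packet(frame: bytes) -> dict:
    """Decode [preamble | access address | PDU | CRC] of a legacy advertising-channel packet."""
    # AA is sent LSB first right after the 1-byte preamble; a data-channel AA is rejected here
    if len(frame) < 10 or struct.unpack_from("<I", frame, 1)[0] != ADV_ACCESS_ADDRESS:
        raise ValueError("not a complete advertising-channel packet")
    header, length = frame[5], frame[6] & 0x3F  # legacy header: type/TxAdd/RxAdd byte, 6-bit length
    pdu_type, tx_add = header & 0x0F, bool(header & 0x40)
    payload, crc = frame[7:7 + length], frame[7 + length:]
    if len(payload) != length or len(crc) != 3:
        raise ValueError("length field does not match frame size")
    info = {"pdu_type": PDU_TYPES.get(pdu_type, f"type_{pdu_type}"), "random_addr": tx_add,
            "crc": crc.hex()}  # CRC is carried through, not recomputed; the sniffer validates it
    if pdu_type in (0, 2, 4, 6):  # PDUs that carry AdvA followed by AdvData / ScanRspData
        info["adv_addr"] = ":".join(f"{b:02X}" for b in reversed(payload[:6]))  # AdvA is LSB first
        info["adv_data"] = parse_ad_structures(payload[6:])
        info["leaked"] = sorted(k for k in info["adv_data"] if k != "flags")  # what a passive scan learns
    return info

# Constructed sample: ADV_IND from a static random address with flags, a complete name,
# manufacturer data (company id 0xFFFF is the SIG's reserved test value) and +10 dBm Tx power
SAMPLE_FRAME = bytes.fromhex("AA" "D6BE898E" "401D" "5544332211C0" "020106"
                             "0A094C6F636B2D31413242" "05FFFFFF0102" "020A0A" "A1B2C3")
```

Feed it the raw bytes of one advertising packet from a sniffer capture; a non-empty "leaked" list is the finding for the discovery-scan check.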


4. Adaptive Frequency Hopping (AFH)

Once connected, devices hop between the 37 data channels to avoid interference (e.g., a busy Wi-Fi channel).

Security Perspective

Many developers mistakenly believe AFH provides security ("The attacker won't know which frequency we are on!"). This is false. The hopping sequence is mathematically determined by the parameters exchanged during the unencrypted connection handshake. Tools like btlejack can calculate the next channel and follow the hop instantly.

🛡️ Security Checks & Testing

  • Connection Hijacking: Use btlejack.

    • Test: Attempt to "jam and hijack" an existing connection. btlejack jams the master, desynchronizes it, and takes its place, communicating with the slave.

    • Goal: Verify if the device accepts commands from the hijacker (implies lack of application-layer encryption/auth).
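To make the "mathematically determined" claim of this section and the CONNECT_REQ discussion in section 3 concrete, here is an added Python example (not from the guide or from btlejack) that pulls the Data Access Address, hop increment and channel map out of a CONNECT_REQ payload and computes the Channel Selection Algorithm #1 sequence from them; every value comes from the unencrypted handshake, which is why AFH is not a confidentiality control. The sample payload, its addresses, Access Address and CRCInit are constructed placeholders.

```python
import struct

DATA_CHANNELS = 37  # data channels 0-36, as described above

def parse_connect_req(payload: bytes) -> dict:
    """Decode the LLData of a legacy CONNECT_REQ payload: InitA(6) | AdvA(6) | LLData(22)."""
    if len(payload) != 34:
        raise ValueError("CONNECT_REQ payload must be 34 bytes")
    ll = payload[12:]
    access_address, = struct.unpack_from("<I", ll, 0)
    win_size, win_offset, interval, latency, timeout = struct.unpack_from("<BHHHH", ll, 7)
    return {
        "access_address": access_address,
        "crc_init": int.from_bytes(ll[4:7], "little"),
        "interval_us": interval * 1250,          # connection interval is in 1.25 ms units
        "latency": latency, "timeout_ms": timeout * 10,
        "chan_map": int.from_bytes(ll[16:21], "little") & ((1 << DATA_CHANNELS) - 1),
        "hop_increment": ll[21] & 0x1F,          # low 5 bits of the last byte
        "sca": ll[21] >> 5,                      # master sleep clock accuracy, high 3 bits
    }

def used_channels(chan_map: int) -> list:
    """The remapping table: data channels whose bit is set in the 37-bit channel map."""
    return [ch for ch in range(DATA_CHANNELS) if chan_map >> ch & 1]

def hop_sequence(hop_increment: int, chan_map: int, events: int, last_unmapped: int = 0) -> list:
    """Channel Selection Algorithm #1: the data channel used at each successive connection event."""
    table, sequence = used_channels(chan_map), []
    for _ in range(events):
        last_unmapped = (last_unmapped + hop_increment) % DATA_CHANNELS
        if chan_map >> last_unmapped & 1:
            sequence.append(last_unmapped)                      # channel is in use: take it as-is
        else:
            sequence.append(table[last_unmapped % len(table)])  # remap onto a used channel
    return sequence

# Constructed CONNECT_REQ payload (addresses, AA and CRCInit are placeholders, not real captures)
SAMPLE_CONNECT_REQ = (
    bytes.fromhex("0102030405C0") + bytes.fromhex("5544332211C0")       # InitA, AdvA, LSB first on air
    + struct.pack("<I", 0x50A1B2C3) + (0x123456).to_bytes(3, "little")  # AA, CRCInit
    + struct.pack("<BHHHH", 2, 0, 24, 0, 72)                            # WinSize, WinOffset, Interval, Latency, Timeout
    + (0x1FFFFFF800).to_bytes(5, "little")                              # ChM: channels 11-36 in use
    + bytes([1 << 5 | 7])                                               # SCA=1, Hop=7
)
```

With a channel map that drops 0-10 (say, under a busy Wi-Fi channel), the first events land on 18, 14, 21, 28, 35, 16, and the whole pattern repeats every 37 events.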


5. PHY Variants: Range as an Attack Vector

  • 1M PHY: Standard (approx 10-30m range).

  • 2M PHY: Faster, shorter range.

  • Coded PHY (Long Range): Uses Forward Error Correction (FEC) to hear signals from hundreds of meters away.

Security Perspective

Physical Range = Attack Surface. If a device enables Coded PHY (Long Range), an attacker with a directional Yagi antenna might be able to interact with or sniff the device from a kilometer away (e.g., from a parking lot or adjacent building).

🛡️ Security Checks & Testing

  • Range Audit:

    • Test: Does the device need Coded PHY? If it's a smart lock meant to work only when the user is at the door, Coded PHY is a vulnerability.

  • Tx Power Analysis:

    • Test: Check the Transmit Power. Is it set to +10dBm (max) unnecessarily? Lowering Tx power reduces the sniffing radius.
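An added link-budget example (not from the guide) for the Range Audit and Tx Power checks: a free-space estimate of how far each PHY can still be received at a given Tx power and eavesdropper antenna gain, and the Tx power at which that radius shrinks to a target distance. The per-PHY receiver sensitivities are assumed representative values, not figures from the guide, and free space is an optimistic upper bound (no walls, no fading).

```python
import math

F_MHZ = 2440.0  # centre of the 2402-2480 MHz band described above

# Assumed, representative receiver sensitivities (dBm) per PHY; check your own radio's datasheet
PHY_SENSITIVITY_DBM = {"1M": -96.0, "2M": -93.0, "Coded S8": -103.0}

def free_space_path_loss_db(distance_m: float, f_mhz: float = F_MHZ) -> float:
    """Friis free-space loss; about 40 dB at 1 m for 2.4 GHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(f_mhz) - 27.55

def max_range_m(tx_power_dbm: float, sensitivity_dbm: float, rx_antenna_gain_dbi: float = 0.0) -> float:
    """Largest line-of-sight distance at which the link budget still reaches the receiver's sensitivity."""
    budget_db = tx_power_dbm + rx_antenna_gain_dbi - sensitivity_dbm
    return 10 ** ((budget_db - 20 * math.log10(F_MHZ) + 27.55) / 20)

def range_audit(tx_power_dbm: float, eavesdropper_gain_dbi: float = 0.0) -> dict:
    """Free-space sniffing radius (m) per PHY for one Tx power; every 20 dB of budget is a 10x radius."""
    return {phy: round(max_range_m(tx_power_dbm, sens, eavesdropper_gain_dbi))
            for phy, sens in PHY_SENSITIVITY_DBM.items()}

def tx_power_for_radius(target_m: float, phy: str = "1M", eavesdropper_gain_dbi: float = 0.0) -> float:
    """Tx power (dBm) at which the free-space range just equals target_m; anything lower shrinks it."""
    return PHY_SENSITIVITY_DBM[phy] - eavesdropper_gain_dbi + free_space_path_loss_db(target_m)
```

range_audit(10) versus range_audit(10, 12) shows what a 12 dBi directional antenna buys a listener at the maximum Tx power, and tx_power_for_radius(30) gives the setting for a door-range device under the same assumptions.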
