Awesome

Awesome Bluetooth Security (BR, EDR, LE, and Mesh)

This list links to useful references for anyone working with Bluetooth BR/EDR/LE or Mesh security.

Submit a PR if something is missing!

To Do

Add list of useful research papers and whitepapers
Add list of useful articles
Add list of useful books

Notable Vulnerabilities
Conference Talks
Bluetooth Security Tools
Primary Reference Materials
Useful Sites

<a name="notable_vulnerabilities"></a>Notable Vulnerabilities

Vulnerability name	Conference & Year published	Vulnerability website URL	Paper URL	Video URL	SIG Notice	Technology Impacted	Related CVE
BlueBorne	Black Hat Europe 2017	Site	Paper	Video	No Notice	BR/EDR	CVE-2017-8628, CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-14315, CVE-2017-1000250, CVE-2017-1000251, CVE-2017-14315, CVE-2017-1000410
Bleedingbit	2018	Site	Paper	Video	No Notice	LE	CVE-2018-7080, CVE-2018-16986
Fixed Coordinate Invalid Curve Attack	2018	Site	Paper	Video	SIG Notice	BR/EDR/LE	CVE-2018-5383
SweynTooth	2019	Site	Paper	Video	No Notice	LE	CVE-2019-16336, CVE-2019-17060, CVE-2019-17061, CVE-2019-17517, CVE-2019-17518, CVE-2019-17519, CVE-2019-17520, CVE-2019-19192, CVE-2019-19193, CVE-2019-19194, CVE-2019-19195, CVE-2019-19196, CVE-2020-10061, CVE-2020-10069, CVE-2020-13593, CVE-2020-13594, CVE-2020-13595
KNOB	USENIX 2019	Site	Paper	Video	SIG Notice	BR/EDR	CVE-2019-9506
BIAS	IEEE S&P 2020	Site	Paper	Video	SIG Notice	BR/EDR	CVE-2020-10135
Pairing Method Confusion	2020	Site	Paper	No Video	SIG Notice	BR/EDR/LE	CVE-2020-10134
BlueFrag	2020	Article	No Paper	No Video	No Notice	Android	CVE-2020-0022
Spectra	Black Hat USA 2020	Abstract	TBD	Video	No Notice	WiFi+BT modules	CVE-2019-15063, CVE-2020-10367, CVE-2020-10368, CVE-2020-10369, CVE-2020-10370
BLURtooth	2020	Site	Paper	Video	SIG Notice	BR/EDR+LE	CVE-2020-15802, CVE-2022-20361
BLESA	WOOT 2020	Site	Paper	Video	No Notice	LE	CVE-2020-9770
BleedingTooth	2020	Site	Writeup	Video	No Notice	Linux	CVE-2020-12351, CVE-2020-12352, CVE-2020-24490
BlueMirror	WOOT 2021	Site	Paper	Video	Multiple SIG Notices	BR/EDR/LE/Mesh	CVE-2020-26555, CVE-2020-26556, CVE-2020-26557, CVE-2020-26558, CVE-2020-26559, CVE-2020-26560
InjectaBLE	IEEE DSN 2021	Site	Paper	No Video	SIG Notice	LE	CVE-2021-31615
BrakTooth	2021	Site	Paper	Video	No Notice	BR/EDR	CVE-2021-28135, CVE-2021-28136, CVE-2021-28139, CVE-2021-28155, CVE-2021-31717, CVE-2021-31609, CVE-2021-31611, CVE-2021-31612, CVE-2021-31613, CVE-2021-31785, CVE-2021-31786, CVE-2021-31610, CVE-2021-34143, CVE-2021-34144, CVE-2021-34145, CVE-2021-34146, CVE-2021-34147, CVE-2021-34148, CVE-2021-34149, CVE-2021-34150
Pairing Mode Confusion	2022	No Site	No Paper	No Video	SIG Notice	LE	CVE-2022-25836
Pairing Mode Confusion	2022	No Site	No Paper	No Video	SIG Notice	BR/EDR	CVE-2022-25837
BLUFFS	2023	Site	Paper	No Video	SIG Notice	BR/EDR	CVE-2023-24023

<a name="conference_talks"></a>Conference Talks

2003

DEF CON 11 - Bruce Potter - Bluetooth - The Future of Wardriving Video

2004

21C3 - Marcel Holtmann, Martin Herfurt, Adam Laurie - Bluetooth Hacking Video
Black Hat USA 2004 - Adam Laurie, Martin Herfurt - BlueSnarfing The Risk From Digital Pickpockets Video

2005

22C3 - Marcel Holtmann, Martin Herfurt, Adam Laurie - Bluetooth Hacking - The State of The Art Video

2006

23C3 - Thierry Zoller, Kevin Finistere - Bluetooth Hacking Revisited Video
Black Hat USA 2006 - Bruce Potter - Bluetooth Defense Kit Black Hat Video

2007

DeepSec 2007 - Marcel Holtmann - New Security Model of Bluetooth 2.1 Video

2009

DEF CON 17 - Dominic Spill, Michael Ossmann, and Mark Steward - Bluetooth Smells like Chicken Video
Shmoocon 2009 - Bluetooth-Ossman.m4v Video

2010

Shmoocon 2010 - Michael Ossmann - Bluetooth Keyboards: Who Owns Your Keystrokes? Video
DEF CON 18: Breaking Bluetooth by Being Bored 1/3 Video

2011

ShmooCon 2011 - Project Ubertooth: Building a Better Bluetooth Adapter Video
DeepSec 2011 - Tommi Makila & Jukka Taimisto: Intelligent Bluetooth Fuzzing - Why bother? Video

2012

Ruxcon 2012 - Dominic Spill - Bluetooth Packet Sniffing Using Project Ubertooth Video
Toorcon 2012 - Hacking Bluetooth Low Energy: I Am Jack's Heart Monitor Video
DEF CON 20 - Passive Bluetooth Monitoring in Scapy Video

2013

USENIX WOOT 2013 - Mike Ryan - Bluetooth: With Low Energy Comes Low Security Video
ShmooCon 9 - How Smart Is Bluetooth Smart? Video
Black Hat USA 2013 - Bluetooth Smart: The Good, the Bad, the Ugly, and the Fix! Video
DeepSec 2013 - Veronica Valeros & Sebastian Garcia: Uncovering your Trails - Privacy Issues of Bluetooth Devices Video

2014

CanSecWest 2014 - Outsmarting Bluetooth Smart Video
DEF CON 22 - The NSA Playset Bluetooth Smart Attack Tools Video
DEF CON 22 - Grant Bugher - Detecting Bluetooth Surveillance Systems Video

2015

DEF CON 23 - Mike Ryan and Richo Healey - Hacking Electric Skateboards Video

2016

DEF CON 24 - Anthony Rose, Ben Ramsey - Picking Bluetooth Low Energy Locks a Quarter Mile Away Video
DEF CON 24 - Realtime Bluetooth Device Detection with Blue Hydra Video
DEF CON 24 Internet of Things Village Damien Cauquil Btlejuice The Bluetooth Smart Mitm Framework Video
Black Hat USA 2016 - Gattacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool Video
Hack.lu 2016 - Damiel Cauquil - BtleJuice: the Bluetooth Smart Man In The Middle Framework Video
EMF16 - Michael Ossmann - My Ubertooth Year Video

2017

Black Hat Europe 2017 - Ben Seri, Gregory Vishnepolsky - BlueBorne - A New Class of Airborne Attacks Video

2018

DEF CON 26 - Damien Cauquil - You had better secure your BLE devices Video
35C3 - Dennis Mantz and Jiska Classen - Dissecting Broadcom Bluetooth Video
MRMCD2018 - Dennis Mantz and Jiska Classen - A Deep Dive into Bluetooth Controller Firmware Video
Black Hat Europe 2018 - Ben Seri, Dor Zusman - BLEEDINGBIT Your APs Belong to Us Video

2019

DEF CON 27 - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming Video
USENIX Security '19 - Pallavi Sivakumaran - A Study of the Feasibility of Co-located App Attacks against BLE Video
RSA 2019 - Mike Ryan - Bluetooth Reverse Engineering: Tools and Techniques Video
Hardwear.io USA 2019 - Mike Ryan - Bluetooth Hacking: Tools And Techniques Video
Hardwear.io Netherlands 2019 - Sultan Qasim Khan - Sniffle: A low-cost sniffer for Bluetooth 5 Video
MRMCD2019 - Dennis Mantz and Jiska Classen - Playing with Bluetooth Video
BruCON 0x0B - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG for fun and jamming Video
Hack.LU 2019 - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG For Fun And Jamming Video
CyberCamp19 - Pablo González - Audit and hacking to Bluetooth Low-Energy (BLE) devices Video

2020

Hardwear.io Virtual Con 2020 - Daniele Antonioli - From Bluetooth Standard to Standard Compliant 0-days Video
DEF CON 28 - Jiska Classen and Francesco Gringoli - Spectra — New Wireless Escalation Targets Video
DEF CON 28 - Maxine Filcher - The Basics Of Breaking BLE v3 Video
USENIX WOOT 2020 - Jianliang Wu - BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Video
USENIX WOOT 2020 - Dennis Heinze, Jiska Classen, Matthias Hollick - ToothPicker: Apple Picking in the iOS Bluetooth Stack Video
USENIX 2020 - Yue Zhang - Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Video
Black Hat Europe 2020 - Wang Yu - Please Make a Dentist Appointment ASAP: Attacking IOBluetoothFamily HCI and Vendor-Specific Commands Video
Ekoparty 2020 - Cecilia Pastorino and Dan Borgogno - Bluetooth Low Energy Hacking 101 Video
rC3 2020 - Jiska Classen - Exposure Notification Security Video

2021

CCC #DiVOC2020 - Jiska Classen - Finding Eastereggs in Broadcom's Bluetooth Random Number Generator Video
CCC #DiVOC2020 - Jan Ruge - No PoC? No Fix! - A sad Story about Bluetooth Security Video
WOOT2021 - Tristan Claverie, José Lopes Esteves - BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols Video
Hardwear.io NL 2021 - Tristan Claverie, José Lopes Esteves - BlueMirror: Defeating Authentication In Bluetooth Protocols Video

<a name="bluetooth_security_tools"></a>Bluetooth Security Tools

Linux Utilities & Tools

BlueZ (l2ping, gatttool, hciconfig, hcidump, hcitool, sdptool, bccmd, bluetoothctl, etc.) Link

Scanners & Sniffers

BTLEmap Github
Sniffle Github
Bettercap Github
sparrow-wifi Github
bluelog Github
btsniffer Github
Blue Hydra Github
btlesniffer Github
btscanner Link
BT Audit Link
redfang Gitlab
bleah (deprecated, replaced by Bettercap) Github

Exploit Tools

Btlejack Github
crackle Github
btcrack Github
BLE-Replay Github
BLESuite-CLI Github
BlueMaho Gitlab
BlueDiving Sourceforge
Blooover Link
l2ping (BlueSmack DoS) Link
hidattacl Link

OBEX Attack Tools

obexstress Download
bluesnarfer Gitlab
nOBEX Github

Fuzzing

Toothpicker Github
bss (unsupported) Github
Defensics (Commercial) Link

Firmware Analysis

InternalBlue Github
Frankenstein Github
Nexmon Github

Man-in-the-middle & Packet Injection

BtleJuice Github
Gattacker Github
BTLE (for SDRs) Github
(Unsupported) Btproxy Github

Device Spoofing

Spooftooph Gitlab
Bluefog Github

Ping & Signal Strength Tools

blue_sonar Github
BlueRanger Gitlab

Denial of Service

Blue Deauth Github

Honeypot

bluepot Github

Android Apps

nRF Connect for Mobile Google Play

Hardware

Nordic Semiconductor nRF-51 Development Kit Link
Sena UD-100 (~$39) Link
Ubertooth One (~$120) Link
Ellisys Bluetooth Tools Link
Frontline Bluetooth Tools Link

Other

Wireshark: Protocol analyzer and packet capture Link
Frontline Wireless Protocol Suite (Windows only) Link
Uberducky (BLE-triggered rubber ducky) Github
CarWhisperer: Bluetooth sniffer for in-vehicle connections Link
BLEBoy: BLE testing platform Github

<a name="primary_references"></a>Primary Reference Materials

Bluetooth Core Specifications Link

NIST Special Publication (SP) 800-121 revision 2 Link

<a name="useful_sites"></a>Useful Sites

List of Bluetooth bugs Link
Bluetooth arsenal tool list Github
trifinite Bluetooth info Link
Mike Ryan's Bluetooth info Link
Colin Mulliner's Bluetooth info Link
BlackArch Linux tool list Link
Bluetooth pen test framework Link