offensive-bluetooth-ble

Bluetooth Low Energy (BLE) Attacks

BLE devices communicate via GATT — a hierarchy of services, characteristics, and descriptors. Many devices treat the BLE link itself as the trust boundary, exposing privileged operations on characteristics readable/writable from any nearby device.

Quick Workflow

  1. Discover and enumerate the device's GATT tree
  2. Test every characteristic for read/write/notify without authentication
  3. Inspect pairing method — Just Works = no MITM protection
  4. If Just Works, MITM the pairing to capture / inject
  5. Reverse the companion app for proprietary command formats
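
The same points seen from the device owner's side, as an added example that is not part of the original skill: it reviews a GATT permission table and flags privileged characteristics whose required security level can be met without authenticated pairing. The sample table, the custom UUIDs, the characteristic names and the `privileged` field are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# LE security mode 1: 1 = no security, 2 = encryption with an unauthenticated
# key, 3 = encryption with an authenticated (MITM-protected) key.
LEVEL = {"open": 1, "encrypted": 2, "authenticated": 3}
# Highest level each pairing method can reach; Just Works keys are unauthenticated.
PAIRING_MAX = {"none": 1, "just_works": 2, "passkey": 3,
               "numeric_comparison": 3, "oob": 3}

@dataclass(frozen=True)
class Characteristic:
    name: str
    uuid: str
    properties: frozenset   # subset of {"read", "write", "notify"}
    required: str           # key of LEVEL
    privileged: bool        # reviewer's judgement (hypothetical field)

def audit(table, pairing):
    """Return (name, properties, finding) for each privileged characteristic at risk."""
    reachable = PAIRING_MAX[pairing]
    findings = []
    for ch in table:
        if not ch.privileged:
            continue
        need = LEVEL[ch.required]
        props = ",".join(sorted(ch.properties))
        if need == 1:
            findings.append((ch.name, props, "open to any nearby device"))
        elif need == 2:
            findings.append((ch.name, props, "encrypted but no MITM protection"))
        elif need > reachable:
            findings.append((ch.name, props, "requires authentication the pairing method cannot provide"))
    return findings

# Constructed sample table; the 128-bit UUIDs and privileged names are made up.
SAMPLE = [
    Characteristic("Device Name", "2A00", frozenset({"read"}), "open", False),
    Characteristic("Battery Level", "2A19", frozenset({"read", "notify"}), "open", False),
    Characteristic("Unlock Command", "12345678-0000-4000-8000-000000000001",
                   frozenset({"write"}), "open", True),
    Characteristic("Firmware Control", "12345678-0000-4000-8000-000000000002",
                   frozenset({"write", "notify"}), "encrypted", True),
    Characteristic("Device Config", "12345678-0000-4000-8000-000000000003",
                   frozenset({"read", "write"}), "authenticated", True),
]

if __name__ == "__main__":
    for name, props, finding in audit(SAMPLE, "just_works"):
        print(f"{name:18} [{props}] {finding}")
```
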

Discovery + GATT Enumeration

# bettercap (interactive)
sudo bettercap -eval "ble.recon on; events.show 60; ble.show"

First Seen: May 8, 2026
offensive-bluetooth-ble — snailsploit/claude-red