This list links to useful references for anyone working with Bluetooth BR/EDR/LE or Mesh security.
Submit a PR if something is missing!
- Add list of useful research papers and whitepapers
- Add list of useful articles
- Add list of useful books
- Notable Vulnerabilities
- Conference Talks
- Bluetooth Security Tools
- Primary Reference Materials
- Useful Sites
| Vulnerability name | Conference & Year published | Vulnerability website URL | Paper URL | Video URL | SIG Notice | Technology Impacted | Related CVE |
|---|---|---|---|---|---|---|---|
| BlueBorne | Black Hat Europe 2017 | Site | Paper | Video | No Notice | BR/EDR | CVE-2017-8628, CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-14315, CVE-2017-1000250, CVE-2017-1000251, CVE-2017-14315, CVE-2017-1000410 |
| Bleedingbit | 2018 | Site | Paper | Video | No Notice | LE | CVE-2018-7080, CVE-2018-16986 |
| Fixed Coordinate Invalid Curve Attack | 2018 | Site | Paper | Video | SIG Notice | BR/EDR/LE | CVE-2018-5383 |
| SweynTooth | 2019 | Site | Paper | Video | No Notice | LE | CVE-2019-16336, CVE-2019-17060, CVE-2019-17061, CVE-2019-17517, CVE-2019-17518, CVE-2019-17519, CVE-2019-17520, CVE-2019-19192, CVE-2019-19193, CVE-2019-19194, CVE-2019-19195, CVE-2019-19196, CVE-2020-10061, CVE-2020-10069, CVE-2020-13593, CVE-2020-13594, CVE-2020-13595 |
| KNOB | USENIX 2019 | Site | Paper | Video | SIG Notice | BR/EDR | CVE-2019-9506 |
| BIAS | IEEE S&P 2020 | Site | Paper | Video | SIG Notice | BR/EDR | CVE-2020-10135 |
| Pairing Method Confusion | 2020 | Site | Paper | No Video | SIG Notice | BR/EDR/LE | CVE-2020-10134 |
| BlueFrag | 2020 | Article | No Paper | No Video | No Notice | Android | CVE-2020-0022 |
| Spectra | Black Hat USA 2020 | Abstract | TBD | Video | No Notice | WiFi+BT modules | CVE-2019-15063, CVE-2020-10367, CVE-2020-10368, CVE-2020-10369, CVE-2020-10370 |
| BLURtooth | 2020 | Site | Paper | Video | SIG Notice | BR/EDR+LE | CVE-2020-15802, CVE-2022-20361 |
| BLESA | WOOT 2020 | Site | Paper | Video | No Notice | LE | CVE-2020-9770 |
| BleedingTooth | 2020 | Site | Writeup | Video | No Notice | Linux | CVE-2020-12351, CVE-2020-12352, CVE-2020-24490 |
| BlueMirror | WOOT 2021 | Site | Paper | Video | Multiple SIG Notices | BR/EDR/LE/Mesh | CVE-2020-26555, CVE-2020-26556, CVE-2020-26557, CVE-2020-26558, CVE-2020-26559, CVE-2020-26560 |
| InjectaBLE | IEEE DSN 2021 | Site | Paper | No Video | SIG Notice | LE | CVE-2021-31615 |
| BrakTooth | 2021 | Site | Paper | Video | No Notice | BR/EDR | CVE-2021-28135, CVE-2021-28136, CVE-2021-28139, CVE-2021-28155, CVE-2021-31717, CVE-2021-31609, CVE-2021-31611, CVE-2021-31612, CVE-2021-31613, CVE-2021-31785, CVE-2021-31786, CVE-2021-31610, CVE-2021-34143, CVE-2021-34144, CVE-2021-34145, CVE-2021-34146, CVE-2021-34147, CVE-2021-34148, CVE-2021-34149, CVE-2021-34150 |
| Pairing Mode Confusion | 2022 | No Site | No Paper | No Video | SIG Notice | LE | CVE-2022-25836 |
| Pairing Mode Confusion | 2022 | No Site | No Paper | No Video | SIG Notice | BR/EDR | CVE-2022-25837 |
| BLUFFS | 2023 | Site | Paper | No Video | SIG Notice | BR/EDR | CVE-2023-24023 |
- DEF CON 11 - Bruce Potter - Bluetooth - The Future of Wardriving Video
- 21C3 - Marcel Holtmann, Martin Herfurt, Adam Laurie - Bluetooth Hacking Video
- Black Hat USA 2004 - Adam Laurie, Martin Herfurt - BlueSnarfing The Risk From Digital Pickpockets Video
- 22C3 - Marcel Holtmann, Martin Herfurt, Adam Laurie - Bluetooth Hacking - The State of The Art Video
- 23C3 - Thierry Zoller, Kevin Finistere - Bluetooth Hacking Revisited Video
- Black Hat USA 2006 - Bruce Potter - Bluetooth Defense Kit Black Hat Video
- DeepSec 2007 - Marcel Holtmann - New Security Model of Bluetooth 2.1 Video
- DEF CON 17 - Dominic Spill, Michael Ossmann, and Mark Steward - Bluetooth Smells like Chicken Video
- Shmoocon 2009 - Bluetooth-Ossman.m4v Video
- Shmoocon 2010 - Michael Ossmann - Bluetooth Keyboards: Who Owns Your Keystrokes? Video
- DEF CON 18: Breaking Bluetooth by Being Bored 1/3 Video
- ShmooCon 2011 - Project Ubertooth: Building a Better Bluetooth Adapter Video
- DeepSec 2011 - Tommi Makila & Jukka Taimisto: Intelligent Bluetooth Fuzzing - Why bother? Video
- Ruxcon 2012 - Dominic Spill - Bluetooth Packet Sniffing Using Project Ubertooth Video
- Toorcon 2012 - Hacking Bluetooth Low Energy: I Am Jack's Heart Monitor Video
- DEF CON 20 - Passive Bluetooth Monitoring in Scapy Video
- USENIX WOOT 2013 - Mike Ryan - Bluetooth: With Low Energy Comes Low Security Video
- ShmooCon 9 - How Smart Is Bluetooth Smart? Video
- Black Hat USA 2013 - Bluetooth Smart: The Good, the Bad, the Ugly, and the Fix! Video
- DeepSec 2013 - Veronica Valeros & Sebastian Garcia: Uncovering your Trails - Privacy Issues of Bluetooth Devices Video
- CanSecWest 2014 - Outsmarting Bluetooth Smart Video
- DEF CON 22 - The NSA Playset Bluetooth Smart Attack Tools Video
- DEF CON 22 - Grant Bugher - Detecting Bluetooth Surveillance Systems Video
- DEF CON 23 - Mike Ryan and Richo Healey - Hacking Electric Skateboards Video
- DEF CON 24 - Anthony Rose, Ben Ramsey - Picking Bluetooth Low Energy Locks a Quarter Mile Away Video
- DEF CON 24 - Realtime Bluetooth Device Detection with Blue Hydra Video
- DEF CON 24 Internet of Things Village Damien Cauquil Btlejuice The Bluetooth Smart Mitm Framework Video
- Black Hat USA 2016 - Gattacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool Video
- Hack.lu 2016 - Damiel Cauquil - BtleJuice: the Bluetooth Smart Man In The Middle Framework Video
- EMF16 - Michael Ossmann - My Ubertooth Year Video
- Black Hat Europe 2017 - Ben Seri, Gregory Vishnepolsky - BlueBorne - A New Class of Airborne Attacks Video
- DEF CON 26 - Damien Cauquil - You had better secure your BLE devices Video
- 35C3 - Dennis Mantz and Jiska Classen - Dissecting Broadcom Bluetooth Video
- MRMCD2018 - Dennis Mantz and Jiska Classen - A Deep Dive into Bluetooth Controller Firmware Video
- Black Hat Europe 2018 - Ben Seri, Dor Zusman - BLEEDINGBIT Your APs Belong to Us Video
- DEF CON 27 - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG for Fun and Jamming Video
- USENIX Security '19 - Pallavi Sivakumaran - A Study of the Feasibility of Co-located App Attacks against BLE Video
- RSA 2019 - Mike Ryan - Bluetooth Reverse Engineering: Tools and Techniques Video
- Hardwear.io USA 2019 - Mike Ryan - Bluetooth Hacking: Tools And Techniques Video
- Hardwear.io Netherlands 2019 - Sultan Qasim Khan - Sniffle: A low-cost sniffer for Bluetooth 5 Video
- MRMCD2019 - Dennis Mantz and Jiska Classen - Playing with Bluetooth Video
- BruCON 0x0B - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG for fun and jamming Video
- Hack.LU 2019 - Damien Cauquil - Defeating Bluetooth Low Energy 5 PRNG For Fun And Jamming Video
- CyberCamp19 - Pablo González - Audit and hacking to Bluetooth Low-Energy (BLE) devices Video
- Hardwear.io Virtual Con 2020 - Daniele Antonioli - From Bluetooth Standard to Standard Compliant 0-days Video
- DEF CON 28 - Jiska Classen and Francesco Gringoli - Spectra — New Wireless Escalation Targets Video
- DEF CON 28 - Maxine Filcher - The Basics Of Breaking BLE v3 Video
- USENIX WOOT 2020 - Jianliang Wu - BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy Video
- USENIX WOOT 2020 - Dennis Heinze, Jiska Classen, Matthias Hollick - ToothPicker: Apple Picking in the iOS Bluetooth Stack Video
- USENIX 2020 - Yue Zhang - Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks Video
- Black Hat Europe 2020 - Wang Yu - Please Make a Dentist Appointment ASAP: Attacking IOBluetoothFamily HCI and Vendor-Specific Commands Video
- Ekoparty 2020 - Cecilia Pastorino and Dan Borgogno - Bluetooth Low Energy Hacking 101 Video
- rC3 2020 - Jiska Classen - Exposure Notification Security Video
- CCC #DiVOC2020 - Jiska Classen - Finding Eastereggs in Broadcom's Bluetooth Random Number Generator Video
- CCC #DiVOC2020 - Jan Ruge - No PoC? No Fix! - A sad Story about Bluetooth Security Video
- WOOT2021 - Tristan Claverie, José Lopes Esteves - BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols Video
- Hardwear.io NL 2021 - Tristan Claverie, José Lopes Esteves - BlueMirror: Defeating Authentication In Bluetooth Protocols Video
- BlueZ (l2ping, gatttool, hciconfig, hcidump, hcitool, sdptool, bccmd, bluetoothctl, etc.) Link
- BTLEmap Github
- Sniffle Github
- Bettercap Github
- sparrow-wifi Github
- bluelog Github
- btsniffer Github
- Blue Hydra Github
- btlesniffer Github
- btscanner Link
- BT Audit Link
- redfang Gitlab
- bleah (deprecated, replaced by Bettercap) Github
- Btlejack Github
- crackle Github
- btcrack Github
- BLE-Replay Github
- BLESuite-CLI Github
- BlueMaho Gitlab
- BlueDiving Sourceforge
- Blooover Link
- l2ping (BlueSmack DoS) Link
- hidattacl Link
- Blue Deauth Github
- bluepot Github
- nRF Connect for Mobile Google Play
- Nordic Semiconductor nRF-51 Development Kit Link
- Sena UD-100 (~$39) Link
- Ubertooth One (~$120) Link
- Ellisys Bluetooth Tools Link
- Frontline Bluetooth Tools Link
- Wireshark: Protocol analyzer and packet capture Link
- Frontline Wireless Protocol Suite (Windows only) Link
- Uberducky (BLE-triggered rubber ducky) Github
- CarWhisperer: Bluetooth sniffer for in-vehicle connections Link
- BLEBoy: BLE testing platform Github
Bluetooth Core Specifications Link
NIST Special Publication (SP) 800-121 revision 2 Link
