Bluetooth and IoT Wireless Attacks
#Overview
Short-range wireless protocols — Bluetooth Classic, Bluetooth Low Energy (BLE), Zigbee, Z-Wave, and sub-GHz RF — connect billions of IoT devices but often prioritize convenience over security. These protocols frequently ship with weak pairing, no authentication, unencrypted communication, or default credentials. Pentesters can exploit these weaknesses for credential theft, device control, and lateral movement into wired networks.
This section covers attacks against Bluetooth and IoT wireless protocols. For WiFi-specific attacks, see WiFi Attacks. For network segmentation bypass after gaining IoT device access, see Network Segmentation.
#Attack Decision Tree
Short-Range Wireless Target?
|
|-- Bluetooth Classic (BR/EDR)
| |-- Device discovery --> bluelog, btscanner
| |-- Pairing exploit --> [Bluetooth Attacks](bluetooth-attacks.md)
| |-- PIN cracking (legacy pairing only, pre-SSP) --> BTCrack on a captured pairing exchange
| |-- Snarfing/bugging --> Bluesnarfing, Bluebugging
|
|-- Bluetooth Low Energy (BLE)
| |-- GATT enumeration --> gatttool, bettercap
| |-- Advertising spoof --> [Bluetooth Attacks](bluetooth-attacks.md)
| |-- Write characteristics without auth --> Direct device control
|
|-- Zigbee (IEEE 802.15.4)
| |-- Network discovery --> KillerBee
| |-- Key extraction --> [Zigbee/Z-Wave Attacks](zigbee-zwave-attacks.md)
| |-- Replay attacks --> Packet capture + retransmit
|
|-- Z-Wave
| |-- Downgrade attack --> Force S0 (legacy) inclusion instead of S2
| |-- Packet injection --> [Zigbee/Z-Wave Attacks](zigbee-zwave-attacks.md)
|
|-- Sub-GHz RF (433/868/915 MHz)
|-- Signal capture --> [SDR Wireless Attacks](sdr-wireless-attacks.md)
|-- Replay attack --> RTL-SDR / HackRF / Flipper Zero
|-- Key fob cloning --> RollJam, capture-replay
#Technique Files
| File | Covers | Complexity |
|---|---|---|
| Bluetooth Attacks | BR/EDR discovery, BLE enumeration, GATT exploitation, Bluesnarfing, Ubertooth | Medium |
| Zigbee/Z-Wave Attacks | KillerBee framework, replay attacks, key extraction, Z-Wave downgrade | Medium-High |
| SDR Wireless Attacks | RTL-SDR/HackRF setup, sub-GHz capture/replay, Flipper Zero, YardStick One | Medium |
#General Workflow
#1. Device Discovery
```bash
# Bluetooth Classic discovery (hcitool is deprecated in BlueZ 5; bluetoothctl is the supported replacement,
# but hcitool still works on most pentest distributions)
sudo hcitool scan
sudo hcitool inq
# BLE discovery (lescan prints advertising addresses and names; bluelog logs them with timestamps)
sudo hcitool lescan
bluelog -i hci0
# Zigbee discovery (KillerBee; needs a KillerBee-supported 802.15.4 radio such as an ApiMote or
# RZUSBstick flashed with KillerBee firmware). -c fixes the channel; 11-26 are the 2.4 GHz channels.
sudo zbstumbler -c 11
# Sub-GHz survey (RTL-SDR): 433.5-434.5 MHz in 1 kHz bins, 10 s integration per row, exit after 60 s
rtl_power -f 433500000:434500000:1000 -g 40 -i 10 -e 60 survey.csv
```
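What `hcitool lescan`, bluelog and bettercap print for a BLE target is a decoded view of the 31-byte advertising payload. When triaging a scan it helps to decode the raw bytes yourself, for example from a `btmon` or `hcidump --raw` capture, because the flags, advertised services and manufacturer data tell you whether the device is connectable and which GATT services to enumerate first. The parser below is an added example and is not from the original page or from any of the tools it names; the `SmartLock` advertisement it decodes is constructed for the example.

```python
"""Decode a BLE advertising payload (AdvData / ScanRspData) into its AD structures.

Added example, not from the original page. The sample bytes are a constructed
advertisement for a hypothetical "SmartLock" peripheral.
"""
from __future__ import annotations

import struct
import uuid

# AD types from the Bluetooth SIG Assigned Numbers (Generic Access Profile section).
AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE = 0x02
AD_UUID16_COMPLETE = 0x03
AD_UUID128_COMPLETE = 0x07
AD_NAME_SHORT = 0x08
AD_NAME_COMPLETE = 0x09
AD_TX_POWER = 0x0A
AD_MANUFACTURER = 0xFF

# Bit meanings of the Flags AD type.
FLAG_BITS = {
    0x01: "LE Limited Discoverable",
    0x02: "LE General Discoverable",
    0x04: "BR/EDR Not Supported",
    0x08: "Simultaneous LE+BR/EDR (Controller)",
    0x10: "Simultaneous LE+BR/EDR (Host)",
}


def split_ad_structures(adv: bytes) -> list[tuple[int, bytes]]:
    """Split AdvData into (ad_type, data) pairs.

    Each AD structure is [length][type][data...]; length counts the type byte
    but not itself. A zero length byte is padding and ends the scan. A length
    that overruns the buffer is malformed and raises: hostile or fuzzed
    advertisers produce exactly this, and a scanner must not read past the end.
    """
    structures: list[tuple[int, bytes]] = []
    offset = 0
    while offset < len(adv):
        length = adv[offset]
        if length == 0:
            break
        end = offset + 1 + length
        if end > len(adv):
            raise ValueError(f"AD structure at offset {offset} overruns payload")
        structures.append((adv[offset + 1], bytes(adv[offset + 2:end])))
        offset = end
    return structures


def decode_advertisement(adv: bytes) -> dict:
    """Return the fields worth looking at when triaging a scan result."""
    info = {"flags": [], "name": None, "services": [], "manufacturer_id": None,
            "manufacturer_data": b"", "tx_power_dbm": None, "unhandled_types": []}
    for ad_type, data in split_ad_structures(adv):
        if ad_type == AD_FLAGS and data:
            info["flags"] = [name for bit, name in FLAG_BITS.items() if data[0] & bit]
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            # 16-bit UUIDs are little-endian on the air; drop a trailing odd byte.
            even = data[:len(data) // 2 * 2]
            info["services"] += [f"0x{u:04X}" for (u,) in struct.iter_unpack("<H", even)]
        elif ad_type == AD_UUID128_COMPLETE:
            for i in range(0, len(data) - 15, 16):
                info["services"].append(str(uuid.UUID(bytes=bytes(reversed(data[i:i + 16])))))
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_TX_POWER and data:
            info["tx_power_dbm"] = struct.unpack("<b", data[:1])[0]
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            # First two bytes are the SIG company identifier (little-endian).
            info["manufacturer_id"] = struct.unpack_from("<H", data)[0]
            info["manufacturer_data"] = data[2:]
        else:
            info["unhandled_types"].append(ad_type)
    return info


# Constructed sample: Flags 0x06, Battery Service (0x180F), name "SmartLock",
# manufacturer-specific data for company ID 0x0059 (Nordic Semiconductor).
SAMPLE_ADV = bytes.fromhex(
    "020106"                  # Flags: LE General Discoverable | BR/EDR Not Supported
    "03030F18"                # Complete list of 16-bit service UUIDs: 0x180F
    "0A09536D6172744C6F636B"  # Complete local name: "SmartLock"
    "05FF5900AABB"            # Manufacturer data: company 0x0059, payload AA BB
)

if __name__ == "__main__":
    for key, value in decode_advertisement(SAMPLE_ADV).items():
        print(f"{key:18} {value}")
```

A device that sets `LE General Discoverable` and advertises vendor services is the usual starting point for GATT enumeration; note that a name or service list can be spoofed by anyone with a BLE radio, so it is a fingerprint, not an identity.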
#2. Protocol Identification
| Observed Characteristic | Protocol | Frequency |
|---|---|---|
| 2.4 GHz, inquiry scans | Bluetooth Classic | 2.4 GHz ISM |
| 2.4 GHz, advertising packets | BLE | 2.4 GHz ISM |
| 2.4 GHz, 802.15.4 frames | Zigbee | 2.4 GHz (or sub-GHz) |
| 868.4 MHz (EU) / 908.4 MHz (US), Z-Wave frames | Z-Wave | Regional sub-GHz ISM |
| 315/433/868/915 MHz OOK/FSK | Sub-GHz RF (key fobs, garage doors) | Regional ISM |
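"802.15.4 frames" in the table above covers more than Zigbee (Thread and other stacks share the PHY/MAC), so the practical check is to parse the MAC header, confirm a Zigbee NWK header follows, and read the NWK frame control bits: protocol version 2 means Zigbee 2006 or later (including PRO), and the security bit tells you whether the payload is plaintext or carries an auxiliary security header (frame counter, sender address, key sequence) followed by ciphertext and a MIC. The classifier below is an added example, not from the page or the KillerBee project. Both sample frames are constructed by hand with the 2-byte FCS already stripped (as zbdump/Wireshark present frames after checksum verification), and the MIC split assumes security level 5 (ENC-MIC-32), the Zigbee default; the level is not recoverable from the frame itself.

```python
"""Classify a captured IEEE 802.15.4 frame and report whether its Zigbee NWK
layer is secured. Added example, not from the page or from KillerBee; the
sample frames are constructed by hand with the 2-byte FCS already stripped.
"""
from __future__ import annotations

import struct

MAC_FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # address mode -> bytes (mode 1 is reserved)
NWK_FRAME_TYPES = {0: "data", 1: "nwk-command", 3: "inter-pan"}
MIC_LEN = 4  # assumption: security level 5 (ENC-MIC-32), the Zigbee default


def parse_mac_header(frame: bytes) -> tuple[dict, int]:
    """Parse the 802.15.4 MAC header; return (fields, offset of the MAC payload)."""
    fcf, seq = struct.unpack_from("<HB", frame)
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if 1 in (dst_mode, src_mode):
        raise ValueError("reserved 802.15.4 address mode")
    mac = {"mac_frame_type": MAC_FRAME_TYPES[fcf & 7], "mac_security": bool(fcf & 0x08),
           "ack_request": bool(fcf & 0x20), "mac_seq": seq,
           "dst_pan": None, "dst_addr": None, "src_pan": None, "src_addr": None}
    off = 3
    if dst_mode:
        mac["dst_pan"] = struct.unpack_from("<H", frame, off)[0]
        off += 2
        mac["dst_addr"] = int.from_bytes(frame[off:off + ADDR_LEN[dst_mode]], "little")
        off += ADDR_LEN[dst_mode]
    if src_mode:
        if fcf & 0x40:  # PAN ID compression: source PAN is the destination PAN
            mac["src_pan"] = mac["dst_pan"]
        else:
            mac["src_pan"] = struct.unpack_from("<H", frame, off)[0]
            off += 2
        mac["src_addr"] = int.from_bytes(frame[off:off + ADDR_LEN[src_mode]], "little")
        off += ADDR_LEN[src_mode]
    return mac, off


def parse_nwk(payload: bytes) -> dict:
    """Parse a Zigbee NWK header and, when present, the auxiliary security header."""
    fcf, dst, src, radius, seq = struct.unpack_from("<HHHBB", payload)
    nwk = {"nwk_frame_type": NWK_FRAME_TYPES.get(fcf & 3, "reserved"),
           "nwk_protocol_version": (fcf >> 2) & 0xF, "nwk_security": bool(fcf & 0x200),
           "nwk_dst": dst, "nwk_src": src, "radius": radius, "nwk_seq": seq}
    off = 8
    off += 8 if fcf & 0x800 else 0   # destination IEEE address present
    off += 8 if fcf & 0x1000 else 0  # source IEEE address present
    off += 1 if fcf & 0x100 else 0   # multicast control byte
    if fcf & 0x400:                  # source route subframe: count, index, relay list
        off += 2 + 2 * payload[off]
    if not nwk["nwk_security"]:
        nwk["plaintext_payload"] = payload[off:]  # readable by any sniffer on the channel
        return nwk
    ctrl = payload[off]
    nwk["frame_counter"] = struct.unpack_from("<I", payload, off + 1)[0]  # replay protection
    nwk["key_id_mode"] = (ctrl >> 3) & 3  # 0 link key, 1 network key, 2/3 key-transport/key-load
    off += 5
    if ctrl & 0x20:  # extended nonce: the sender's 64-bit IEEE address follows
        nwk["sender_ieee"] = int.from_bytes(payload[off:off + 8], "little")
        off += 8
    if nwk["key_id_mode"] == 1:  # network key: one-byte key sequence number
        nwk["key_seq"] = payload[off]
        off += 1
    nwk["encrypted_payload"], nwk["mic"] = payload[off:-MIC_LEN], payload[-MIC_LEN:]
    return nwk


def classify_frame(frame: bytes) -> dict:
    """Combine the MAC and NWK views; non-data MAC frames carry no NWK header."""
    mac, off = parse_mac_header(frame)
    if mac["mac_frame_type"] != "data":
        return mac
    nwk = parse_nwk(frame[off:])
    v = nwk["nwk_protocol_version"]
    proto = "Zigbee" if v == 2 else f"802.15.4 data, NWK version {v} (not Zigbee 2006+)"
    return {**mac, **nwk, "protocol": proto}


# Constructed: coordinator 0x0000 in PAN 0x1A62 broadcasting to routers (0xFFFC).
SECURED_FRAME = bytes.fromhex(
    "61882A621AFFFF0000"            # MAC: data, ack-req, PAN compressed, dst FFFF, src 0000
    "0802FCFF00001E77"              # NWK: data, version 2, security=1, dst FFFC, radius 30
    "2810000000EFCDAB896745230100"  # aux hdr: network key + ext nonce, counter 0x10, IEEE, keyseq 0
    "DEADBEEF1234" "A1B2C3D4"       # ciphertext, then the 32-bit MIC
)
UNSECURED_FRAME = bytes.fromhex("61882B621AFFFF0000" "0800FCFF00001E78" "0A0B0C")

if __name__ == "__main__":
    for f in (SECURED_FRAME, UNSECURED_FRAME):
        r = classify_frame(f)
        print(r["protocol"], "secured" if r["nwk_security"] else "PLAINTEXT", r)
```

A network with `nwk_security` False on data frames is readable and injectable by anyone with a sniffer; on a secured network the fields to record are the frame counter (a device that resets it to zero after a power cycle is a replay candidate) and the key sequence number, which tells you which network key a later key-extraction step needs to recover.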
#3. Attack Selection
Choose the technique based on the protocol and the engagement scope. Bluetooth attacks are typically low-noise and device-specific; sub-GHz and SDR replay attacks can actuate physical systems (locks, garage doors, vehicles, alarms) and transmitting on these bands is regulated, so confirm explicit written authorization for active RF work before replaying or injecting anything.
#4. Post-Exploitation
After compromising a Bluetooth/IoT device:
- Extract stored credentials (WiFi keys, API tokens, cloud credentials)
- Pivot to the wired network through the device
- Enumerate other devices the target communicates with
- Document all findings for the report
#Cross-References
- WiFi Attacks -- For WiFi-specific exploitation
- Network Segmentation -- For bypassing VLANs/NAC after IoT device compromise
- 01 - Pre-Foothold -- Passive wireless survey methodology