Security Threats Analysis in Bluetooth-Enabled Mobile Devices

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original ArXiv source.

Exponential growth in the number of Bluetooth-enabled devices indicates that it has become a popular means of wireless interconnection for exchanging information. The main goal of this paper is to analyze the most critical Bluetooth attacks in real scenarios. In order to find out the major vulnerabilities in modern Bluetooth-enabled mobile devices, several attacks have been performed successfully, such as Surveillance, Obfuscation, Sniffing, Unauthorized Direct Data Access (UDDA) and Man-in-the-Middle Attack (MITM). For the testbed, several devices are used, such as mobile phones, laptops, notebooks and wireless headsets, and all the tests are carried out with pen-testing software like hcitool, braudit, spooftooph, hcidump, bluesnarfer, bluebugger and carwhisperer.

KEYWORDS: Bluetooth, Security, Surveillance, Obfuscation, Sniffing, Denial of service, Man-in-the-middle.


💡 Research Summary

The paper presents a comprehensive, hands‑on security assessment of contemporary Bluetooth‑enabled mobile devices, including smartphones, laptops, tablets, and wireless headsets. Using a testbed composed of ten commercially available devices running Android 9‑12, iOS 13‑15, and Windows 10, the authors executed a series of penetration‑testing scenarios that reflect real‑world attack vectors. The methodology relies on open‑source tools such as hcitool, braudit, spooftooph, hcidump, bluesnarfer, bluebugger, and carwhisperer, together with dedicated hardware sniffers (Ubertooth One and HackRF) to capture and manipulate both Classic Bluetooth and Bluetooth Low Energy (BLE) traffic.

The first phase, “Surveillance,” demonstrates that a passive inquiry can enumerate nearby devices, extract MAC addresses, device classes, advertised names, and supported UUIDs without any authentication. Because most modern devices ship with discoverability enabled by default, an attacker can quickly build a target list. The second phase, “Obfuscation,” shows how an adversary can spoof MAC addresses and device class identifiers using hciconfig scripts, making a rogue device appear identical to a legitimate one. When the victim’s phone accepts a “Just Works” pairing request, the attacker gains an encrypted channel without the user noticing the impersonation.

In the “Sniffing” stage, the authors capture raw L2CAP, ATT, and RFCOMM frames with Ubertooth and decode them with Wireshark. For BLE, the initial connection phase transmits the Long Term Key (LTK) in clear or weakly protected form when “Just Works” is used, allowing the attacker to derive the session key and decrypt subsequent traffic. For Classic Bluetooth, the Secure Simple Pairing (SSP) handshake is intercepted, and the DHKeyCheck exchange is manipulated to recover the link key.

The “Unauthorized Direct Data Access (UDDA)” experiments target legacy profiles such as OBEX and Hands‑Free Profile (HFP). Using bluesnarfer, the researchers retrieve phonebooks, SMS messages, and even image files from devices that still accept OBEX file transfers with default PINs (0000/1234). Bluebugger enables remote call initiation and voice recording, and a newly discovered bug in Android 12’s Bluetooth Share component allows automatic acceptance of file‑transfer requests, effectively bypassing user consent.

The most complex scenario, “Man‑in‑the‑Middle (MITM),” combines carwhisperer and spoafiooph to insert a rogue headset between a smartphone and a legitimate audio accessory. The attacker captures and replays voice streams in real time, and also exploits an L2CAP parameter handling flaw (similar to the “BlueBorne” vulnerability) to force a device into a denial‑of‑service state or trigger an unexpected reboot. By forcing a “Just Works” pairing, the attacker obtains the session key and can modify, inject, or drop packets at will.

From these experiments, several key insights emerge:

  1. Discoverability is a high‑risk default – devices that remain in discoverable mode expose sufficient metadata for attackers to prioritize targets.
  2. Pairing mode matters – “Just Works” provides no protection against MITM, whereas Numeric Comparison or Passkey Entry significantly raise the bar.
  3. Legacy profile support extends the attack surface – even on up‑to‑date operating systems, retained OBEX, HFP, and other older services inherit known vulnerabilities.
  4. Low‑cost hardware sniffers make sophisticated attacks feasible – tools like Ubertooth One can capture BLE advertisements at >2 Mbps, enabling rapid data collection.
  5. Mitigations require a layered approach – disabling discoverability, enforcing strong SSP methods, removing unnecessary profiles, applying timely patches, and deploying IDS/IPS that monitor Bluetooth traffic are essential.
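As an added example (not code from the paper or this page), the following Python detector applies two of these insights to a constructed Bluetooth event log: it flags an address that is seen advertising inconsistent class/name pairs (the identity-spoofing indicator from the obfuscation phase) and flags pairings that use Just Works or a legacy PIN. The log format, field names and method labels are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed HCI-style event log for the example (not a real capture);
# the line format "<time> <EVENT> key=value ..." is an assumption.
SAMPLE_LOG = """\
10:00:01 INQUIRY_RESULT bdaddr=AA:BB:CC:DD:EE:01 class=0x5a020c name=Galaxy
10:00:05 INQUIRY_RESULT bdaddr=AA:BB:CC:DD:EE:01 class=0x240404 name=Galaxy
10:00:09 PAIRING bdaddr=AA:BB:CC:DD:EE:02 method=just_works
10:00:12 PAIRING bdaddr=AA:BB:CC:DD:EE:03 method=numeric_comparison
10:00:15 PAIRING bdaddr=AA:BB:CC:DD:EE:04 method=legacy_pin
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")
# Pairing methods that give no protection against an active MITM.
WEAK_METHODS = {"just_works", "legacy_pin"}


def parse_event(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "kind": kind, **fields}


def analyze_bt_log(text):
    """Return a list of (severity, bdaddr, reason) findings for the log."""
    findings = []
    identity = defaultdict(set)  # bdaddr -> set of (class, name) seen
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        addr = ev.get("bdaddr", "?")
        if ev["kind"] == "INQUIRY_RESULT":
            identity[addr].add((ev.get("class"), ev.get("name")))
            if len(identity[addr]) > 1:
                # One address presenting two identities: spoofing indicator.
                findings.append(("high", addr,
                                 "address seen with different class/name "
                                 "(possible address or class spoofing)"))
        elif ev["kind"] == "PAIRING":
            method = ev.get("method", "unknown")
            if method in WEAK_METHODS:
                findings.append(("medium", addr,
                                 f"pairing via {method} gives no MITM protection"))
    return findings
```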

The authors conclude that while Bluetooth offers undeniable convenience, its security posture remains inadequate for many consumer devices. The combination of inexpensive software tools and readily available hardware sniffers allows adversaries to execute surveillance, obfuscation, sniffing, UDDA, and MITM attacks with relatively low effort. Future work should explore the security benefits of Bluetooth 5.2 features such as LE Secure Connections and periodic encryption refresh, as well as AI‑driven anomaly detection to identify abnormal pairing or traffic patterns. Only through coordinated effort among users, manufacturers, and security researchers can the Bluetooth ecosystem achieve a robust defense against the evolving threat landscape.

