sgxgsx
BlueToolkit
Jupyter Notebook

BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices. Could be used in the vulnerability research, penetration testing and bluetooth hacking. We also collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way

Last updated Jul 9, 2026
706
Stars
73
Forks
3
Issues
+2
Stars/day
Attention Score
88
Language breakdown
Jupyter Notebook 47.2%
Python 39.0%
Shell 13.6%
Ruby 0.2%
โ–ธ Files click to expand
README

BlueToolkit

Extensible Bluetooth vulnerability testing framework for BR/EDR and BLE.

Docs โ€ข Installation โ€ข Usage โ€ข Exploits โ€ข Hardware โ€ข TODOs โ€ข Automotive Evaluation โ€ข Bluetooth Resources โ€ข License


BlueToolkit is a modular, black-box Bluetooth security testing framework for Bluetooth Classic (BR/EDR) and Bluetooth Low Energy (BLE). It supports semi-automated testing and has three main modules:

  • Recon: gathers Bluetooth capabilities and security configuration.
  • Exploit: executes tests for (currently) 43 public exploits (MitM, RCE, DoS, etc.). The vulnerability templates are in the exploits folder. Support for more can be added by TODO.
  • Report: generates structured, machine- and human-readable JSON reports.

We evaluated BlueToolkit on 22 cars from different vendors (Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla) and uncovered 128 vulnerabilities.

In addition, we show how to Hijack online accounts via MAP for already established connections or with a MitM position.

This work led to a research paper accepted at WOOT 25': add missing link when we have it

Installation

BlueToolkit can be installed on bare metal Ubuntu/Debian systems (recommended) or using a Virtual Machine. In both cases the installer will prompt to install the specific modules for Braktooth and BluetoothAssistant, which require specific hardware devices to be available and plugged in. Standalone modules installation can also be done separately by running the installer again.

Normal Installation Installation:

git clone https://github.com/sgxgsx/BlueToolkit
  chmod +x ./BlueToolkit/install.sh
  sudo ./BlueToolkit/install.sh [-dev]

VM Installation Prerequisites: * Virtualbox https://www.virtualbox.org * vagrant https://developer.hashicorp.com/vagrant/install?product_intent=vagrant

git clone https://github.com/sgxgsx/BlueToolkit --recurse-submodules
  cd BlueToolkit/vagrant
  vagrant up

After Installation:

  • You need to allow the virtual machine to access the Bluetooth module or additional hardware through USB, which requires you to do the following:
  • USB support is already switched on, that's why open VirtualBox
  • Find a running virtual machine and click on "Show"
  • Click on "Devices" -> "USB"
  • You will be presented with multiple devices that you can switch on for the virtual machine
  • Tick any device that you need (Bluetooth module, hardware, phone) or tick all devices to be sure.

Usage

Run bluekit -h to display BlueToolkit usage information:

usage: bluekit [-h] [-t TARGET] [-l] [-c] [-ct] [-ch] [-v VERBOSITY] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-e EXPLOITS [EXPLOITS ...]] [-r] [-re] [-rej] [-hh HARDWARE [HARDWARE ...]] ...

positional arguments: rest

options: -h, --help show this help message and exit -t TARGET, --target TARGET target MAC address -l, --listexploits List exploits or not -c, --checksetup Check whether Braktooth is available and setup -ct, --checktarget Check connectivity and availability of the target -ch, --checkpoint Start from a checkpoint -v VERBOSITY, --verbosity VERBOSITY Verbosity level -ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...], --excludeexploits EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...] Exclude exploits, example --exclude exploit1, exploit2 -e EXPLOITS [EXPLOITS ...], --exploits EXPLOITS [EXPLOITS ...] Scan only for provided --exploits exploit1, exploit2; --exclude is not taken into account -r, --recon Run a recon script -re, --report Create a report for a target device -rej, --reportjson Create a report for a target device -hh HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...] Scan only for provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --exploit are not taken into account

Some usage examples are:

  • List all available exploits (no root required):
bluekit -l
  • Run recon:
sudo bluekit -t AA:BB:CC:DD:EE:FF -r
  • Test connectivity:
sudo bluekit -t AA:BB:CC:DD:EE:FF -ct
  • Test one or more exploits (space separated):
sudo bluekit -t AA:BB:CC:DD:EE:FF -e invalidmaxslot aurandflooding internalblue_knob

More documentation is available in our wiki

Hardware

Some attacks require specific hardware:

  • ESP-WROVER-KIT-VE for Braktooth vulnerabilities
  • Nexus5 phone for Internalblue. Could be replaced with a CYW20735 but two exploits won't work and it would need a new hardware profile.
  • CYW920819M2EVB-01 for BIAS, BLUR and BLUFFS attacks.

Available Bluetooth Vulnerabilities and Attacks

BlueToolkit automatically downloads all vulnerability and hardware templates. BlueToolkit templates repository provides a full list of ready-to-use templates. Additionally, you can write your own templates and checks as well as add new hardware by following BlueToolkit's templating guide The YAML reference syntax is available here

We collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way. We used the following sources - ACM, IEEE SP, Blackhat, DEFCON, Car Hacking Village, NDSS, and Google Scholars. Looked for the following keywords in Search Engines such as Google, Baidu, Yandex, Bing - Bluetooth security toolkit, Bluetooth exploits github, Bluetooth security framework, bluetooth pentesting toolkit. We also parsed all Github repositories based on the following parameters - topic:bluetooth topic:exploit, topic:bluetooth topic:security.

Currently BlueToolkit check the following vulnerabilities and attacks:

For manual attacks refer to the documentation.

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested | |----------------------------------------------| :---: | :---: | :---: | :---: | :---: | | Always pairable | Chaining | Chaining | Manual | | โœ“ | | Only vehicle can initiate a connection | Chaining | Chaining | Manual | | โœ“ | | Fast reboot | Chaining | Chaining | Manual | | โœ“ | | SC not supported | Chaining | Info | Automated | | โœ“ | | possible check for BLUR | Chaining | Info | Automated | | โœ“ | | My name is keyboard | Critical | RCE | Semi-automated | | โœ“ | | CVE-2017-0785 | Critical | Memory leak | Automated | | โœ“ | | CVE-2018-19860 | Critical | Memory execution | Automated | | โœ“ | | V13 Invalid Max Slot Type | DoS | DoS | Automated | โœ“ | โœ“ | | V3 Duplicated IOCAP | DoS | DoS | Automated | โœ“ | โœ“ | | NiNo check | MitM | MitM | Semi-automated | | โœ“ | | Legacy pairing used | MitM | MitM | Automated | | โœ“ | | KNOB | MitM | MiTM | Semi-automated | โœ“ | โœ“ | | CVE-2018-5383 | MitM | MiTM | Automated | โœ“ | โœ“ | | Method Confusion attack | MitM | MiTM | Automated | | โœ“ | | SSP supported <= 4.0 weak crypto or SSP at all | MitM | Info/MitM | Automated | | โœ“ | | CVE-2020-24490 | Critical | DoS | Automated | | โœ“ | | CVE-2017-1000250 | Critical | Info leak | Automated | | โœ“ | | CVE-2020-12351 | Critical | RCE/DoS | Automated | | โœ“ | | CVE-2017-1000251 | Critical | RCE/DoS | Automated | | โœ“ | | V1 Feature Pages Execution | Critical | RCE/DoS | Automated | โœ“ | โœ“ | | Unknown duplicated encapsulated payload | DoS | DoS | Automated | โœ“ | โœ“ | | V2 Truncated SCO Link Request | DoS | DoS | Automated | โœ“ | โœ“ | | V4 Feature Resp. Flooding | DoS | DoS | Automated | โœ“ | โœ“ | | V5 LMP Auto Rate Overflow | DoS | DoS | Automated | โœ“ | โœ“ | | V6 LMP 2-DH1 Overflow | DoS | DoS | Automated | โœ“ | โœ“ | | V7 LMP DM1 Overflow | DoS | DoS | Automated | โœ“ | โœ“ | | V8 Truncated LMP Accepted | DoS | DoS | Automated | โœ“ | โœ“ | | V9 Invalid Setup Complete | DoS | DoS | Automated | โœ“ | โœ“ | | V10 Host Conn. Flooding | DoS | DoS | Automated | โœ“ | โœ“ | | V11 Same Host Connection | DoS | DoS | Automated | โœ“ | โœ“ | | V12 AU Rand Flooding | DoS | DoS | Automated | โœ“ | โœ“ | | V14 Max Slot Length Overflow | DoS | DoS | Automated | โœ“ | โœ“ | | V15 Invalid Timing Accuracy | DoS | DoS | Automated | โœ“ | โœ“ | | V16 Paging Scan Deadlock | DoS | DoS | Automated | โœ“ | โœ“ | | Unknown wrong encapsulated payload | DoS | DoS | Automated | โœ“ | โœ“ | | Unknown sdp unknown element type | DoS | DoS | Automated | โœ“ | โœ“ | | Unknown sdp oversized element size | DoS | DoS | Automated | โœ“ | โœ“ | | Unknown feature req ping pong | DoS | DoS | Automated | โœ“ | โœ“ | | Unknown lmp invalid transport | DoS | DoS | Automated | โœ“ | โœ“ | | CVE-2020-12352 | Critical | Info leak | Automated | | โœ“ |

Novel attacks

These attacks a novel/new and are tested by the framework

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested | |----------------------------------------------| :---: | :---: | :---: | :---: | :---: | | Insecure NC implementation | MitM | MitM | Manual | | โœ“ | | Vehicular NiNo | MitM | Info | Manual | | โœ“ | | Contact Extractor | Critical | BAC | Manual | | โœ“ |

Vulnerabilities to be added soon

| Vulnerability | Category | Type | Verification type | Hardware req. | Tested | Scheduled to be added | |----------------------------------------------| :---: | :---: | :---: | :---: | :---: | :---: | | BLUR | MitM | ? | - | โœ“ | | โœ“ | | BIAS | MitM | ? | - | โœ“ | | โœ“ | | BLUFFS | MitM | ? | - | โœ“ | | โœ“ | | BlueRepli | Critical | BAC | - | | | | | CVE-2020-26555 | MitM | MiTM | - | | | |

TODO List

  • [ ] Add Support for BLE (Bluetooth Low Energy)
- Implement BLE functionality to enhance the project's connectivity capabilities.
  • [ ] Continuously (Re-)Develop Proofs of Concept (PoCs)
- Develop new PoCs to explore additional use cases or features.

Bluetooth Vulnerabilities and Attacks

Additionally, we found the following Bluetooth Classic and Bluetooth Low Energy (BLE) vulnerabilities. The table has the following information about the attacks and vulnerabilities - name, type either implementation-specific, protocol-specific or affecting a BT profile, Bluetooth Type (BLE, BT, BT + BLE), BT versions affected, number of exploits, year released, CVE if available, CVSS if available, Hardware if required, Proof of Concept if available and additional information in the comment section with additional links or explanation.

| Exp. Family | Name | Type | BT Type | BT ver | exp. # | Year | CVE | CVSS | Hardware | PoC | Link | Comment | | -------------- | ----------------------------------- | ----- | ---------- | ------------------ | --------------- | ---- | -------------------------------------------------------------------- | ---- | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Qualcomm WSA8835 attck | Imp | BLE | | 1 | 2023 | | | | | https://www.cvedetails.com/cve/CVE-2023-21647/?q=CVE-2023-21647 | Improper GATT packet verification | | | Auth bypass, spoofing | Imp | BLE | | 1 | 2022 | | | | | https://fmsh-seclab.github.io/ | Authentication Bypass by Spoofing in Tesla Keys | | | unauth MITM | Prot | BLE | 4.0 - 5.3 | 1 | 2022 | | | | | https://www.cvedetails.com/cve/CVE-2022-25836/ | Check CVE for details, relies on Method Confusion | | | BLE Proximity Auth relay | Rel | BLE | 4.0 - 5.3 | 1 | 2022 | | | | | https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/ | BLE Proximity Authentication Vulnerable to Relay Attacks | | | Sniffle | Snif | BLE | 4.0-5.0 | 1 | 2022 | | | TI CC1352/CC26x2 | https://github.com/nccgroup/Sniffle | | | | | InjectaBLE | Prot | BLE | 4.0 - 5.2 | 1 | 2021 | | | nRF52840 | https://github.com/RCayre/injectable-firmware | https://hal.laas.fr/hal-03193297v2/document | MITM, Send malicious packets, post-exploitation after the session was established/hijacked (Imp and model specific) | | | jacknimble | Imp | BLE | | | 2020 | | | nRF52840 | https://github.com/darkmentorllc/jackbnimble | https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf | 3 exploits for specific hardware, CVE-2020-15531 | | | SweynTooth | Imp | BLE | | 12 | 2020 | | | nRF52840 | https://github.com/Matheus-Garbelini/sweyntoothbluetoothlowenergyattacks | https://asset-group.github.io/disclosures/sweyntooth/ | | | | BlueDoor | Prot | BLE | 4.0 - 5.2 | 1 | 2020 | | | nRF51822 | | http://tns.thss.tsinghua.edu.cn/~jiliang/publications/MOBISYS2020_BlueDoor.pdf | MITM | | | Downgrade attack | Prot | BLE | 4.2 - 5.0 | 1 | 2020 | | | TICC2640 & Adafruit Bluefruit LE Sniffe | | https://www.usenix.org/system/files/sec20-zhang-yue.pdf | MITM through downgrade (SCO) CVE-2020-35473 | | | BLESA | Spoof | BLE | | 1 | 2020 | | | | | https://www.usenix.org/system/files/woot20-paper-wu.pdf | Spoofing to establish MITM and disable encryption | | SweynTooth | Cypress PSoc 4 BLE | Imp | BLE | | 1 | 2019 | | | | | https://www.cvedetails.com/cve/CVE-2019-16336/?q=CVE-2019-16336 | DoS | | SweynTooth | Cypress PSoc 4 BLE | Imp | BLE | | 1 | 2019 | | | | | https://www.cvedetails.com/cve/CVE-2019-17061/?q=CVE-2019-17061 | Buffer Overflow | | SweynTooth | NXP KW41Z up to 2.2.1 | Imp | BLE | | 1 | 2019 | | | | | https://www.cvedetails.com/cve/CVE-2019-17060/?q=CVE-2019-17060 | BLE Link layer buffer overflow | | SweynTooth | STMicroelectronics BLE Stack | Imp | BLE | | 1 | 2019 | | | | | https://www.cvedetails.com/cve/CVE-2019-19192/?q=CVE-2019-19192 | through 1.3.1 for STM32WB5x devices does not properly handle consecutive ATT requests on reception | | | Co-located app BLE | | BLE | | 1 | 2019 | | | | Theory | https://www.usenix.org/system/files/sec19-sivakumaran_0.pdf | Co-located apps can get BLE data, and thus exfiltrate needed info??? can we do a relay with it? | | | BleedingBit | Imp | BLE | 4.2 - 5.0 | 1 | 2018 | | | | | https://www.armis.com/research/bleedingbit/ | | | | GATTacking | Prot | BLE | 4.0 | 1 | 2016 | | | CSR 8510-based USB dongle | https://github.com/securing/gattacker | https://www.blackhat.com/docs/us-16/materials/us-16-Jasek-GATTacking-Bluetooth-Smart-Devices-Introducing-a-New-BLE-Proxy-Tool.pdf | MITM BLE | | | Crackle | Prot | BLE | 4 | 1 | 2013 | | | | https://github.com/mikeryan/crackle | https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf | crack ble encryption | | Bluez | MynameIsKeyboard | Imp | BT | | 1 | 2023 | CVE-2023-45866 | 8.8 | | https://github.com/marcnewlin/himynameiskeyboard | \- | CVE-2023-45866, CVE-2023-45866, CVE-2023-45866 | | Antonioli | BLUFFS | Prot | BT | 4.2-5.2 | 6 | 2023 | CVE-2023-24023 | 6.8 | CYW920819EVB-02 | https://github.com/francozappa/bluffs | | | | | \- | Prot | BT | | 1 | 2022 | | | | | https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833777 | Cross-stack illegal access attack (formal methods) + CVE-2020-26560 and CVE-2020-15802 mentioned in other entries | | | BlackTooth | Prot | BT | | 1 | 2022 | | | CYW920819EVB-02 | | https://dl.acm.org/doi/pdf/10.1145/3548606.3560668 | 1 new attack (connection stage) + KNOB and other attacks that were reused | | | BLAP | Prot | BT | | 1 | 2022 | | | | Theory | https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833575 | Extract Link Key from the HCI dump needs physical access to the car (applicable in car sharing only) | | | Blue's Clues | Prot | BT | <=5.3 | | 2022 | CVE-2022-24695 | 4.3 | Ubertooth & USRP B210 SDR | https://github.com/TylerTucker/BluesClues | https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10179358 | CVE-2022-24695 affects Privacy, defeats non-discoverable feature of BT/EDR | | | unauth MITM | Prot | BT | 1.0B-5.3 | 1 | 2022 | CVE-2022-25837 | 7.5 | | | https://www.cvedetails.com/cve/CVE-2022-25837/ | Check CVE for details, relies on Method Confusion, CVE-2022-25837 | | Braktooth | BrakTooth | Imp | BT | 3.0 - 5.2 | 16 | 2021 | CVE-2021-28139 | 8.8 | ESP-WROVER-KIT | https://github.com/Matheus-Garbelini/braktoothesp32bluetoothclassicattacks | https://asset-group.github.io/disclosures/braktooth/ | | | | BleedingTooth BadChoice | Imp | BT | 4.2-5.2 | 1 | 2020 | CVE-2020-12352 | 6.5 | | https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq | https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html | Information leak | | | BleedingTooth BadKarma | Imp | BT | 5.0 | 1 | 2020 | CVE-2020-12351 | 8.8 | | https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq | https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html | stack-based info leak BlueZ | | | BleedingTooth BadVibes | Imp | BT | 5.0+ | 1 | 2020 | CVE-2020-24490 | 6.5 | | https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649 | https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html | Requires BT 5.0 and higher | | | Snapdragon Auto CVEs | Imp | BT | | 4 | 2020 | | | | | https://www.cvedetails.com/cve/CVE-2020-3703/?q=CVE-2020-3703 | CVE-2020-11156 Snapdragon Auto, no exploits CVE-2020-11154 CVE-2020-11155, CVE-2020-3703 | | | BlueRepli | Imp | BT | | 1 | 2020 | | | | No exploit so far | https://i.blackhat.com/USA-20/Wednesday/us-20-Xu-Stealthily-Access-Your-Android-Phones-Bypass-The-Bluetooth-Authentication.pdf | https://github.com/DasSecurity-HatLab/BlueRepli-Plus | | | UberTooth | Snif | BT | ALL | 1 | 2020 | | | Ubertooth | https://github.com/greatscottgadgets/ubertooth | https://ubertooth.readthedocs.io/en/latest/ | Sniffing | | Antonioli | BIAS | Prot | BT | <=5.0 | 4 | 2019 | CVE-2020-10135 | 5.4 | CYW920819, possibly CYW920819M2EVB-01 | https://github.com/francozappa/bias | https://francozappa.github.io/about-bias/ | CVE-2020-10135 | | | MITM SSP BT 5.0 | Prot | BT | 5 | 1 | 2018 | | | | | https://link.springer.com/article/10.1007/s00779-017-1081-6 | passkey entry association model is vulnerable to the MITM | | BlueBorne | CVE-2017-0785 | Imp | BT | | 1 | 2017 | CVE-2017-0785 | 6.5 | | | | | | BlueBorne | CVE-2017-1000251 | Imp | BT | 5 | 4 | 2017 | CVE-2017-1000251 | 8.0 | | https://github.com/ArmisSecurity/blueborne | https://www.armis.com/research/blueborne/ | | | | Lexus BT Heap Overflow | Imp | BT | | 1 | 2017 | CVE-2020-5551 | 8.8 | | Theory | https://keenlab.tencent.com/en/2020/03/30/Tencent-Keen-Security-Lab-Experimental-Security-Assessment-on-Lexus-Cars/ | RCE in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured not in Japan from Oct. 2016 to Oct. 2019 | | | BlueEar | Snif | BT | ALL | 1 | 2016 | | | Ubertooth (2) | https://github.com/albazrqa/BluEar | https://www.cs.cityu.edu.hk/~jhuan9/papers/blueear16mobisys.pdf | Sniffing, extending the code of Ubertooth | | | CVE-2018-19860 | Imp | BT | | 1 | 2014 | CVE-20


README truncated. [View on GitHub
๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท sgxgsx/BlueToolkit ยท Updated daily from GitHub