Uncovering BLE: History, Security Risks, and How to Protect Your IoT Devices

BLE Development History

Bluetooth was created in 1994 by Ericsson. Low Energy Bluetooth (BLE) emerged as a disruptive change, offering low‑cost, short‑range, interoperable wireless communication in the unlicensed 2.4 GHz band. BLE is part of the Bluetooth 4.0 specification (released 2010, latest 5.2) and consumes far less power than classic Bluetooth while keeping comparable range.

BLE is now embedded in billions of devices such as smartphones, wearables, smart‑home appliances, medical equipment, and automotive systems, making it the most widely used low‑power wireless protocol for IoT.

BLE Security Issues

Protocol Vulnerabilities

Early BLE pairing procedures (Bluetooth 2.0/4.0) used a custom key‑exchange that can be cracked. Attackers who capture all pairing packets can recover the temporary key (TK), then derive the short‑term key (STK) and long‑term key (LTK), enabling impersonation and data decryption. BLE 4.2 introduced ECDH‑based pairing to mitigate this risk.

Two notable protocol‑level bugs are the BLE 4.0 pairing flaw and the BLESA (Bluetooth Low Energy Spoofing Attack) discovered in 2020, which stems from an insufficiently specified reconnection process that allows spoofing.

Research on major BLE stacks (Linux, Android, iOS) shows many devices remain vulnerable to these attacks.

Supply‑Chain Vulnerabilities

Supply‑chain attacks can propagate from upstream Bluetooth‑SoC manufacturers to downstream IoT products. The SweynTooth vulnerability family, disclosed in 2019, includes over 20 bugs across several SoC SDKs, causing crashes, deadlocks, and security bypasses.

Approximately 480 products released between 2018‑2020 are affected, as identified by Bluetooth‑listing searches.

Product Design and Implementation Flaws

Common implementation issues include unencrypted over‑the‑air sniffing, replay attacks, broadcast spoofing, malicious binding, man‑in‑the‑middle attacks, and denial‑of‑service attacks. Examples: Wi‑Fi credentials leaked in clear text during BLE provisioning, forged incoming‑call notifications on smart watches, and spoofed sensor broadcasts that can control other devices.

Mitigations involve using secure pairing modes, enforcing authentication, encrypting broadcast data, employing out‑of‑band (OOB) confirmation, and applying regular security patches.

Recommendations

Update devices to the latest Bluetooth SIG security patches and avoid vulnerable protocol versions.

Keep upstream SDKs and firmware up‑to‑date to address supply‑chain bugs.

Adopt a BLE security development baseline, perform thorough testing, and enforce secure design practices such as encrypted advertising and OOB binding.

References

Bluetooth Market Update 2021

BLESA – USENIX WOOT 2020

SweynTooth disclosures

Crackle tool for BLE key analysis