
Fang Mode: Bluetooth and BLE Attacks for Physical Engagements

April 9, 2026 · 8 min read · Yves Soete

TL;DR

Fang mode on the Phantom attacks Bluetooth and BLE devices -- relay/MITM against smart locks and badge readers, GATT enumeration and fuzzing, legacy pairing exploitation (PIN brute-force, KNOB, BIAS), and advertisement injection. The Bluetooth 5.2 radio provides extended range and simultaneous scanning and connection support for testing at scale during physical engagements.

Bluetooth is everywhere in physical environments -- access control badges, smart locks, conference room equipment, medical devices, industrial sensors, personal peripherals -- and most of it is poorly secured. Fang mode turns the Phantom's Bluetooth 5.2 radio into a full attack platform for BLE relay, device spoofing, GATT fuzzing, legacy pairing exploitation, and advertisement injection. Where WiFi attacks get most of the attention, Bluetooth attacks often yield access to systems that network-level testing never touches.

How Does the BLE Relay and Man-in-the-Middle Attack Work?

The most powerful BLE attack is the relay, sometimes called a GATTacker-style MITM. The concept: you place yourself between a BLE peripheral (say, a smart lock) and the central device that controls it (a phone app). The Phantom clones the peripheral's advertisement data, including its device name, service UUIDs, and manufacturer-specific data, then broadcasts that cloned advertisement. The legitimate central device connects to the Phantom thinking it's talking to the real peripheral.

Simultaneously, the Phantom connects to the real peripheral as a central device. Every GATT read, write, and notification is relayed transparently between the two sides. The legitimate central sends a command, the Phantom forwards it to the real peripheral, the peripheral responds, and the Phantom forwards the response back. Neither side knows the Phantom is in the middle.

Once the relay is established, the operator can inspect every GATT operation in real time, modify values in transit (change a "lock" command to "unlock," alter sensor readings, inject different configuration values), or record the entire session for later analysis. This is particularly effective against access control systems where the phone app sends a credential or challenge response over BLE -- capturing that exchange often reveals authentication weaknesses or allows replay attacks.

The relay works across distance. The Phantom near the peripheral communicates with the operator's client over the 4G backhaul, meaning the legitimate central device can be relayed from hundreds of meters away. This defeats proximity-based security assumptions that many BLE systems rely on.

Device Spoofing and Impersonation

BLE device spoofing is simpler than a full relay. The Phantom clones a target device's advertisement data and presents itself as that device to any central that scans for it. This is useful when you've already captured the authentication exchange (from a relay session or packet capture) and want to impersonate the device directly.

Many BLE peripherals use static credentials, rotating keys with predictable seeds, or no authentication at all. Smart locks are a common example: the phone app connects to the lock, sends a characteristic write with a token or PIN, and the lock opens. If that token is static or derivable, spoofing the lock lets you capture the token from the app, then spoofing the app lets you send that token to the real lock. Fang mode automates the capture-and-replay workflow.

Spoofing also enables social engineering. Broadcasting a fake BLE beacon that mimics a trusted device (a corporate badge reader, a known printer, a conference room display) can trigger automatic connection attempts from nearby devices, potentially exposing pairing credentials or triggering vulnerable bonding sequences.

How Does GATT Service Enumeration and Fuzzing Work?

GATT (Generic Attribute Profile) is the protocol that structures BLE data exchange. Every BLE peripheral exposes one or more services, each containing characteristics that can be read, written, or subscribed to for notifications. The first step in any BLE assessment is full GATT enumeration -- discovering every service, characteristic, and descriptor on the target device.

Fang mode performs automatic GATT enumeration on any device in range. Standard services (Battery, Device Information, Heart Rate, etc.) are identified by their assigned UUIDs. Custom services -- the ones that actually control device-specific functionality -- use 128-bit UUIDs and require deeper inspection.

The interesting work happens in fuzzing. Many BLE devices have hidden characteristics that are not advertised in the standard GATT table but respond to reads or writes at specific handles. Fang iterates through the full handle range (0x0001 to 0xFFFF), probing each for readable data or writable access. This frequently uncovers debug interfaces, firmware update endpoints, and administrative functions that developers left accessible in production.

Write fuzzing is even more productive. Sending structured and random payloads to writable characteristics can trigger authentication bypasses (writing a specific byte sequence that the device accepts without proper validation), buffer overflows (exceeding the expected characteristic length), or state transitions (changing the device into a debug or factory mode). Fang logs every response, crash, and behavior change, building a map of the device's attack surface.
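As an added illustration of what GATT enumeration hands you (example code written for this post, not Fang's own implementation), the block below decodes characteristic declarations the way a client sees them in a Read By Type response and then lists the writable characteristics a reviewer should look at first. The handles and the two vendor UUIDs are constructed; the declaration layout, the property bits and the two SIG-assigned UUIDs (Device Name 0x2A00, Battery Level 0x2A19) come from the Bluetooth specification.

```python
"""Decode GATT characteristic declarations (attribute type 0x2803) and list
the writable ones a security review should examine first.
Added example: handles and the vendor UUIDs below are constructed."""
from dataclasses import dataclass
import struct

# A 16-bit SIG UUID xxxx expands to 0000xxxx-0000-1000-8000-00805f9b34fb.
SIG_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Property bits in a characteristic declaration.
PROPERTY_BITS = {
    0x01: "broadcast", 0x02: "read", 0x04: "write-without-response",
    0x08: "write", 0x10: "notify", 0x20: "indicate",
    0x40: "authenticated-signed-write", 0x80: "extended-properties",
}
WRITE_PROPS = {"write", "write-without-response", "authenticated-signed-write"}


@dataclass(frozen=True)
class Characteristic:
    decl_handle: int        # handle of the declaration attribute
    value_handle: int       # handle a client actually reads or writes
    uuid: str               # canonical 128-bit text form
    properties: frozenset


def parse_uuid(raw: bytes) -> str:
    """UUIDs are little-endian on the wire; return canonical text."""
    if len(raw) == 2:
        return f"0000{struct.unpack('<H', raw)[0]:04x}{SIG_BASE_SUFFIX}"
    if len(raw) == 16:
        h = raw[::-1].hex()
        return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"
    raise ValueError(f"unsupported UUID length {len(raw)}")


def is_sig_assigned(uuid: str) -> bool:
    return uuid.startswith("0000") and uuid.endswith(SIG_BASE_SUFFIX)


def parse_characteristic(decl_handle: int, value: bytes) -> Characteristic:
    """Declaration value = properties(1) | value handle(2 LE) | UUID(2 or 16 LE)."""
    if len(value) not in (5, 19):
        raise ValueError(f"bad declaration length {len(value)} at 0x{decl_handle:04x}")
    names = frozenset(n for bit, n in PROPERTY_BITS.items() if value[0] & bit)
    value_handle = struct.unpack_from("<H", value, 1)[0]
    return Characteristic(decl_handle, value_handle, parse_uuid(value[3:]), names)


def review_writable(chars):
    """(value handle, uuid, reasons) for every writable characteristic, vendor
    UUIDs first.  Whether the firmware demands pairing or encryption before it
    honours a write is NOT visible here; that has to be tested on the device."""
    findings = []
    for c in chars:
        if not (c.properties & WRITE_PROPS):
            continue
        reasons = []
        if not is_sig_assigned(c.uuid):
            reasons.append("vendor UUID: confirm authentication is enforced before the write takes effect")
        if "write-without-response" in c.properties:
            reasons.append("unacknowledged writes: typical of command channels")
        if "read" in c.properties:
            reasons.append("also readable: check that no token or secret is exposed")
        findings.append((c.value_handle, c.uuid, reasons))
    findings.sort(key=lambda f: (is_sig_assigned(f[1]), f[0]))
    return findings


def _decl(props: int, value_handle: int, uuid: str) -> bytes:
    """Build a declaration value as a Read By Type response would carry it."""
    h = uuid.replace("-", "")
    raw = bytes.fromhex(h)[::-1] if len(h) == 32 else struct.pack("<H", int(h, 16))
    return bytes([props]) + struct.pack("<H", value_handle) + raw


CUSTOM_CMD = "a1b2c3d4-0001-4000-8000-00c0ffee0001"   # constructed vendor UUIDs
CUSTOM_CFG = "a1b2c3d4-0002-4000-8000-00c0ffee0001"

# Constructed discovery result: (declaration handle, declaration value).
SAMPLE_TABLE = [
    (0x0002, _decl(0x02, 0x0003, "2a00")),       # Device Name: read only
    (0x0010, _decl(0x12, 0x0011, "2a19")),       # Battery Level: read | notify
    (0x0020, _decl(0x0C, 0x0021, CUSTOM_CMD)),   # write | write-without-response
    (0x0030, _decl(0x0A, 0x0031, CUSTOM_CFG)),   # read | write
]


def run_sample():
    return review_writable(parse_characteristic(h, v) for h, v in SAMPLE_TABLE)


if __name__ == "__main__":
    for handle, uuid, reasons in run_sample():
        print(f"0x{handle:04x} {uuid}")
        for r in reasons:
            print("   -", r)
```

The point the review list makes is the same one the fuzzing paragraph makes from the other side: a declaration tells you a characteristic is writable, but nothing about whether the device checks who is writing. That gap is exactly what the write-fuzzing pass fills, and it is the first thing to close when you own the firmware.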

Legacy Bluetooth Pairing Exploitation

BLE (Bluetooth Low Energy, 4.0+) gets the most attention, but classic Bluetooth (BR/EDR) is still widely deployed in keyboards, mice, headsets, car systems, and industrial equipment. Many of these devices use legacy pairing mechanisms that are fundamentally broken.

PIN-based pairing in Bluetooth 2.0 and earlier is the worst offender. The standard PIN is four digits (0000-9999), and many devices use a fixed PIN of 0000 or 1234. Even when a random PIN is used, the pairing exchange can be sniffed and the PIN brute-forced offline -- 10,000 possibilities is trivial. Fang mode automates PIN brute-force against devices that accept pairing requests.

SSP (Secure Simple Pairing) in Bluetooth 2.1+ is better but not immune. The Just Works association model (used when one or both devices have no display or keyboard) provides no MITM protection by design. Fang can intercept and relay Just Works pairing to establish a MITM position on classic Bluetooth connections, similar to the BLE relay attack but using the BR/EDR stack.

KNOB (Key Negotiation of Bluetooth) and BIAS (Bluetooth Impersonation Attacks) are protocol-level vulnerabilities that affect even modern Bluetooth implementations. KNOB forces the encryption key length down to a single byte, making brute force trivial. BIAS allows an attacker to impersonate a previously paired device without knowing the link key. Fang includes checks for both.
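To make the Just Works and KNOB points concrete, here is an added example (my code, not part of Fang; every packet is constructed) that reads the negotiated key size out of the HCI reply to Read_Encryption_Key_Size on a BR/EDR link and the requested key size and AuthReq flags out of an LE SMP Pairing Request. It flags the two things a defender wants to know: an encryption key shorter than the 7-octet minimum the SIG recommended after KNOB, and a pairing request that never asked for MITM protection.

```python
"""Pull the negotiated key strength out of two places where it is visible:
the BR/EDR HCI_Read_Encryption_Key_Size reply (the value KNOB drives down)
and the LE SMP Pairing Request/Response (requested key size plus whether MITM
protection was asked for at all).  Added example; all packets are constructed."""
import struct

MIN_KEY_SIZE = 7                     # octets; SIG's post-KNOB recommended minimum
HCI_EVT_COMMAND_COMPLETE = 0x0E
OPCODE_READ_ENC_KEY_SIZE = 0x1408    # OGF 0x05 (Status Parameters) << 10 | OCF 0x0008
SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE = 0x01, 0x02
AUTHREQ_MITM, AUTHREQ_SC = 0x04, 0x08


def parse_read_enc_key_size(event: bytes):
    """event = HCI event code | parameter length | parameters (no H4 byte).
    Returns (connection handle, key size) for a successful
    Read_Encryption_Key_Size reply, None for any other event."""
    if len(event) < 2 or event[0] != HCI_EVT_COMMAND_COMPLETE:
        return None
    plen = event[1]
    params = event[2:2 + plen]
    if len(params) != plen or plen < 3:
        raise ValueError("malformed Command Complete event")
    _num_cmd_pkts, opcode = struct.unpack_from("<BH", params, 0)
    if opcode != OPCODE_READ_ENC_KEY_SIZE:
        return None
    if plen < 7:
        raise ValueError("short Read_Encryption_Key_Size reply")
    status, handle, key_size = struct.unpack_from("<BHB", params, 3)
    if status != 0x00:
        return None                    # command failed; nothing to assess
    return handle & 0x0FFF, key_size   # connection handle is 12 bits


def parse_smp_pairing(pdu: bytes):
    """SMP Pairing Request/Response:
    code | IO capability | OOB flag | AuthReq | max key size | initiator keys | responder keys."""
    if len(pdu) != 7 or pdu[0] not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        return None
    code, io_cap, oob, authreq, max_key, _ikd, _rkd = pdu
    return {"code": code, "io_capability": io_cap, "oob": oob,
            "mitm": bool(authreq & AUTHREQ_MITM),
            "secure_connections": bool(authreq & AUTHREQ_SC),
            "max_key_size": max_key}


def assess_bredr(handle: int, key_size: int):
    findings = []
    if key_size < MIN_KEY_SIZE:
        findings.append(f"handle 0x{handle:03x}: {key_size}-octet encryption key, "
                        f"below the {MIN_KEY_SIZE}-octet minimum (KNOB exposure)")
    return findings


def assess_smp(pairing: dict):
    findings = []
    if pairing["max_key_size"] < MIN_KEY_SIZE:
        findings.append(f"max key size {pairing['max_key_size']} below {MIN_KEY_SIZE}")
    if not pairing["mitm"]:
        findings.append("AuthReq MITM bit clear: Just Works, no MITM protection")
    if not pairing["secure_connections"]:
        findings.append("SC bit clear: LE legacy pairing instead of LE Secure Connections")
    return findings


# Constructed packets.
KNOB_EVENT = bytes([0x0E, 7, 1, 0x08, 0x14, 0x00, 0x0B, 0x00, 0x01])   # handle 0x00B, key size 1
OK_EVENT   = bytes([0x0E, 7, 1, 0x08, 0x14, 0x00, 0x0B, 0x00, 0x10])   # same handle, 16 octets
JUST_WORKS_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])     # NoInputNoOutput, bonding only
STRONG_REQ     = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x0F, 0x0F])     # KeyboardDisplay, bonding|MITM|SC


def run_sample():
    report = {}
    for name, evt in (("knob", KNOB_EVENT), ("ok", OK_EVENT)):
        report[name] = assess_bredr(*parse_read_enc_key_size(evt))
    for name, pdu in (("just_works", JUST_WORKS_REQ), ("strong", STRONG_REQ)):
        report[name] = assess_smp(parse_smp_pairing(pdu))
    return report


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, findings or ["ok"])
```

Both inputs are what btmon on a Linux host shows for a live link. If a stack reports an encryption key size under 7 octets on an established BR/EDR link, it is not enforcing the minimum and the KNOB check described above will find it; a pairing request with the MITM bit clear tells you the relay position in the previous paragraph costs the attacker nothing.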

BLE Advertisement Injection

BLE advertisements are the broadcast packets that devices send to announce their presence. They're unencrypted, unauthenticated, and any device can broadcast them. This makes advertisement injection trivial and useful for several attack scenarios.

iBeacon and Eddystone spoofing lets the Phantom broadcast fake location beacons. In environments that use BLE beacons for indoor positioning, asset tracking, or proximity-triggered actions (automatic door unlocking, check-in systems, context-aware displays), injecting fake beacons can manipulate the system's behavior. Spoofing an iBeacon with the right UUID, major, and minor values can trigger actions in apps that trust beacon proximity as an authentication factor.

Advertisement injection is also useful for denial of service. Flooding the BLE advertisement channels (37, 38, 39) with garbage advertisements degrades the ability of legitimate devices to discover each other. And broadcasting advertisements that mimic a high-value target (cloning the advertisement of a manager's phone, for example) can confuse BLE-based access control systems that make decisions based on which devices are in proximity.

Bluetooth Device Tracking

Before attacking anything, you need to know what's there. The Scout can perform this inventory ahead of time, and Fang mode's passive scanning builds a comprehensive inventory of every Bluetooth device in range -- classic and BLE -- with MAC addresses, OUI (Organizationally Unique Identifier) lookups to identify manufacturers, device classes, service UUIDs, signal strength over time, and advertising data.

MAC address tracking is straightforward for devices with static addresses. Many BLE devices use random resolvable or non-resolvable private addresses that rotate periodically, but the rotation interval varies wildly by implementation. Some devices rotate every 15 minutes (Apple's recommendation), others rotate every few seconds, and many cheaper devices never rotate at all. Fang correlates device appearances across address rotations using advertising data fingerprinting -- the combination of service UUIDs, manufacturer data, TX power level, and advertising interval is often unique enough to track a device even when its MAC changes.

OUI fingerprinting identifies the chipset manufacturer from the first three octets of the MAC address (when not randomized). This immediately tells you whether you're looking at a Nordic Semiconductor-based IoT sensor, a Texas Instruments access controller, a Qualcomm phone, or a Cambridge Silicon Radio legacy headset -- each with different attack profiles and known vulnerabilities.
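An added example that serves both the advertisement injection section and this one (my code, not Fang's; every address, name and payload is constructed): it parses the AD structures in an advertising payload, decodes an iBeacon frame's UUID/major/minor, classifies addresses so you know when an OUI lookup is meaningful, and builds the address-independent fingerprint described above. It then turns that fingerprint around for detection: legitimate address rotation is sequential, so one fingerprint seen from two addresses at the same time is the signature of a cloned advertisement.

```python
"""Parse BLE advertising payloads, decode iBeacon frames, classify addresses
and flag one advertisement fingerprint being broadcast from two addresses at
the same time (a cloned advertisement).  Added example; all addresses, names
and payloads are constructed."""
import struct

# AD types from the Bluetooth Assigned Numbers ("Common Data Types").
AD_FLAGS, AD_UUID16_COMPLETE, AD_UUID128_COMPLETE = 0x01, 0x03, 0x07
AD_NAME_COMPLETE, AD_TX_POWER, AD_MANUFACTURER = 0x09, 0x0A, 0xFF
APPLE_COMPANY_ID = 0x004C


def ad(ad_type: int, data: bytes) -> bytes:
    """Encode one AD structure: length (type + data) | type | data."""
    return bytes([len(data) + 1, ad_type]) + data


def parse_ad(payload: bytes) -> dict:
    """Split a payload into {ad_type: data}.  A zero length byte means padding."""
    fields, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        fields[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return fields


def decode_ibeacon(mfg: bytes):
    """(uuid, major, minor, measured power) for an Apple iBeacon frame, else None."""
    if len(mfg) != 25:
        return None
    company, subtype, sublen = struct.unpack_from("<HBB", mfg, 0)
    if (company, subtype, sublen) != (APPLE_COMPANY_ID, 0x02, 0x15):
        return None
    u = mfg[4:20].hex()
    major, minor, power = struct.unpack_from(">HHb", mfg, 20)   # big-endian, unlike the rest of BLE
    return (f"{u[:8]}-{u[8:12]}-{u[12:16]}-{u[16:20]}-{u[20:]}", major, minor, power)


def classify_address(addr: str, random_bit: bool) -> str:
    """The advertiser's address-type bit says public vs random; for random
    addresses the two most significant bits of the first octet give the
    subtype.  An OUI lookup is only meaningful for 'public'."""
    if not random_bit:
        return "public"
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "random-static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")


def fingerprint(fields: dict) -> tuple:
    """Address-independent identity: name, service UUIDs, manufacturer data, TX power."""
    return tuple(fields.get(t, b"") for t in
                 (AD_NAME_COMPLETE, AD_UUID16_COMPLETE, AD_UUID128_COMPLETE,
                  AD_MANUFACTURER, AD_TX_POWER))


def find_concurrent_clones(observations, window_s=5.0):
    """observations: (timestamp, address, random_bit, payload).
    Rotation is sequential (the old address stops before the new one starts);
    two addresses with the same fingerprint whose sighting intervals overlap,
    or come within window_s, are advertising concurrently."""
    spans = {}   # fingerprint -> {address: (first_seen, last_seen)}
    for t, addr, _random_bit, payload in observations:
        per_addr = spans.setdefault(fingerprint(parse_ad(payload)), {})
        lo, hi = per_addr.get(addr, (t, t))
        per_addr[addr] = (min(lo, t), max(hi, t))
    alerts = []
    for fp, per_addr in spans.items():
        addrs = sorted(per_addr)
        for i, a in enumerate(addrs):
            for b in addrs[i + 1:]:
                overlap = (min(per_addr[a][1], per_addr[b][1])
                           - max(per_addr[a][0], per_addr[b][0]))
                if overlap >= -window_s:
                    alerts.append((fp[0].decode(errors="replace") or fp[3].hex(), a, b))
    return alerts


# Constructed sample traffic.
LOCK_ADV = (ad(AD_FLAGS, b"\x06") + ad(AD_NAME_COMPLETE, b"Lock-7")
            + ad(AD_UUID128_COMPLETE, bytes.fromhex("a1b2c3d400014000800000c0ffee0001")[::-1]))
PHONE_ADV = ad(AD_FLAGS, b"\x1a") + ad(AD_MANUFACTURER, bytes.fromhex("4c00100501aabbccdd"))
BEACON_ADV = ad(AD_FLAGS, b"\x06") + ad(AD_MANUFACTURER,
    struct.pack("<HBB", APPLE_COMPANY_ID, 0x02, 0x15)
    + bytes.fromhex("11111111222233334444555555555555") + struct.pack(">HHb", 1, 42, -59))

SAMPLE_OBS = [
    (0.0, "C4:11:22:33:44:55", True, LOCK_ADV),    # real lock, random static address
    (1.0, "C4:11:22:33:44:55", True, LOCK_ADV),
    (1.5, "DE:AD:BE:EF:00:01", True, LOCK_ADV),    # same payload, second address, concurrent
    (2.0, "C4:11:22:33:44:55", True, LOCK_ADV),
    (2.5, "DE:AD:BE:EF:00:01", True, LOCK_ADV),
    (0.0, "4A:00:00:00:00:01", True, PHONE_ADV),   # phone on a resolvable private address...
    (10.0, "4A:00:00:00:00:01", True, PHONE_ADV),
    (20.0, "7B:00:00:00:00:02", True, PHONE_ADV),  # ...rotated to a new one (sequential, benign)
    (30.0, "7B:00:00:00:00:02", True, PHONE_ADV),
    (0.0, "00:11:22:33:44:66", False, BEACON_ADV), # public address, OUI lookup applies
]

if __name__ == "__main__":
    for alert in find_concurrent_clones(SAMPLE_OBS):
        print("cloned advertisement?", alert)
    print("beacon:", decode_ibeacon(parse_ad(BEACON_ADV)[AD_MANUFACTURER]))
```

The false positive to expect is a fleet of identical devices with no per-unit name or manufacturer data; add RSSI or a per-unit field to the fingerprint in that case. The same fingerprint is what lets the passive inventory follow a device across address rotations, which is why a public or random static address that never changes is the easy case and a resolvable private address is where the fingerprint earns its keep.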

Why Does Bluetooth 5.2 Matter for Attacks?

The Phantom's BT 5.2 radio provides tangible advantages over older Bluetooth hardware. Range is the most obvious: BT 5.0+ supports the LE Coded PHY (S=8), which trades throughput for range, achieving reliable connections at several hundred meters in open air. This means the Phantom can reach BLE devices that a phone or laptop with BT 4.2 cannot, and it can maintain relay connections across greater distances.

Throughput matters for GATT fuzzing and data exfiltration. BT 5.0 doubled the maximum data rate to 2 Mbps (LE 2M PHY) and increased the maximum advertisement data from 31 bytes to 255 bytes (extended advertisements). Faster data rates mean faster enumeration and fuzzing cycles; larger advertisement capacity means the Phantom can inject more complex spoofed advertisements.

BT 5.2 specifically adds LE Audio and the Isochronous Channels feature, which opens new attack surface on devices that implement it. More practically, 5.2 radios have better simultaneous scanning and connection support, allowing Fang to maintain multiple active connections (for relay attacks on several devices) while continuing passive scanning in the background.

What Are the Real-World Targets for Bluetooth Attacks?

On physical engagements, the most common BLE targets are access control systems (badge readers, smart locks, turnstiles that accept BLE credentials), IoT sensors (environmental monitors, occupancy sensors that feed building management systems), medical devices (infusion pumps, patient monitors, insulin pumps -- all of which have documented BLE vulnerabilities), and personal devices (keyboards, mice, and headsets that may leak keystrokes or audio over poorly encrypted Bluetooth links).

The common thread is that Bluetooth security is an afterthought. Developers treat BLE as a short-range, low-risk protocol and skip authentication, use static keys, or rely on proximity as a security boundary. Fang mode exists because those assumptions are wrong, and a purpose-built radio with automated tooling can test them at scale during an engagement. For a full walkthrough of deploying the Phantom with all five modes, see the physical pentest deployment checklist.
