Exploiting IoT enabled BLE smart bulb security

. 7 min read

With the growing popularity of IoT and smart devices, the first thing that comes to mind when talking about IoT is smart homes . This includes a whole bunch of devices including smart refrigerators, smart bulbs, power adapters, kettles, toasters, egg trays and what not.

In this post, we are going to discuss about how to take over a BLE based IoT smart bulb, interact with it, change colors, and in the process also look into security internals of BLE.

Some of the things we are going to cover in this post:

  • Getting started with Ubertooth sniffing of BLE

  • Active sniffing of traffic

  • Modifying BLE handlers and characteristic values

  • Taking control over devices

    In case you are interested in a real-world version of the training class for your organization covering topics such as BLE sniffing, exploitation, Zigbee and more, feel free to contact us at secure@attify.com or have a look at Offensive IoT Exploitation .

    In order to get started, we will need the below items:



  • hcitool
  • ubertooth-utils
  • Gatttool

Connect the bulb to the power connection. Make sure it’s working by turning it on and off using your smartphone. The first step now is to find the bluetooth address of the target device.

Step1: We will use hcitool to find all the available BLE device present near the host.

hcitool lescan

In the above image, we will find the bluetooth address of the multiple devices around us. Upon inspection, it looks like 88:C2:55:CA:E9:4A is our Bulb and the Bluetooth name of the device is cnligh .

Step 2: Now once we know the BD_ADDR (bluetooth address) of the target device, we can use gatttool to view the services running inside the target device. Use gatttool -I to switch to an interactive mode and connect to the target device using the particular BD_ADDR.

gatttool -I connect 88:C2:55:CA:E9:4A primary

In the above image, there are three primary service running among the three UUIDs. 00001800 and 00001801 is Bluetooth SIG defined service and the UUID 0000f371 is not one of the service defined by Bluetooth SIG.

Step 3: Now we can use char-desc to list all the handle in a particular UUID ( 0000f371 ). It’s better to specify the attr and end group handles, which in this case is 0x0010 0xffff

char-desc 0x0010 0xffff

If we look at the above image, we can see the complete list of handles, for the particular UUID 0xffff.

If we look it up, we will see that the service 0xfff1 to 0xfff9 is defined by the manufactures, other are services adopted by Bluetooth Special Interest group such as primary service, characteristic, characteristic user description. To know the Service and their paticular UUID value, refer https://www.bluetooth.com/specifications/gatt/services .

Step 4: There are many handles and we are not sure to which handle we can write the data, so let’s try reading the handle with their handle value

char-read-hnd 0x0012

When we try to read the handle we get an error message as shown in the above image. It’s a little complicated here because we don’t know that, to which handle we can should read/write data and we don’t even know the packet format.

So to know the packet format and the handle, it’s better to sniff the BLE packets. Ubertooth is an effective tool which can be used to perform an active sniffing of BLE traffic. In case you would like to get all the items used in this tutorial along with additional labs, consider purchasing our BLE Exploitation Learning Kit

Step 5: ubertooth-btle is used to sniff the BLE packets. We can simply use ubertooth-btle -f in this case to follow connections for our target device. In case you have multiple device, you can use ubertooth-btle -f -t <BD_ADDR> , with the Bluetooth address of the target device. In our case the BD_ADDR is 88:C2:55:CA:E9:4A

ubertooth-btle -f -t88:C2:55:CA:E9:4A

Step 6:  To capture packets, use the following command

ubertooth-btle -f -t88:C2:55:CA:E9:4A -c smartbulb_dump.pcap

-c is used here to capture the packets in a pcap specified by the file name. In case you would like to perform an active traffic interception of the BLE device, you can also create a pipe by doing a mkfifo /tmp/pipe and then using it in Wireshark as the capture interface.

Now open your mobile app for the bulb and connect it. Once connected, perform an action such as changing the color of the bulb and ubertooth will capture all the packets.

Advertising packets identification with Ubertooth

Advertising packets identification with Ubertooth

The above image is advertising packet from the bulb and few points to be noted is

  • The Access address (AA) is 0x8e89bed6 , This is used to manage the link layer.
  • It is on channel 37 which is one of the dedicated advertising channels
  • Packet PDU is ADV_IND , meaning it is connectable, uni-directional and scannable.
  • AdvA is 88:c2:55:ca:e9:4a which is nothing but the BD_ADDR of the advertising device
  • Type 01 flag indicates that the AdvA address is random

If we look into the above image, we will notice that it has both the values – scan response ( SCAN_RSP ) from the target device and scan request( SCAN_REQ )  from the app


  • ** ScanA is a 6 byte scanner address and TxAdd indicate  whether it is random or public address **
  • AdvA is a 6 byte advertiser address, RxAdd in PDU indicate the whether the address is public or random


  • AdvA is a 6 byte advertise address, TxAdd indicate the type of address whether it is random or public
  • ScanRspData is a optional advertising data from the advertiser


The below image is sniffed data

Ubertooth sniffing for BLE traffic

Step 7: Let’s analyze the captured packets using wireshark, open wireshark and open the captured pcap file.

If you see here it will show all the captured packets.

Step 8: Now we need to find the ATT packets among these captured packets. The simplest way is to make use of the filter option in wireshark. Type btl2cap.cid==0x004

if we look into the above image there is only ATT packets and the info about the packet.

Step 9:  Here we have captured packets while changing the color of the bulb, so let’s look for the write request packets.

BLE write packets
BLE write packets

Now we get to know that the data is written to handle 0x0012, which belong to a certain UUID which we need to figure out.

Step 10:  If we analyze the particular write request packet we are able to find the access address,CRC value, opcode, handle and the UUID

Wireshark showing write packets for BLE
Wireshark showing write packets for BLE

In the above image we can see the

  • access address: 0xaf9a9515
  • master and slave address
  • CRC: 0x6dcb5
  • handle: 0x0012
  • UUID: 0xfff1
  • value : 03c90006000a03000101000024ff000000006

BLE packet details
BLE packet details

  • Header is 2 bytes in length which comes along with the PDU
  • Mode selection is hardcoded for controlling the color of the lamp
  • The 6 Byte 0024ff is the RGB value, these 6 bytes can be changed accordingly to get your desired color

Step 11: We can use gatttool to write the value to the particular handle or UUID,

char-write-req 0x0012 03c90006000a03000101000024ff00000000 // Bluish green 
char-write-req 0x0012 03c90006000a0300010100ff000000000000 // Red 
char-write-req 0x0012 03c90006000a030001010000ff0000000000 // Green 
char-write-req 0x0012 03c90006000a03000101000000ff00000000 // Blue

Step 12: It's even possible to Turn on and off the bulb, just change the on/off bit in the data

char-write-req 0x0012 03c90006000a030101010000000000000000 : Turns the bulb OFF
char-write-req 0x0012 03c90006000a0300010100ff000000000000 : Turns the bulb ON

It was found using a simple method that the RGB Values of 0 will turn the bulb off, thus the value 03c90006000a030101010000000000000000 and any value of RGB would turn the bulb on, such as a value of 03c90006000a0300010100ff0000000000000. This was also validated using the sniffed pcap.

That is all for this blog post. In the upcoming blog posts, we will look into additional BLE exploitation, Zigbee exploitation and lot more. Additional information below:


IoT Hacker and Ninja

Get IoT Security Training

IoT Pentesting Exploitation Training


analog modulation Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch arduino nano arm ARM binaries ARM course ARM exploitation book ARM exploitation video training ARM gadgets ARM Training attify attify badge attify training best security practices biggest iot attacks of all time binwalk blackberry pentesting blackhat ble BLE attacks BLE dangers BLE hacking and exploitation BLE security issues BLE sniffing BLE vulnerabilities bleah bluetooth technology box brut Exception BtleJuice capture radio traffic career in cybersecurity CCTV cameras challenges in iot retail chroot cloud based mobile application security scanner consulting CTF cyber attacks cybersecurity Damn Vulnerable iOS App dangers of iot DDoS attacks devops digital modulation dumping memory embedded hacking expert Exploit ARM devices exploitation exploiting ble exploiting smart devices firmadyne firmware analysis toolkit firmware emulation Firmware hacking firmware reverse engineering Flare-on frida getting started with firmware hacking ghidra GSMA guide to ARM exploitation hacked security IP cameras hacked smart devices hackers hackfest hacking smart devices healthcare business protection against iot threats healthcare cyber security how can healthcare fight iot threats How Mirai botnet infects your device How Mirai works how retail can prevent cyber attacks how to exploit ble how to hack radio waves how to protect iot devices how to secure iot device IDA internet of things Internet of Things Security internet security ios application security ios security iot iot attacks iot bots, malwares iot device IoT Devices IoT Exploitation iot hacking iot hacks IoT hacks on ARM devices iot penetration testing iot pentest iot pentesting iot security IoT security guidelines iot security training iot threats iot threats to healthcare industry iotsecurity IP cameras jtag jtag debugging latest iot attacks learn ARM exploitation measures to prevent cyber attacks on healthcare organisations Mirai Botnet mirai history mobile app mobile application security mobile application security testing mobile security monitor iot devices Mozilla network security in retail ninja recon technique NIST offensive iot exploitation ola cabs owasp owasp appsec penetration testers penetration testing pentesting pentesting mobile apps phishing attacks powerofcommunity PrinterSecurity privacy protection profession professional qemu quizup radio communication protocol radio coomunication radio waves hacking recent ARM attacks recent cyber attacks recent iot attacks recent security camera attacks retail iot Reversing safety measures to protect privacy sdr secure coding guidelines security security cameras security challenges in retail IoT security in healthcare iot security issue security issues faced by e-retailers security services security training security vulnerability setup smart devices smart user security social networking spi steps to prevent iot attacks on healthcare surveillance cameras hijacked threat modeling tools to exploit ble training uart Understanding Mirai Botnet virus vulnerabilities discovered in popular IoT IP cameras vulnerabilities in internet connected cameras vulnerability vulnerable ARM devices What is mirai botnet? why choose career in cybersecurity writeups xposed hooking zigbee zigbee exploitation zigbee security zwave