Stealtooth: Breaking Bluetooth Security Abusing Silent Automatic Pairing

Keiichiro Kimura, Kobe University, Kobe, Japan, 233t225t@gsuite.kobe-u.ac.jp
Hiroki Kuzuno, Kobe University, Kobe, Japan, kuzuno@port.kobe-u.ac.jp
Yoshiaki Shiraishi, Kobe University, Kobe, Japan, zenmei@port.kobe-u.ac.jp
Masakatu Morii, Kobe University, Kobe, Japan, mmorii@kobe-u.ac.jp

arXiv:2507.00847v1 [cs.CR] 1 Jul 2025

Abstract

Bluetooth is a pervasive wireless communication technology used by billions of devices for short-range connectivity. The security of Bluetooth relies on the pairing process, where devices establish shared long-term keys for secure communications. However, many commercial Bluetooth devices implement automatic pairing functions to improve user convenience, creating a previously unexplored attack surface.

We present Stealtooth, a novel attack that abuses unknown vulnerabilities in the automatic pairing functions in commercial Bluetooth devices to achieve completely silent device link key overwriting. The Stealtooth attack leverages the fact that Bluetooth audio devices automatically transition to pairing mode under specific conditions, enabling attackers to hijack pairing processes without user awareness or specialized tools. We also extend the attack into the MitM Stealtooth attack, combining automatic pairing abuse with power-saving mode techniques to enable man-in-the-middle attacks.

We evaluate the attacks against 10 commercial Bluetooth devices from major manufacturers, demonstrating widespread vulnerabilities across diverse device types and manufacturers. Our practical implementation requires only commodity hardware and open-source software, highlighting the low barrier to entry for attackers.

We propose defenses at both device and protocol levels, including enhanced user notifications and standardized automatic pairing guidelines. Our findings reveal a critical tension between security and usability, showing that current automatic pairing implementations create systematic vulnerabilities. We responsibly disclosed our findings to affected vendors, with several already releasing patches.

Conference’17, Washington, DC, USA. © 2025

1 Introduction

Bluetooth has become one of the most ubiquitous wireless communication technologies, with billions of devices relying on it for short-range connectivity across personal computing, IoT, peripheral, and wearable applications[23–25]. The widespread adoption of Bluetooth across diverse device types—from smartphones and laptops to headsets, keyboards, and industrial sensors—has made it a critical component of modern digital infrastructure[4, 12, 17, 18, 20]. As these devices increasingly handle sensitive data including audio communications, personal files, and control commands, the security of Bluetooth connections has become paramount.

The security architecture of Bluetooth relies fundamentally on the pairing process, where devices establish a shared long-term key (link key) that serves as the foundation for all subsequent secure communications[3, 31]. The pairing process, typically requiring user confirmation, creates a trusted relationship and secure sessions between devices that should prevent unauthorized access and impersonation attacks. Once paired, devices can automatically reconnect and establish secure sessions without repeated user intervention, enabling the seamless connectivity that users expect from Bluetooth technology.

However, the convenience comes with inherent security risks. The automatic reconnection functionality, while improving user experience, creates potential attack vectors that have not been thoroughly investigated by the security community. Many commercial Bluetooth devices, particularly audio peripherals like headsets and speakers, implement automatic pairing functions designed to simplify the user experience by reducing the need for manual intervention during connection establishment. The automatic pairing functions allow devices to transition automatically into pairing states under certain conditions, such as when attempting to reconnect to previously paired devices.

Prior work has extensively investigated various Bluetooth security vulnerabilities, revealing critical weaknesses in different
aspects of the protocol. Notable attacks such as BIAS (Bluetooth Impersonation AttackS) [5] and Blacktooth [1] have primarily focused on abusing authentication weaknesses, role switching vulnerabilities, and encryption key negotiation flaws in the core Bluetooth specification. The BIAS attack abuses unidirectional authentication procedures to enable device impersonation, while Blacktooth leverages the flexibility of Master/Slave role assignments to establish unauthorized connections. Additionally, attacks like KNOB [6] have demonstrated vulnerabilities in encryption key negotiation processes that can significantly weaken communication security.

Beyond Bluetooth-specific attacks, the broader domain of wireless communication security has seen significant research attention in recent years. Studies on wireless device pairing vulnerabilities have identified various attack vectors, including acoustic eavesdropping during pairing processes [13] and method confusion attacks that exploit differences in authentication methods [28, 30]. Research on WiFi impersonation detection [2] and radio frequency fingerprinting [22] has also contributed to our understanding of wireless communication security challenges.

However, despite this extensive body of work, prior attacks have not analyzed the security implications of automatic pairing functions that are increasingly common in consumer Bluetooth devices. This represents a significant gap in the current understanding of Bluetooth security, as automatic functionalities may introduce novel attack vectors that bypass traditional security assumptions about user involvement in the pairing process. Unlike specification-level vulnerabilities that affect all compliant devices, automatic pairing behaviors vary significantly across manufacturers and device types, creating a diverse and previously unexplored attack surface.

Our work addresses this gap by investigating automatic pairing vulnerabilities for the first time, revealing a critical but overlooked attack surface in modern Bluetooth implementations. In this paper, we present Stealtooth, a novel attack that abuses previously unexplored vulnerabilities in Bluetooth’s automatic pairing functions. The Stealtooth attack achieves completely silent and stealthy link key overwriting by abusing the automatic pairing functions implemented in commercial Bluetooth devices. The Stealtooth attack leverages the fact that many Bluetooth audio devices automatically transition to pairing functionalities when they cannot establish connections with previously paired devices, creating an opportunity for attackers to hijack these pairing processes without any user awareness.

We demonstrate that the Stealtooth attack can be extended into a man-in-the-middle (MitM) attack, called the MitM Stealtooth attack, by combining it with existing techniques that abuse Bluetooth power-saving modes. The MitM Stealtooth attack enables attackers to position themselves between communicating devices and intercept, modify, or relay communications while maintaining the appearance of normal operation to the victims.

The implications of our findings are significant for the broader Bluetooth ecosystem. The Stealtooth attacks work against commercially available devices without requiring any specialized hardware or deep protocol knowledge, making them practical threats that could be deployed by adversaries with minimal technical skills. Furthermore, the silent nature of the attacks makes them particularly dangerous, as users have no indication that their devices have been compromised.

We summarize our main contributions as follows:

• We unveil and demonstrate a novel vulnerability in Bluetooth automatic pairing functions that enables completely silent link key overwriting and propose the Stealtooth attack, which abuses the new vulnerabilities to establish malicious Bluetooth sessions with victim devices. The Stealtooth attack requires no specialized hardware, protocol manipulation, or user interaction, making it highly practical and deployable by adversaries with minimal technical skills.

• We also present the MitM Stealtooth attack, which extends the Stealtooth attack into a MitM attack by combining automatic pairing mode abuse with existing power-saving mode techniques. The MitM Stealtooth attack enables attackers to intercept, modify, and relay communications between victims while maintaining operational transparency.

• We conduct a comprehensive evaluation of the Stealtooth attacks against 10 commercial Bluetooth devices from major manufacturers, demonstrating the widespread nature of automatic pairing vulnerabilities. Our evaluation covers diverse device types including headphones, earbuds, and speakers from Sony, Anker, Google, Xiaomi, and other manufacturers. We also propose practical defenses to mitigate the automatic pairing vulnerabilities and discuss the limitations of our current attack implementation.

Ethical Consideration and Responsible Disclosure: This work investigates unknown threats to widespread technologies and proposes defenses. All experiments were conducted in-house; no external devices were attacked. We responsibly disclosed our findings to the related manufacturers. Several manufacturers acknowledged our findings. Sony has already released patches for the vulnerable devices we reported, with an acknowledgment to us.

The remainder of this paper is organized as follows: Section 2 provides background on Bluetooth technology and connection establishment processes. Section 3 defines our threat model and attack assumptions. Section 4 presents the detailed design of both the Stealtooth and MitM Stealtooth attacks. Section 5 describes our implementation approach. Section 6 presents comprehensive evaluation results against real-world devices. Section 7 discusses defense mechanisms and limitations. Section 8 reviews related work, and Section 9 concludes the paper.

2 Background

2.1 Bluetooth

Bluetooth is a short-range wireless communication technology widely used by billions of personal computing, IoT, peripheral, and wearable devices for low-power communication. The technology operates in the 2.4GHz ISM band and enables devices to exchange commands and data such as keyboard/mouse inputs, audio, and files through secure communication channels.

The Bluetooth technology consists of two main variants: Bluetooth Basic Rate/Extended Data Rate (BR/EDR), also known as Bluetooth Classic, and Bluetooth Low Energy (BLE)[26]. This work focuses on Bluetooth BR/EDR, which we refer to simply as Bluetooth throughout this paper. Bluetooth uses frequency hopping
spread spectrum across 79 channels, each with a bandwidth of 1 MHz.

The Bluetooth system architecture comprises two main components: the Bluetooth Controller and the Bluetooth Host[11]. The Controller implements the physical and logical layers in the Bluetooth chip, while the Host implements the L2CAP layer and application-oriented protocols in the device operating system. These components communicate through the Host Controller Interface (HCI).

In Bluetooth networks, devices are organized in a piconet structure where one device acts as the Master and up to seven other devices serve as Slaves. The Master provides the reference clock signal to synchronize all devices in the network. Importantly, device roles are not fixed—any Bluetooth device can initiate a connection and become the Master, regardless of its functionality or previous role. For example, Bluetooth headsets, typically slave devices, can take master roles and proactively initiate connections with smartphones. Devices can also switch Master-Slave roles after establishing a piconet.

2.2 Bluetooth Pairing And Connection

Establishing communication between Bluetooth devices involves two distinct processes: pairing and connection establishment[16]. These processes implement multiple security mechanisms including encryption, authentication, and authorization to protect sensitive data transmission.

2.2.1 Pairing Process. Pairing is performed when two Bluetooth devices meet for the first time and need to establish a shared long-term key, known as the link key (K_L)[10]. The most secure and widespread pairing mechanism is Secure Simple Pairing (SSP), which uses Elliptic Curve Diffie-Hellman (ECDH) for key agreement[7, 26, 27, 32]. If both devices support Secure Connections, SSP is performed on the P-256 curve; otherwise, it uses the P-192 curve[5]. During pairing, user confirmation is typically required when a new device attempts to pair with the user’s device to prevent unauthorized connections. The pairing process generates a link key that serves as the foundation for all future secure connections between the two devices. This key is stored on both devices and remains valid for subsequent connection attempts, eliminating the need to repeat the pairing process.

2.2.2 Connection Establishment. Once devices are paired and share a link key, they can establish multiple secure connections using different session keys derived from the long-term key and public parameters. However, the Bluetooth specification also supports temporary connections between unpaired devices for basic communication, service discovery, and legacy compatibility purposes. The connection establishment process involves several phases:

Initial Connection Setup: The Master device first queries the Slave to obtain device name and features, then sends a Connection Request to initiate connection establishment. This process leverages the flexible role assignment in Bluetooth, where the device initiating the connection becomes the Master.

Authentication: Bluetooth provides two authentication mechanisms depending on device capabilities. Legacy Authentication is used for Legacy Secure Connections and provides unilateral authentication where typically only the Master authenticates the Slave[3]. Secure Authentication is used for Secure Connections and provides mutual authentication where both devices must prove possession of the shared link key.

Encryption Key Negotiation: After successful authentication, devices negotiate an encryption key for the session[14]. The entropy of this encryption key ranges from 1 to 16 bytes according to the key length negotiation procedure. For Secure Connections, AES CCM encryption is used, while Legacy Secure Connections employ the E0 stream cipher[1, 6].

Profile Management: Bluetooth profiles define the protocols and functions required for specific device interactions[1]. Common profiles include the Advanced Audio Distribution Profile (A2DP) for audio communication, Human Interface Device Profile (HID) for keyboards and mice, and Phone Book Access Profile (PBAP) for contact access. Devices can implement multiple profiles simultaneously and advertise their available services using the Service Discovery Protocol (SDP).

[Figure 1 (image): Bob (Slave) and Alice (Master) share a link key; a temporary disconnection occurs due to sleep mode; Mallory impersonates Alice toward Bob and impersonates Bob toward Alice.]

Figure 1: Threat model: Alice and Bob share a link key in advance. Mallory does not know the link key pre-shared between the victims. Mallory aims to establish Bluetooth sessions with Alice and Bob and maliciously control communications and operations between Alice and Bob.

3 Threat Model

In this section, we define our system and attacker models (Figure 1), as well as the notation we use in the rest of the paper.

3.1 System Model

We consider Alice and Bob (i.e., victims) who communicate securely via Bluetooth. Alice and Bob represent arbitrary Bluetooth devices and support arbitrary Bluetooth profiles (e.g., HID (Human Interface Device Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (A/V Remote Control Profile)).
Without loss of generality, we assume Alice is the master and Bob is the slave. We assume the victims have previously paired and share a link key.

3.2 Attacker Model

We consider an attacker Mallory who aims to impersonate Alice, establish a secure connection with Bob, and use Bluetooth profiles to maliciously send data to Bob. Furthermore, Mallory also aims to impersonate Bob, establish a secure connection with Alice, and use the Bluetooth profile access permissions to control Alice’s operations.

Mallory must be physically present within the Bluetooth range of the victims. Mallory does not know about the secure pairing process between the victims or their link keys. Mallory can capture unencrypted Bluetooth packets and recognize public information such as the victims’ Bluetooth names and addresses.

3.3 Notations

In this paper, we denote the link key shared between Alice and Bob as LK_AB. Additionally, we denote the link key shared between Mallory and Alice as LK_MA, and the link key shared between Mallory and Bob as LK_MB.

4 The Stealtooth Attack

4.1 Attack Description

4.1.1 Strategy. The Stealtooth attack abuses a new vulnerability that exists in Bluetooth’s pairing mode, allowing Mallory to establish a completely stealthy Bluetooth session with Bob. In this section, we explain the attack strategy of the Stealtooth attack.

The Stealtooth attack abuses a new improper authentication vulnerability present in Bluetooth audio devices (i.e., Bob). The sequence of the vulnerability is shown in Figure 2 and Figure 3. The vulnerability is such that when Mallory is impersonating a device paired with Bob (i.e., Alice), even if Bob is not explicitly in pairing mode and without requiring any operations from Bob’s user, Bob will actively (or passively, depending on the device) connect and pair with Mallory. The attack strategy using the new vulnerability is as follows. First, Mallory changes her own Bluetooth address and adapter name to match Alice’s settings. Next, Mallory sets the status of her Bluetooth adapter to Discoverable so that it can be detected by third-party devices[29]. After setting the adapter status, Mallory waits until Bob has been inactive for a certain period of time or is manually powered off. Subsequently, when Alice is powered off or her Bluetooth adapter status is set to off, and Bob is powered on again, Bob will actively (or passively, depending on the device) connect and pair with Mallory. At this time, during the pairing process, there are no notifications or permission requests to the users of Bob or Alice, thereby achieving a completely stealthy attack.

4.1.2 Reproducibility. The Stealtooth attack is highly reproducible. To demonstrate that the attack is realistic, we describe a reproduction scenario. In the reproduction scenario, we consider a smartphone, Trent, which supports Bluetooth. Also, we assume that Alice is a laptop supporting Bluetooth, and Bob has already paired with both Alice and Trent. For example, Alice and Bob establish a Bluetooth session for a video conference. After the video conference ends, Alice and Bob turn off their power. Next, Trent attempts to connect with Bob to listen to music playing on the smartphone. However, if Mallory impersonating Alice exists within Bob’s Bluetooth communication range, Bob improperly authenticates with Mallory before receiving the connection request from Trent. This reproduction scenario is the scenario in which we discovered the new vulnerability.

4.1.3 Impact. The Stealtooth attack has a severe impact on Bluetooth security and privacy. The Stealtooth attack can easily overwrite the link key required for Bluetooth communication and maliciously hijack Bluetooth sessions between victims. Furthermore, using the hijacked session, Mallory can decrypt data transmitted from victims or inject authorized messages to victims. Importantly, the attack has high stealthiness because pairing is executed without triggering any user operations or notifications, despite the fact that Mallory has never previously paired with Bob, meaning Mallory holds no information about Bob whatsoever. Additionally, the attack strategy used by the Stealtooth attack is threatening because it is completely unaffected by the presence or absence of SSP settings during Alice’s or Bob’s Bluetooth session establishment. Regarding the reproduction of the vulnerability used in the Stealtooth attack, it requires neither special privileges nor tools, nor the implementation and execution of any specific code.

4.2 Attack Root Causes

The root cause of the Stealtooth attack lies in the automatic pairing mode functionality implemented in Bob, which transitions to pairing mode without requiring user intervention. Hereafter, this functionality will be referred to as “automatic pairing mode”. Bob’s automatic pairing mode is triggered when Bob attempts to reconnect with Alice but cannot confirm the connection. Mallory abuses this transition to automatic pairing mode to stealthily overwrite the link key previously shared between Alice and Bob, circumventing both user intervention and notifications. The Stealtooth attack represents the first attack that stealthily overwrites link keys by abusing the vulnerability in automatic pairing mode.

The link key overwrite scenario due to automatic pairing mode vulnerabilities can be divided into the following two patterns (Pattern#1 and #2) based on the difference in connection initiators for overwriting the link key.

Pattern#1: Bob is the connection initiator. Figure 2 shows the vulnerability sequence of improper authentication due to automatic pairing mode when the connection initiator is Bob. We assume that Alice and Bob are pre-paired and communicate securely. Meanwhile, Mallory impersonates Alice and makes herself discoverable to other Bluetooth devices. We consider the case where Bob’s Bluetooth session with Alice is disconnected, and Alice is also unavailable for connection. In this scenario, when Bob recovers and restores the Bluetooth session, Bob attempts to connect to Mallory impersonating Alice. Since Bob misidentifies Mallory as Alice, device authentication fails due to the link key mismatch between Bob and Mallory. However, regardless of the device authentication result, Bob actively executes pairing while still misidentifying Mallory as Alice through automatic pairing mode. The connection initiator
depends on the type of Bob device; the initiator may be either Bob or Mallory.

[Figure 2 (sequence diagram, image): participants Mallory (impersonates Alice), Bob, Alice. Spoofing: LK_AB is shared between Alice and Bob, not with Mallory; Mallory impersonates Alice; Alice and Bob communicate securely with LK_AB; Mallory sets her Bluetooth adapter state to discoverable; Bob temporarily terminates the sessions with Alice; Alice turns herself off or disables her Bluetooth adapter. Improper authentication abusing automatic pairing mode: Bob restores the terminated sessions; Bob triggers connection and authentication automatically and silently; LK_MB is shared between Mallory and Bob, not with Alice; LK_AB is invalidated by Bob; Alice turns herself on or enables her Bluetooth adapter; Alice cannot restore the terminated sessions with Bob.]

Figure 2: Improper Authentication Sequences (Bob is the connection initiator): We assume that Alice and Bob are paired, and Mallory impersonates Alice and is discoverable to other devices. When Bob’s Bluetooth session with Alice is disconnected and Alice is also unavailable for connection, Bob, upon being powered on again, attempts to connect to Mallory impersonating Alice and actively executes pairing with Mallory through automatic pairing mode. To establish a malicious Bluetooth session with Bob, Mallory only needs to impersonate Alice and wait for Bob’s recovery.

[Figure 3 (sequence diagram, image): same participants and setup as Figure 2. Improper authentication abusing automatic pairing mode: Bob restores the terminated sessions; Bob triggers connection, but the connection is aborted due to the authentication failure; Mallory recognizes Bob’s Bluetooth address from that connection request; Mallory triggers connection and authentication automatically and silently; LK_MB is shared between Mallory and Bob, not with Alice; LK_AB is invalidated by Bob; Alice turns herself on or enables her Bluetooth adapter; Alice cannot restore the terminated sessions with Bob.]

Figure 3: Improper Authentication Sequences (Mallory is the connection initiator): Considering the case where Bob is powered on again under the same assumptions as Figure 2, Bob attempts to connect to Mallory impersonating Alice, but disconnects from Mallory due to device authentication failure caused by link key mismatch. However, through Bob’s connection attempt, Mallory recognizes Bob’s Bluetooth address. At this point, when Mallory requests a connection to Bob while still impersonating Alice, Bob in automatic pairing mode pairs with Mallory.
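The root cause described in Section 4.2, a device that falls into pairing mode after an authentication failure on a bonded address, can be made concrete with a small model of Bob's reconnection policy, run once with the vulnerable behaviour and once with a hardened policy in the spirit of the notification-based defenses the paper proposes. This is a constructed simulation added for this edit, not code from the paper or from any vendor firmware; the address, the keys, the `accepts_pairing` flag and the hardened branch are assumptions.

```python
"""Constructed simulation of a headset's (Bob's) reconnection policy.

Replays Pattern#1 from Section 4.2 against a vulnerable Bob (automatic
pairing mode) and against a hardened Bob that keeps LK_AB and notifies the
user instead. Added for this edit; not code from the paper or any vendor.
"""
from dataclasses import dataclass, field
import secrets

ALICE_ADDR = "AA:BB:CC:DD:EE:01"   # constructed public address (assumption)


@dataclass
class Peer:
    name: str
    bd_addr: str              # public Bluetooth address; Mallory can clone it
    link_key: bytes           # the key this peer holds for Bob
    accepts_pairing: bool     # will this peer run pairing if Bob offers it?


@dataclass
class Headset:
    """Bob: an audio device that remembers bonded peers by address only."""
    bonds: dict               # bd_addr -> link key (LK_AB under Alice's address)
    auto_pairing: bool        # True = the vulnerable behaviour from Section 4.2
    notifications: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def authenticate(self, peer: Peer) -> bool:
        """Device authentication passes only if both sides hold the same link key."""
        stored = self.bonds.get(peer.bd_addr)
        return stored is not None and secrets.compare_digest(stored, peer.link_key)

    def reconnect(self, peer: Peer) -> str:
        """Bob restores its session with whatever answers on a bonded address."""
        if self.authenticate(peer):
            self.events.append(("session", peer.bd_addr))
            return "connected"
        self.events.append(("auth_fail", peer.bd_addr))
        if self.auto_pairing and peer.accepts_pairing:
            # Pattern#1/#2: after the mismatch Bob slides into pairing mode and
            # pairs with the counterpart on that address. No prompt, no notice.
            new_key = secrets.token_bytes(16)        # becomes LK_MB
            peer.link_key = new_key
            self.bonds[peer.bd_addr] = new_key       # LK_AB silently overwritten
            self.events.append(("link_key_overwrite", peer.bd_addr))
            return "connected"
        if not self.auto_pairing:
            # Hardened policy (editor's assumption of the paper's defense direction):
            # keep LK_AB, never enter pairing mode on an auth failure, tell the user.
            self.notifications.append(
                f"authentication failed for bonded device {peer.bd_addr}; "
                "pairing not started")
        return "rejected"


def overwrite_alerts(headset: Headset) -> list:
    """Defender-side audit: a bonded address whose link key changed outside a
    user-initiated pairing is exactly the trace the Stealtooth attack leaves."""
    return [addr for kind, addr in headset.events if kind == "link_key_overwrite"]


def run_scenario(auto_pairing: bool) -> dict:
    """Pattern#1: Alice is off, Bob powers on, then Alice returns."""
    lk_ab = secrets.token_bytes(16)                          # constructed LK_AB
    # Alice (a laptop) believes it is bonded and will not re-pair silently (assumption).
    alice = Peer("Alice", ALICE_ADDR, lk_ab, accepts_pairing=False)
    bob = Headset(bonds={ALICE_ADDR: lk_ab}, auto_pairing=auto_pairing)
    # Mallory clones Alice's public address and name but does not know LK_AB.
    mallory = Peer("Mallory", ALICE_ADDR, secrets.token_bytes(16), accepts_pairing=True)

    mallory_result = bob.reconnect(mallory)   # Bob restores its session with "Alice"
    alice_result = bob.reconnect(alice)       # the real Alice comes back with LK_AB
    return {
        "mallory": mallory_result,
        "alice_after": alice_result,
        "key_overwritten": bob.bonds[ALICE_ADDR] != lk_ab,
        "notifications": list(bob.notifications),
        "alerts": overwrite_alerts(bob),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("auto_pairing =", mode, run_scenario(mode))
```

With automatic pairing on, Mallory ends up bonded under Alice's address and Alice can no longer reconnect, exactly the outcome of Figure 2; with it off, the mismatch produces a user notification and LK_AB survives.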
Pattern#2: Mallory is the connection initiator. Figure 3 shows the vulnerability sequence of improper authentication due to automatic pairing mode when the connection initiator is Mallory. Under the same assumptions as Pattern#1, we consider the case where Bob attempts to restore the Bluetooth session again. Bob tries to connect to Mallory impersonating Alice. However, Mallory does not know the link key shared between Alice and Bob. Therefore, due to device authentication failure caused by the link key mismatch between Bob and Mallory, Bob disconnects the temporary connection with Mallory and transitions to automatic pairing mode. Meanwhile, through Bob’s active connection attempt, Mallory recognizes Bob’s Bluetooth address. At this point, when Mallory requests a connection to Bob while still impersonating Alice, Bob in automatic pairing mode pairs with Mallory regardless of the device authentication result and without requiring security-level verification during pairing.

The malicious establishment of Bluetooth sessions and link key overwriting through the above two patterns (Pattern#1 and #2) both abuse the automatic pairing mode that devices secretly transition to. To the best of our knowledge, there have been no prior attacks against Bluetooth that focused on the vulnerabilities of automatic pairing mode.

4.3 The MitM Stealtooth Attacks

While the Stealtooth attack is completely stealthy, victims may still have a chance to notice they are under attack. For example, if an attacker launches the Stealtooth attack when the victim wants to use their Bluetooth headset, the victim will find they cannot connect to their headset and have an opportunity to discover the attack. To make the attack more concealed, we extend the Stealtooth attack to a MitM attack.

To extend the Stealtooth attack to a MitM attack, we employ the Breaktooth attack proposed by Kimura et al. in 2025, which hijacks device operations using Bluetooth power-saving mode. In this section, we first provide an overview of the Breaktooth attack. Then, we describe the attack strategy of the MitM Stealtooth attack, which combines the Stealtooth and Breaktooth attacks.

4.3.1 The Breaktooth Attack. In 2025, Kimura et al. proposed Breaktooth, a device hijacking attack that abuses Sleep mode, a Bluetooth power-saving mode[15]. The Breaktooth attack is the first attack to hijack victim device operations using Sleep mode. The Breaktooth attack abuses two vulnerabilities in Sleep mode: Vuln.#1: the lack
of security notifications when Bluetooth sessions are disconnected, and Vuln.#2: the vulnerability where the Master transitions to a state that accepts connection requests from Slaves after Bluetooth session disconnection. The attacker abuses Vuln.#1 and #2 to hijack Bluetooth sessions between victims without requiring any prior knowledge of link keys between victims, special privileges, or specialized tools. Furthermore, using the hijacked session as a starting point, the attacker gains complete control over the victim device operations.

The attack strategy of the Breaktooth attack consists of the following four steps (Step#1-1 to #1-4):

Step#1-1. Spoofing: The attacker changes their Bluetooth name and address to impersonate the victim’s Slave.

Step#1-2. Session Hijacking: The attacker, impersonating the victim’s Slave from Step#1-1, detects the temporary disconnection state of Bluetooth between victims due to Sleep mode, and at this moment sends a connection request to the Master as the victim’s Slave to hijack the Bluetooth session between victims.

Step#1-3. Link Key Hijacking: After Step#1-2, the attacker, while still impersonating the victim’s Slave, sends a pairing request to the Master specifying low security-level authentication functions and generates a new link key between them.

Step#1-4. Command Injection: Exploiting the link key hijacked in Step#1-3, the attacker uses sensitive profiles to control the victim Master’s operations. For example, the attacker uses the Human Interface Device profile to inject malicious commands into the victim’s Master.

The sequence of the Breaktooth attack is shown in Figure 4. To hijack sessions by abusing Sleep mode vulnerabilities, the attacker needs to remotely and secretly monitor the state of Bluetooth sessions between victims. The Breaktooth attack achieves this by maliciously using l2ping[9, 19, 21, 33]. Kimura et al. analyzed the echo request and response behavior of l2ping, enabling attackers to remotely and secretly recognize Bluetooth sessions between victims.

[Figure 4 (sequence diagram, image): participants Mallory (impersonates Bob), Bob, Alice. Step#1-1 Spoofing: LK_AB is shared between Alice and Bob, not with Mallory; Mallory impersonates Bob; Alice and Bob communicate securely with LK_AB; L2ping echo requests. Step#1-2 Session Hijacking: the disconnection process is performed between Alice and Bob due to Bluetooth sleep mode; L2ping echo request and response; Mallory triggers connection establishment. Step#1-3 Link Key Hijacking: Mallory triggers authentication with low security level; LK_MA is shared and LK_AB invalidated. Step#1-4 Command Injection / Audio Eavesdropping: Mallory and Alice establish HID, A2DP, and AVRCP connections; command injection; audio.]

Figure 4: The Breaktooth attack sequences: The Breaktooth attack abuses a vulnerability where Alice transitions to a state that accepts reconnection requests from Bob after Bob enters Sleep mode as the attack starting point. Mallory detects Sleep mode from Alice’s response behavior to malicious l2ping echo requests and abuses the Sleep mode vulnerability to hijack the Bluetooth session between Alice and Bob.

Step#2-3. Link Key Hijack: After the session hijack attack, Mallory sends a pairing request to Alice while impersonating
Kimura et al. developed a tool to demonstrate the Breaktooth Bob, generating a new link key between them (𝐿𝐾𝑀𝐴 ). This
attack and evaluated the attack against commercial Bluetooth key- invalidates 𝐿𝐾𝐴𝐵 . Mallory does this by bypassing the PIN
boards, mice, and audio devices that support Sleep mode. The eval- code authentication.
uation results showed that attackers could control the operations Step#2-4. Improper Authentication Mallory, impersonating
of Masters (e.g., laptops, smartphones). Additionally, Kimura et al. Alice, abuses the authentication vulnerability described in
released the developed tool as open-source. Section 4.1.1 and actively triggers Bob, who has returned
from the sleep mode, to perform authentication, generating
4.3.2 MitM Attacks Combining Stealtooth And Breaktooth. This and sharing 𝐿𝐾𝑀𝐵 between Mallory and Bob.
section introduces the MitM Stealtooth attack strategy. Figure 5 Step#2-5. MitM Attacks Up to the improper authentication
shows the details of the attack strategy. The strategy consists of step, Mallory shares the link key 𝐿𝐾𝑀𝐴 with Alice and the
the following five steps (Step#2-1 to #2-5): link key 𝐿𝐾𝑀𝐵 with Bob. Therefore, Mallory becomes a
Step#2-1. Spoofing Mallory changes her Bluetooth name and MitM, capable of intercepting and manipulating the com-
its address to impersonate Bob. The same applies when Mal- munication between Alice and Bob. For example, Mallory,
lory impersonates Alice. impersonating Bob, establishes a connection with Alice using
Step#2-2. Session Hijack Mallory, impersonating Bob, detects both the A2DP and AVRCP profiles, while Mallory, imper-
the temporary disconnection state of Bluetooth between sonating Alice, establishes a connection with Bob using the
Alice and Bob by the sleep mode, and at this moment sends a A2DP profile. In this scenario, Mallory can secretly eaves-
connection request to Alice as Bob, hijacking the Bluetooth drop on the audio data transmitted between Alice and Bob.
session between Alice and Bob.
Breaking Bluetooth Security Abusing Silent Automatic Pairing Conference'17, July 2017, Washington, DC, USA

[Figure 5: sequence diagram with lanes Alice, the two Mallory devices (one impersonating Bob towards Alice, one impersonating Alice towards Bob), and Bob. Initially LK_AB is shared between Alice and Bob, not with Mallory, and Alice and Bob communicate securely with LK_AB. Spoofing: Mallory impersonates Bob and Alice; L2ping echo requests are sent. Session Hijacking Abusing Bluetooth Power-Saving Mode: the disconnection process is performed between Alice and Bob due to Bluetooth sleep mode; further L2ping echo requests; Mallory triggers connection establishment. Link Key Hijacking: Mallory triggers authentication with a low security level; LK_MA is shared and LK_AB invalidated. Improper Authentication: Bob wakes up from sleep mode; Bob (or Mallory) triggers connection and authentication automatically and silently; LK_MB is shared. Man-in-the-Middle Attacks: Mallory and Alice establish HID, A2DP, and AVRCP connections; Mallory and Bob establish A2DP connections; the two Mallory devices share the audio data; command injection towards Alice, audio towards Bob.]

Figure 5: The MitM Stealtooth attack strategy: Alice and Bob have already paired and share LK_AB. If Bob remains inactive for a certain period, Bob terminates the session between Alice and Bob. After the termination, Mallory triggers connection establishment and low-level authentication. After the authentication, Mallory and Alice share LK_MA. On the other hand, when Bob restores the session, Mallory abuses the authentication vulnerability to pair with Bob, and shares LK_MB with Bob. Finally, Mallory stealthily proxies the communication between Alice and Bob as a MitM abusing LK_MA and LK_MB.
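The following Python model is an added illustration, not code from the paper or from the Breaktooth tool. It walks the link-key bookkeeping of Steps #2-1 to #2-5 with a toy Device whose bonding table is replaced silently on re-pairing (the automatic pairing behaviour the attack relies on), and a GuardedDevice that instead refuses to replace the key for an already bonded address unless a user prompt confirms it, which is one concrete shape of the device-level defense proposed in Section 7.1. Everything beyond the step sequence is an assumption of the model: the class and function names, the confirm callback standing in for the user prompt, the sample addresses, and the reduction of pairing to "the responder generates a fresh 16-byte link key"; PIN bypass and security-level negotiation are not modelled.

```python
"""Link-key bookkeeping for the MitM Stealtooth sequence (Steps #2-1 to #2-5) and a replacement guard.
Added illustration, not the paper's code: pairing is reduced to "the responder generates a fresh
16-byte link key for the requesting address"; PIN bypass and security-level negotiation are not modelled."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Device:
    """A BR/EDR endpoint with a bonding table (peer address -> link key).

    auto_pair=True models silent automatic pairing: a pairing request from an address the
    device already knows is honoured and the stored key is replaced without any user action.
    """
    name: str
    addr: str
    auto_pair: bool = True
    bonds: Dict[str, bytes] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def accept_pairing(self, peer_addr: str) -> Optional[bytes]:
        """Return the new link key for peer_addr, or None if the device refuses to pair."""
        if peer_addr in self.bonds and not self.auto_pair:
            return None
        key = secrets.token_bytes(16)
        self.bonds[peer_addr] = key  # any earlier key stored for this address is now invalid
        return key


class GuardedDevice(Device):
    """Refuses to silently replace the link key of an address it is already bonded to.

    `confirm` is an assumption standing in for the user notification and prompt that
    Section 7.1.1 calls for; a first-time pairing is still accepted automatically.
    """

    def __init__(self, name: str, addr: str, confirm: Callable[[str], bool]) -> None:
        super().__init__(name, addr, auto_pair=True)
        self._confirm = confirm

    def accept_pairing(self, peer_addr: str) -> Optional[bytes]:
        if peer_addr in self.bonds:
            self.notifications.append(f"{self.name}: re-pair request from bonded address {peer_addr}")
            if not self._confirm(peer_addr):
                return None
        return super().accept_pairing(peer_addr)


def authenticate(initiator: Device, responder: Device) -> bool:
    """Link-key authentication succeeds only when both sides hold the same key for each other."""
    key = initiator.bonds.get(responder.addr)
    return key is not None and responder.bonds.get(initiator.addr) == key


def mitm_sequence(alice: Device, bob: Device) -> Dict[str, bool]:
    """Run Steps #2-1 to #2-5 against alice (Master) and bob (Slave); report who can authenticate to whom."""
    lk_ab = secrets.token_bytes(16)  # pre-attack state: Alice and Bob share LK_AB
    alice.bonds[bob.addr] = lk_ab
    bob.bonds[alice.addr] = lk_ab

    # Step#2-1 Spoofing: Mallory runs two radios carrying Bob's and Alice's addresses and holds no keys.
    mallory_as_bob = Device("Mallory (as Bob)", bob.addr)
    mallory_as_alice = Device("Mallory (as Alice)", alice.addr)

    # Step#2-2/#2-3 Session and link key hijack: while the Alice-Bob session is down (Sleep mode),
    # Mallory-as-Bob connects to Alice. Lacking LK_AB she cannot authenticate, so she asks to
    # pair; if Alice auto-pairs, LK_MA replaces LK_AB in Alice's bonding table.
    if not authenticate(mallory_as_bob, alice):
        lk_ma = alice.accept_pairing(mallory_as_bob.addr)
        if lk_ma is not None:
            mallory_as_bob.bonds[alice.addr] = lk_ma

    # Step#2-4 Improper authentication: Bob wakes and reconnects to "Alice", i.e. Mallory-as-Alice,
    # who holds no key for him, so authentication fails. A device that falls into automatic
    # pairing after a failed authentication pairs again, yielding LK_MB.
    if not authenticate(bob, mallory_as_alice):
        lk_mb = bob.accept_pairing(mallory_as_alice.addr)
        if lk_mb is not None:
            mallory_as_alice.bonds[bob.addr] = lk_mb

    # Step#2-5: Mallory is a MitM exactly when she can authenticate to both victims.
    to_alice = authenticate(mallory_as_bob, alice)
    to_bob = authenticate(mallory_as_alice, bob)
    return {
        "mallory_auth_alice": to_alice,
        "mallory_auth_bob": to_bob,
        "mitm": to_alice and to_bob,
        "lk_ab_intact": alice.bonds[bob.addr] == lk_ab and bob.bonds[alice.addr] == lk_ab,
    }


if __name__ == "__main__":
    # Constructed sample addresses; not real device identifiers.
    print("auto-pairing victims:",
          mitm_sequence(Device("Alice", "00:11:22:33:44:55"), Device("Bob", "66:77:88:99:AA:BB")))

    def deny(peer_addr: str) -> bool:  # the user declines every re-pair prompt
        return False

    print("guarded victims:",
          mitm_sequence(GuardedDevice("Alice", "00:11:22:33:44:55", deny),
                        GuardedDevice("Bob", "66:77:88:99:AA:BB", deny)))
```

With two plain Devices the sequence ends with mitm=True and lk_ab_intact=False: Mallory can authenticate to both victims and LK_AB survives on neither side. With both victims guarded, mitm=False, LK_AB is untouched and each victim has logged one re-pair notification. Guarding only one side is not enough: with a guarded Alice and a plain Bob, Step#2-4 still yields LK_MB, so Bob alone remains hijackable even though the full MitM fails.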

Table 1: Specifications of devices used as Mallory in the Stealtooth attack: In the MitM Stealtooth attack evaluation, two devices are required as Mallory, one impersonating Alice and one impersonating Bob, but both use devices with the same specifications.

Device Model: Raspberry Pi 4 Model B
Operating System: Raspberry Pi OS
System: 32bit
Debian Version: 11 Bullseye
Kernel Version: 6.1
BlueZ Version: 5.55
Bluetooth Version: 5.0

5 Implementation

As described in Section 4.1.3, the execution of the Stealtooth attack requires no specific attack code whatsoever. Therefore, this chapter focuses on the implementation of the MitM Stealtooth attack. As described in Section 4.3.2, among the steps of the MitM attack strategy, Step#2-1 to Step#2-3 are identical to the Breaktooth attack. Therefore, we execute them using the open-source tool of the Breaktooth attack. Additionally, Step#2-4 can be executed without requiring implementation. Therefore, this chapter describes the implementation details for demonstrating the man-in-the-middle attack in Step#2-5.

We implement the following two systems to intercept and relay audio data transmitted and received using A2DP between the victim Bluetooth devices.

A2DP Sender: A2DP Sender operates on the Mallory impersonating Bob. A2DP Sender forwards audio data received from Alice to the other Mallory impersonating Alice.

A2DP Receiver: A2DP Receiver operates on the Mallory impersonating Alice. A2DP Receiver sends audio data forwarded from A2DP Sender to Bob.
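As an added example (not the paper's A2DP Sender/Receiver code, which relies on PulseAudio and BlueZ), the following Python sketches the transport the two systems share between the Mallory devices: a bounded queue in front of the TCP socket, length-prefixed frames, and a reconnect loop with exponential backoff, the properties described in the implementation paragraphs that follow. Assumptions: the 4-byte length-prefix framing, the drop-oldest policy when the queue is full, the backoff parameters, and the loopback demo standing in for the two hosts; PCM is represented by constructed byte patterns rather than audio captured from PulseAudio.

```python
# PCM relay between the two Mallory hosts: bounded queue, length-prefixed TCP frames, reconnect with backoff.
# Added illustration, not the paper's code; the wire framing and queue policy are assumptions.
import contextlib
import itertools
import queue
import socket
import struct
import threading
import time

FRAME_HDR = struct.Struct("!I")  # 4-byte big-endian payload length


def backoff_delay(attempt, base=0.5, cap=8.0):
    """Seconds to wait before reconnect attempt `attempt` (0-based): base * 2**attempt, capped."""
    return min(cap, base * 2 ** attempt)


class PcmRelaySender:
    """Mallory-as-Bob side: queues captured PCM chunks and forwards them over TCP."""

    def __init__(self, host, port, max_chunks=64):
        self._addr, self._q, self.dropped = (host, port), queue.Queue(maxsize=max_chunks), 0
        self._stop, self._thread = threading.Event(), threading.Thread(target=self._run, daemon=True)
        self._thread.start()

    def push(self, chunk):
        """Drop the oldest chunk when full: capture never blocks and latency stays bounded."""
        if self._q.full():
            self._q.get_nowait()
            self.dropped += 1
        self._q.put_nowait(chunk)

    def close(self):
        self._stop.set()
        self._thread.join(timeout=10)

    def _connect(self):
        for attempt in itertools.count():
            try:
                return socket.create_connection(self._addr, timeout=2)
            except OSError:
                if self._stop.is_set():
                    return None
                time.sleep(backoff_delay(attempt, base=0.05, cap=1.0))  # 50 ms, 100 ms, ... up to 1 s

    def _run(self):
        sock = pending = None
        while not self._stop.is_set():
            if pending is None:
                try:
                    pending = self._q.get(timeout=0.1)
                except queue.Empty:
                    continue
            if sock is None and (sock := self._connect()) is None:
                break  # asked to stop while the receiver was unreachable
            try:
                sock.sendall(FRAME_HDR.pack(len(pending)) + pending)
                pending = None  # discarded only after a successful send; otherwise resent after reconnect
            except OSError:
                sock.close()
                sock = None
        if sock is not None:
            sock.close()


class PcmRelayReceiver:
    """Mallory-as-Alice side: reassembles frames from the TCP stream and hands each chunk to `sink`."""

    def __init__(self, sink, host="127.0.0.1", port=0):
        self._sink, self._stop, self._conn = sink, threading.Event(), None
        self._srv = socket.create_server((host, port))  # port 0: let the OS choose
        self._srv.settimeout(0.2)  # so the accept loop notices close()
        self.port = self._srv.getsockname()[1]
        self._thread = threading.Thread(target=self._run, daemon=True)
        self._thread.start()

    def close(self):
        self._stop.set()
        if self._conn is not None:
            with contextlib.suppress(OSError):
                self._conn.shutdown(socket.SHUT_RDWR)  # unblock a pending read
        self._thread.join(timeout=10)
        self._srv.close()

    def _run(self):
        while not self._stop.is_set():
            try:
                self._conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            with self._conn as conn, conn.makefile("rb") as stream:  # one framing context per connection
                while True:
                    hdr = stream.read(FRAME_HDR.size)
                    if len(hdr) < FRAME_HDR.size:
                        break  # peer closed; a torn frame dies with its connection and the sender reconnects
                    payload = stream.read(FRAME_HDR.unpack(hdr)[0])
                    if len(payload) < FRAME_HDR.unpack(hdr)[0]:
                        break
                    self._sink(payload)


def relay_demo(chunks, timeout=10.0):
    """Run both ends on loopback, push `chunks`, return what the receiver delivered, in order."""
    received = []
    rx = PcmRelayReceiver(received.append)
    tx = PcmRelaySender("127.0.0.1", rx.port)
    for chunk in chunks:
        tx.push(chunk)
    deadline = time.monotonic() + timeout
    while len(received) < len(chunks) and time.monotonic() < deadline:
        time.sleep(0.02)
    tx.close()
    rx.close()
    return received
```

relay_demo() starts both ends on 127.0.0.1 (the receiver binds port 0 so the OS picks a free port), pushes the given chunks through the sender and returns what the receiver delivered; constructed byte patterns such as bytes([i]) * 4096 serve as the PCM chunks. Because a chunk is only discarded after sendall() returns, a TCP drop between the two hosts costs a reconnect and a resend, not data; what is lost under sustained back-pressure is the oldest queued audio, counted in sender.dropped.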

A2DP Sender Implementation. A2DP Sender intercepts A2DP streams transmitted from Alice and forwards them to A2DP Receiver via TCP socket communication. For obtaining A2DP streams, we utilize the Bluetooth module of the PulseAudio server. The PulseAudio server cooperates with the A2DP stack provided by BlueZ to acquire Bluetooth audio data as PCM data.

To ensure session stability, we implement an independent thread that monitors the TCP socket status and attempts reconnection with exponential backoff when a disconnection is detected. We also manage captured PCM data with queue buffers to mitigate the effects of network delays.

A2DP Receiver Implementation. A2DP Receiver sends audio data forwarded from A2DP Sender to Bob using A2DP. This system operates as a TCP socket server and utilizes the BlueZ stack through the PulseAudio server for audio stream transmission. Using PulseAudio enables retransmission of intercepted audio data as A2DP-compliant audio streams. Additionally, by leveraging the audio processing stack of PulseAudio and BlueZ, we implement conversion from PCM data to the audio codecs used in A2DP (e.g., SBC) and stable audio stream transmission.

Our implementation assumes the BlueZ stack on the Linux kernel. We adopted BlueZ for the attack demonstration because it is the most widely adopted open-source Bluetooth protocol stack.

6 Evaluation

In this section, we describe the devices used for the Stealtooth attack evaluation and the attack scenarios used to evaluate the attack. We also present our evaluation setup and results.

6.1 Attack Devices

In the Stealtooth attack evaluation, we use a Raspberry Pi 4 Model B device as Mallory, as shown in Table 1. In the MitM Stealtooth attack evaluation, we use two Raspberry Pis as shown in Table 1. The Raspberry Pi runs Raspberry Pi OS (11 Bullseye) with Linux kernel version 6.1. This operating system comes with BlueZ 5.55 pre-installed. We employ hciconfig for HCI configuration commands and hcitool for Bluetooth device scanning and enumeration operations [8]. Both commands are included in the BlueZ Bluetooth stack and are readily available upon OS installation. Additionally, Bluetooth adapter support is built into the Raspberry Pi by default. Consequently, the hardware/software cost of the Stealtooth attack is low.

Additionally, we use one device as Alice, as shown in Table 2. For Bob, we use 10 commercial Bluetooth headsets, as shown in Table 3.

Table 2: Specifications of the device used as Alice in the Stealtooth attack

Manufacturer  Model             Operating System  Bluetooth Version
Microsoft     Surface Laptop 4  Windows 11        5.1

Table 3: Specifications of devices used as Bob

Manufacturer  Model                               Bluetooth Version  Chip Producer  Chip Model
Sony          WH-1000XM5                          5.2                MediaTek       MT2822
Sony          WH-1000XM4                          5.0                MediaTek       MT2811
Sony          WF-1000XM5                          5.3                -              -
Sony          WF-1000XM4                          5.2                MediaTek       MT2822S
Anker         Soundcore Space One                 5.3                -              -
EDIFIER       W820NB                              5.0                -              -
TOZO          NC2                                 5.2                -              -
Xiaomi        Redmi Buds 6 Pro                    5.3                -              -
Google        Pixel Buds Pro                      5.0                -              -
BOSE          Bose QuietComfort Ultra Headphones  5.3                Qualcomm       QCC5181

6.2 Attack Scenarios

To evaluate the effectiveness of the MitM Stealtooth attack as a man-in-the-middle attack, we define the following three attack scenarios: AS#1, #2, #3.
AS#1. Interception of communication: Mallory attempts to eavesdrop on audio data transmitted from Alice to Bob.
AS#2. Tampering with communication: Mallory evaluates whether it is possible to send different audio data to Bob instead of the audio data received from Alice.
AS#3. Proxying communication: Mallory evaluates whether audio data received from Alice can be seamlessly forwarded to Bob.

6.3 Setup

To evaluate the Stealtooth attack, we first pair the victims Alice and Bob and establish a Bluetooth session. Next, the attacker Mallory sets one device's Bluetooth name and address to match those of Alice.

Figure 6 shows the evaluation model of the MitM Stealtooth attack. For the evaluation of the MitM attack, after pairing the victims Alice and Bob and establishing a Bluetooth session, we keep Bob in an inactive state for a certain period until Bob enters idle mode. The attacker Mallory sets one device's Bluetooth name and address to match those of Bob, and the other to match those of Alice. We then install the attack tool "Breaktooth" on both Mallory devices. The Mallory impersonating Alice remotely and secretly monitors the Bluetooth session state between Alice and Bob until Bob transitions to the idle state. The Bluetooth session state can be monitored using Breaktooth's functionality. Additionally, to transmit audio data intercepted from Alice to the other Mallory, we launch the A2DP Sender implemented in Section 5. Meanwhile, the Mallory impersonating Bob sets its Bluetooth adapter's Discoverable parameter to yes, making the Bluetooth adapter detectable. Furthermore, to receive audio data transmitted from the A2DP Sender, we launch the A2DP Receiver implemented in Section 5.

[Figure 6: evaluation model. Mallory (impersonates Bob): role Attacker, type Raspberry Pi 4 Model B, status Discoverable, runs the A2DP Sender and the Breaktooth attack toolkit. Mallory (impersonates Alice): role Attacker, type Raspberry Pi 4 Model B, runs the A2DP Receiver and the Breaktooth attack toolkit, and monitors the Bluetooth session. The two Mallory devices connect via sockets. Alice: role Victim, Master, type Laptop. Bob: role Victim, Slave, type Bluetooth audio devices. Alice and Bob pair via Bluetooth.]

Figure 6: Evaluation model for the MitM Stealtooth attack: Alice and Bob are paired in advance. Meanwhile, both Raspberry Pis operating as Mallory have the attack toolkit installed, which was developed in Section ??. Additionally, the A2DP Sender and A2DP Receiver implemented in Section ?? are launched, and communication is established between the two Mallory devices in advance.

6.4 Results

In this section, we present the evaluation results of our Stealtooth and MitM Stealtooth attacks against commercial Bluetooth devices.

6.4.1 Stealtooth Attack Results. The Stealtooth attack evaluation results are shown in Table 4. We successfully demonstrated the Stealtooth attack against 8 out of 10 tested devices: Sony WH-1000XM5, WH-1000XM4, WF-1000XM5, and WF-1000XM4, Anker Soundcore Space One, EDIFIER W820NB, TOZO NC2, and Xiaomi Redmi Buds 6 Pro. The attack was not successful against Google Pixel Buds Pro and BOSE QuietComfort Ultra Headphones.

The results reveal two distinct patterns based on the connection initiator. For Sony WH-1000XM5 and WF-1000XM5, Bob acts as the connection initiator (Pattern#1), actively attempting to reconnect with Alice and subsequently pairing with Mallory through automatic pairing mode. For the remaining vulnerable devices, Mallory serves as the connection initiator (Pattern#2), where Bob transitions to automatic pairing mode after failed authentication attempts, enabling Mallory to establish malicious connections.

Notably, the vulnerability appears to be implementation-specific rather than chip-specific, as devices with similar MediaTek chipsets (MT2822 and MT2822S) exhibit different behaviors. The successful attacks demonstrate complete link key overwriting without any user notification or intervention, confirming the silent nature of the automatic pairing mode abuse.

6.4.2 MitM Stealtooth Attack Results. The MitM Stealtooth attack results are also shown in Table 4. Among the 8 devices vulnerable to the Stealtooth attack, 4 devices are also vulnerable to the MitM Stealtooth attack.

For attack scenario AS#1 (interception of communication), the MitM Stealtooth attack successfully demonstrated the ability to intercept audio data transmitted from Alice to Bob. The attack captured and recorded the intercepted audio as WAV files, confirming the compromised confidentiality of Bluetooth communications.

Attack scenario AS#2 (tampering with communication) was achieved against the Sony WH-1000XM5 and WF-1000XM5 devices. The attack successfully demonstrated that while Mallory intercepts audio data from Alice, Mallory can simultaneously play pre-prepared audio data to Bob, effectively tampering with the communication content. For Sony WH-1000XM4 and WF-1000XM4, where Mallory serves as the connection initiator, AS#2 was achieved only after establishing the connection, disconnecting briefly, and reconnecting to properly grant profile access permissions.

Attack scenario AS#3 (proxying communication) was partially achieved for the four tested devices. While the Mallory impersonating Bob could transfer intercepted audio data from Alice via A2DP Sender, and the Mallory impersonating Alice could receive the transferred audio data with A2DP Receiver, the received audio data could not be properly encoded into the appropriate audio codec when transmitting to Bob, preventing seamless audio playback.

6.4.3 Impact Assessment. The evaluation results demonstrate that abusing automatic pairing vulnerabilities enables attackers to become MitM adversaries in Bluetooth communications between victims. The successful achievement of attack scenarios AS#1 and AS#2 confirms that the MitM Stealtooth attack significantly compromises the confidentiality and integrity of Bluetooth communications.

The widespread nature of these vulnerabilities across major manufacturers and different device types indicates that automatic pairing implementations represent systematic security weaknesses
rather than isolated flaws. The fact that 80% of the tested devices were vulnerable to the Stealtooth attack, and 40% to the MitM attack, underscores the critical impact of these findings on the broader Bluetooth ecosystem.

The results also reveal that the success of automatic pairing exploitation depends heavily on device-specific implementations, suggesting that manufacturers have varying approaches to automatic pairing that create inconsistent security behaviors across the market.

Table 4: Stealtooth attack evaluation results

Model (Bob)                         Stealtooth Attack              MitM Stealtooth Attack
                                    Attack        Initiator        AS#1      AS#2      AS#3
WH-1000XM5                          Achieved      Bob              Achieved  Achieved  Partial
WH-1000XM4                          Achieved      Mallory          Achieved  Achieved  Partial
WF-1000XM5                          Achieved      Bob              Achieved  Achieved  Partial
WF-1000XM4                          Achieved      Mallory          Achieved  Achieved  Partial
Soundcore Space One                 Achieved      Mallory          -         -         -
W820NB                              Achieved      Mallory          -         -         -
NC2                                 Achieved      Mallory          -         -         -
Redmi Buds 6 Pro                    Achieved      Mallory          -         -         -
Pixel Buds Pro                      Not achieved  -                -         -         -
Bose QuietComfort Ultra Headphones  Not achieved  -                -         -         -
Legend: Achieved (the attack or attack scenario is achieved); Partial (the attack scenario is partially achieved); Not achieved; "-": not applicable.

7 Discussion

In this section, we propose defenses against the Stealtooth attack. We also describe the limitations of this work and future work.

7.1 Defense Against the Stealtooth Attack

To defend against the Stealtooth attack, we propose several defenses that can be implemented at different levels of the Bluetooth stack.

7.1.1 Device-Level Defenses. The most immediate defense against the Stealtooth attack lies in improving the transparency and control of automatic pairing mode. Bluetooth devices should notify users when they automatically transition to pairing mode and when new pairings are established. This notification mechanism would alert users to potential unauthorized pairing attempts and allow them to take appropriate action. However, such notifications must be carefully designed to balance security awareness with user experience, as excessive notifications could lead to alert fatigue.

Manufacturers should also consider implementing additional authentication layers for automatic pairing scenarios. These authentication layers could include device-specific challenges or cryptographic proofs that prevent unauthorized devices from successfully completing automatic pairing. Such mechanisms would need to be carefully designed to avoid breaking compatibility with existing paired devices while preventing unauthorized pairings.

7.1.2 Protocol-Level Improvements. At the protocol level, the Bluetooth specification should include mechanisms to validate the legitimacy of link key replacement during automatic pairing scenarios. This could involve cryptographic proofs or time-based validation tokens that ensure only legitimate devices can replace existing pairings. Such improvements would require careful consideration of backward compatibility and the diverse ecosystem of Bluetooth implementations.

Furthermore, the Bluetooth SIG should establish clear guidelines for automatic pairing implementations to ensure consistent security behaviors across different manufacturers and device types. The current lack of standardization in automatic pairing behavior creates inconsistent attack surfaces and makes it difficult to develop comprehensive defensive strategies.

7.2 Limitations and Future Work

7.2.1 Current Limitations. Our current implementation and evaluation have several limitations that constrain the scope of our findings. While we evaluated 10 commercial Bluetooth devices from major manufacturers, automatic pairing behaviors vary significantly across device types and firmware versions. The diversity of implementations means that our findings may not generalize to all Bluetooth devices on the market. A more comprehensive evaluation across broader device categories and manufacturers is needed to understand the vulnerability landscape.

The success of the Stealtooth attack also depends on specific timing conditions, such as when legitimate devices are powered off or unavailable. In real-world scenarios, these conditions may not always be controllable by attackers, limiting the practical applicability of the attack. The probabilistic nature of these timing dependencies means that attacks may require multiple attempts to succeed.

Our MitM Stealtooth attack implementation focuses primarily on A2DP audio interception, representing only a subset of the potential capabilities enabled by successful device impersonation. Extension
to other Bluetooth profiles and more sophisticated manipulation capabilities would require additional implementation work.

7.2.2 Future Work. Our work opens several important research directions that could significantly advance the understanding of Bluetooth security and automatic pairing vulnerabilities. In this section, we present two main future directions of this work.

Cross-Platform Vulnerability Analysis. While our evaluation focuses on commercial audio devices, automatic pairing modes exist across a much broader ecosystem of Bluetooth-enabled devices, including IoT sensors, medical devices, automotive systems, and industrial controllers. These diverse platforms may implement automatic pairing with different security assumptions and constraints, potentially exposing novel attack vectors. A systematic analysis of automatic pairing implementations across heterogeneous platforms could reveal fundamental design patterns that are inherently vulnerable, leading to more comprehensive mitigation strategies that address root causes rather than individual device vulnerabilities.

Large-Scale Empirical Security Assessment. The true scope of automatic pairing vulnerabilities in deployed devices remains unknown. Conducting large-scale empirical studies that systematically test thousands of devices across different manufacturers, firmware versions, and deployment contexts would provide crucial data for understanding the real-world impact of these vulnerabilities. Such studies could also reveal correlations between device characteristics and vulnerability patterns, informing risk assessment and the prioritization of mitigation efforts.

8 Related Work

In this section, we describe prior MitM attacks against Bluetooth and present the differences between these prior attacks and the MitM Stealtooth attack.

8.1 Prior MitM Attacks Against Bluetooth

8.1.1 MitM Attack Abusing Unidirectionality of Authentication Procedure. The Bluetooth Impersonation AttackS (BIAS) proposed by Antonioli et al. is an attack that abuses the unidirectionality vulnerability in Bluetooth's authentication procedure, allowing attackers to impersonate the victim's device and establish a connection [5]. Antonioli et al. evaluated the BIAS attack against 28 types of Bluetooth chips and demonstrated its effectiveness.

The BIAS attack can become a MitM attack when combined with the KNOB attack. Attackers can establish independent encrypted communication channels with both the sender and receiver devices using the BIAS attack, and then reduce the entropy of the session key using the KNOB attack to eavesdrop on or tamper with communications. The attack combining the BIAS and KNOB attacks does not require any user operation or malicious applications. Furthermore, it can be executed on any Bluetooth device that complies with the standard Bluetooth protocol.

8.1.2 MitM Attack Using the Variability of Master/Slave Roles. The Blacktooth attack proposed by Ai et al. is the first attack that exploits the specification that Bluetooth Master/Slave roles are not fixed, allowing attackers to covertly complete connection and pairing with the victim's device [1]. The attacker establishes a connection by impersonating the legitimate device and bypasses authentication by exploiting the unidirectionality of legacy authentication. Additionally, they decrypt communication contents using the aforementioned KNOB attack to gain access permissions to highly confidential profiles and inject unauthorized commands into the victim. The Blacktooth attack can be executed without requiring any user operation or malicious applications. Ai et al. demonstrated the effectiveness of the Blacktooth attack against 21 types of Bluetooth devices.

8.1.3 MitM Attack Abusing Differences in Authentication Methods. The Method Confusion (MC) attack proposed by Tschirschnitz et al. is a MitM attack that exploits differences in authentication methods during Bluetooth pairing [28, 30]. In the MC attack, the attacker completes pairing as a MitM by using Numeric Comparison authentication with one device and Passkey Entry authentication with the other device. Tschirschnitz et al. evaluated the effectiveness of the MC attack with 40 users using devices such as smartwatches and smartphones, and successfully executed the MC attack against 37 users.

8.2 Comparison Between Prior MitM Attacks and the MitM Stealtooth Attack

The most significant difference between the prior attacks described above and the MitM Stealtooth attack lies in whether Bluetooth jamming between the victims is necessary to initiate the attack.

The BIAS attack described in Section 8.1.1 requires forcibly disconnecting the Bluetooth session between the victim devices to execute the attack. Therefore, Antonioli et al. assumed in the attacker model for the BIAS attack that the attacker can jam the Bluetooth spectrum and has the ability to forcibly disconnect Bluetooth. However, they did not describe specific methods or the feasibility of jamming.

The Blacktooth attack described in Section 8.1.2, like the BIAS attack, requires forcibly disconnecting the Bluetooth session between the victim devices to execute the attack. However, similar to Antonioli et al., Ai et al. did not describe specific methods or the feasibility of jamming.

The MC attack described in Section 8.1.3 also assumes jamming for its execution. The MC attack describes a specific method of selectively interfering with Bluetooth advertisement packets as "selective jamming". Unlike the BIAS attack and the Blacktooth attack, selective jamming does not jam the entire Bluetooth spectrum but only interferes with targeted packets. Selective jamming makes it possible to minimize the impact on other devices, making the attack less conspicuous.

The MitM Stealtooth attack easily achieves session hijacking, including link key overwriting, through the automatic pairing mode vulnerabilities we newly discovered. Furthermore, by combining with the existing Breaktooth attack, it abuses the vulnerabilities of Sleep mode, which causes temporary Bluetooth disconnections without attacker intervention or victim operations, completely eliminating the jamming process from attack execution. The MitM Stealtooth attack thus provides a new attack vector against Bluetooth.
Conference’17, July 2017, Washington, DC, USA Kimura et al.

9 Conclusion [6] Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen. 2019. The
KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation
This paper unveils novel vulnerabilities of Bluetooth automatic Of Bluetooth BR/EDR. In 28th USENIX Security Symposium (USENIX Security
pairing modes that enables completely silent device link key over- 19). USENIX Association, Santa Clara, CA, 1047–1061. https://www.usenix.org/
conference/usenixsecurity19/presentation/antonioli
writing. We demonstrate how attackers can abuse the automatic [7] Eli Biham and Lior Neumann. 2019. Breaking the Bluetooth Pairing – The Fixed
pairing functions implemented in commercial Bluetooth devices Coordinate Invalid Curve Attack. In Selected Areas in Cryptography – SAC 2019:
to establish malicious connections without any user awareness or 26th International Conference, Waterloo, ON, Canada, August 12–16, 2019, Revised
Selected Papers (Waterloo, ON, Canada). Springer-Verlag, Berlin, Heidelberg,
specialized equipment. 250–273. doi:10.1007/978-3-030-38471-5_11
Our Stealtooth attack leverages the inherent behavior of com- [8] Eric Blancaflor, Harold Kobe Billo, John Michael Dignadice, Philip Domondon,
mercial devices that automatically transition to pairing mode under Mico Ruiz Linco, and Christie Valero. 2025. Bluetooth Simulated Reconnaissance
Attack Through the Use of HCITool: A Case Study. In 2nd International Conference
specific conditions. We also extend the Stealtooth attack into a on Cloud Computing and Computer Networks, Lei Meng (Ed.). Springer Nature
MitM attack, called MitM Stealtooth attacks, by combining the Switzerland, Cham, 133–143.
[9] Xijia Che, Yi He, Xuewei Feng, Kun Sun, Ke Xu, and Qi Li. 2024. BlueSWAT:
attack with existing power-saving mode techniques, enabling at- A Lightweight State-Aware Security Framework for Bluetooth Low Energy. In
tackers to intercept, modify, and relay communications between Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communi-
victims. cations Security (Salt Lake City, UT, USA) (CCS ’24). Association for Computing
Machinery, New York, NY, USA, 2087–2101. doi:10.1145/3658644.3670397
We tested our attacks against 10 commercial Bluetooth devices [10] Marc Fischlin and Olga Sanina. 2024. Fake It till You Make It: Enhancing Security
from major manufacturers, including Sony, Anker, Google, and Xiaomi, and demonstrated the severe impact of the new vulnerabilities across various device chipsets and vendors. Our practical implementation using only commodity hardware and open-source software highlights the real-world applicability of the attacks.

To address the critical impact of these vulnerabilities, we propose both device-level and protocol-level defenses. At the device level, we recommend enhanced user notification systems and stricter timeout mechanisms for automatic pairing. At the protocol level, we advocate for standardized automatic pairing guidelines and improved validation mechanisms for link key replacement scenarios.

Our findings reveal a critical tension between security and usability in wireless communication systems. While automatic pairing provides undeniable convenience benefits, current implementations inadequately consider security implications, creating systematic vulnerabilities rather than isolated implementation flaws.
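The two device-level defenses recommended above (a stricter timeout on automatic pairing and validation before a stored link key is replaced) can be sketched as a pairing policy. The following is an added example written for this page, not code from the paper or from any vendor's firmware; the pairing-window length, the device address and the link keys are constructed values, and the policy is a standalone model of the decision logic rather than a hook into a real Bluetooth stack.

```python
"""Automatic-pairing policy: bounded pairing window plus guarded link key
replacement (added example; assumed values are marked as such)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed value: how long the device stays pairable after the user
# explicitly opens the pairing window (e.g. presses the pairing button).
PAIRING_WINDOW_SECONDS = 60.0


@dataclass
class Decision:
    accepted: bool
    reason: str
    notification: Optional[str] = None  # text the device should surface to the user


@dataclass
class PairingPolicy:
    """Decides whether an incoming pairing request may create or replace a bond."""
    bonds: Dict[str, bytes] = field(default_factory=dict)  # BD_ADDR -> stored link key
    window_seconds: float = PAIRING_WINDOW_SECONDS
    window_opened_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def open_pairing_window(self, now: float) -> None:
        """Only an explicit user action opens the window; the timeout starts here."""
        self.window_opened_at = now

    def window_is_open(self, now: float) -> bool:
        if self.window_opened_at is None:
            return False
        return (now - self.window_opened_at) <= self.window_seconds

    def handle_pairing_request(self, addr: str, proposed_key: bytes,
                               now: float, user_confirmed: bool = False) -> Decision:
        # Check 1: stricter timeout. A device that is never pairable outside a
        # user-opened window cannot be paired with silently in the background.
        if not self.window_is_open(now):
            self.log.append(f"pairing from {addr} refused: window closed")
            return Decision(False, "pairing window closed")

        existing = self.bonds.get(addr)
        if existing is None:
            # Fresh bond: store it and notify, so unexpected pairings are visible.
            self.bonds[addr] = proposed_key
            self.window_opened_at = None  # one bond per window opening
            return Decision(True, "new bond stored", f"Paired with new device {addr}")

        # Check 2: link key replacement validation. A different key offered by an
        # already-bonded address is exactly what a silent overwrite looks like, so
        # it is refused unless the user explicitly confirms the replacement.
        if not user_confirmed:
            self.log.append(f"link key replacement for {addr} blocked")
            return Decision(False, "link key replacement requires user confirmation",
                            f"Device {addr} is trying to re-pair; confirm to replace its key")
        self.bonds[addr] = proposed_key
        self.window_opened_at = None
        self.log.append(f"link key for {addr} replaced after confirmation")
        return Decision(True, "link key replaced with confirmation",
                        f"Replaced stored key for {addr}")


def demo() -> List[Decision]:
    """Walk through the scenarios; the address and keys are constructed."""
    policy = PairingPolicy()
    phone = "AA:BB:CC:11:22:33"        # constructed address
    key_a = bytes(range(16))           # constructed 16-byte link key
    key_b = bytes(range(16, 32))       # constructed, different key
    out = []
    out.append(policy.handle_pairing_request(phone, key_a, now=0.0))    # window never opened
    policy.open_pairing_window(now=10.0)
    out.append(policy.handle_pairing_request(phone, key_a, now=20.0))   # legitimate first pairing
    policy.open_pairing_window(now=100.0)
    out.append(policy.handle_pairing_request(phone, key_b, now=105.0))  # new key, no confirmation
    out.append(policy.handle_pairing_request(phone, key_b, now=106.0, user_confirmed=True))
    out.append(policy.handle_pairing_request(phone, key_b, now=200.0))  # window closed again
    return out


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The design choice worth noting is that the two checks are independent: the timeout bounds how long a device can be approached at all, while the replacement check converts a silent key overwrite into a user-visible prompt even inside an open window. Wiring the policy into a real stack (for example as the agent that answers pairing callbacks) is left as an assumption; the model only shows the decisions such an agent should make.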
Acknowledgments

This work is in part conducted under the “Research and development on new generation cryptography for secure wireless communication services” contract for the “Research and Development for Expansion of Radio Wave Resources (JPJ000254)”, which is supported by the Ministry of Internal Affairs and Communications, Japan.