

Ubertooth One: Bluetooth Security Research and BLE Monitoring

Stealthy Solutions | March 1, 2026 | 8 min read
Tags: ubertooth, bluetooth, ble, bluetooth security, wireshark, iot security, wireless security, sniffing

Bluetooth is everywhere. Keyboards, mice, headphones, medical devices, industrial sensors, smart home devices, payment terminals, automotive systems — the attack surface is enormous and often completely overlooked. The Ubertooth One exists because the tools to assess Bluetooth security professionally basically didn't exist before it.

What Is the Ubertooth One?

The Ubertooth One is an open-source Bluetooth monitoring and research platform designed by Michael Ossmann. Unlike commercial Bluetooth adapters that only receive packets addressed to your device, the Ubertooth One operates in promiscuous mode — capturing all Bluetooth traffic in range regardless of destination.

This changes Bluetooth from a "trust the protocol" assumption to something you can actually audit.

Technical Specifications

  • Frequency: 2.4 GHz ISM band (2.400–2.4835 GHz)
  • Bluetooth versions: Classic Bluetooth (BR/EDR) and Bluetooth Low Energy (BLE)
  • Antenna: RP-SMA connector, external antenna included
  • Interface: USB 2.0
  • Architecture: no FPGA; the microcontroller drives the radio directly
  • Chipset: CC2400 RF transceiver + LPC175x ARM microcontroller

Installation and Setup

```bash
# Install ubertooth tools (Kali/Ubuntu)
sudo apt-get install ubertooth

# Verify device detected
ubertooth-util -v

# Update firmware
ubertooth-dfu -d bluetooth_rxtx.dfu -r
```

BLE Sniffing: Following a Device

Bluetooth Low Energy uses three advertising channels (37, 38, 39) plus 37 data channels with frequency hopping. The Ubertooth One can follow a BLE connection through its channel hops once it captures the initial advertising handshake.

```bash
# Follow a specific BLE device (by BD_ADDR)
ubertooth-btle -f -t AA:BB:CC:DD:EE:FF

# Promiscuous BLE capture — capture everything
ubertooth-btle -p

# Write to PCAP for Wireshark analysis
ubertooth-btle -f -t AA:BB:CC:DD:EE:FF -c capture.pcap
```
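To make the "initial advertising handshake" concrete, here is an added Python example (not code from the original post or from the Ubertooth project) that parses the CONNECT_IND PDU a sniffer must catch and then derives the data-channel hop order with channel selection algorithm #1, which is exactly what lets a sniffer stay on the connection. The PDU bytes, addresses and link-layer parameters are constructed samples; AdvA reuses the page's placeholder address.

```python
import struct

CONNECT_IND = 0x05  # advertising-channel PDU type the initiator sends to open a connection

# Constructed sample CONNECT_IND (2-byte header + 34-byte payload); values are made up.
SAMPLE_CONNECT_IND = bytes.fromhex(
    "0522"                              # PDU type 5, payload length 34
    "665544332211"                      # InitA, on-air LSB first -> 11:22:33:44:55:66
    "ffeeddccbbaa"                      # AdvA -> aa:bb:cc:dd:ee:ff
    "a15d6550"                          # Access Address 0x50655DA1 (little-endian)
    "555555"                            # CRCInit 0x555555
    "01" "0500" "1800" "0000" "4800"    # WinSize, WinOffset, Interval=24 (30 ms), Latency, Timeout=72
    "f0ffffff1f"                        # ChM: channels 4..36 used, 0..3 excluded
    "27"                                # Hop=7 (bits 0-4), SCA=1 (bits 5-7)
)

def parse_connect_ind(pdu: bytes) -> dict:
    """Extract the link-layer parameters a sniffer needs to follow the new connection."""
    if len(pdu) < 36 or pdu[0] & 0x0F != CONNECT_IND or pdu[1] != 34:
        raise ValueError("not a CONNECT_IND PDU")
    body = pdu[2:36]
    ll = body[12:34]                                   # LLData field
    access_addr, = struct.unpack_from("<I", ll, 0)
    crc_init = int.from_bytes(ll[4:7], "little")
    win_offset, interval, latency, timeout = struct.unpack_from("<HHHH", ll, 8)
    chm = int.from_bytes(ll[16:21], "little")          # 37-bit channel map
    return {
        "init_a": body[0:6][::-1].hex(":"),
        "adv_a": body[6:12][::-1].hex(":"),
        "access_address": access_addr,
        "crc_init": crc_init,
        "win_size": ll[7],
        "win_offset": win_offset,
        "interval_ms": interval * 1.25,                # units of 1.25 ms
        "latency": latency,
        "timeout_ms": timeout * 10,                    # units of 10 ms
        "used_channels": [ch for ch in range(37) if chm >> ch & 1],
        "hop": ll[21] & 0x1F,
        "sca": ll[21] >> 5,
    }

def hop_sequence(hop: int, used_channels: list, count: int) -> list:
    """Channel selection algorithm #1: the data-channel order both peers (and a sniffer) walk."""
    used = set(used_channels)
    seq, unmapped = [], 0                              # lastUnmappedChannel starts at 0
    for _ in range(count):
        unmapped = (unmapped + hop) % 37
        if unmapped in used:
            seq.append(unmapped)
        else:                                          # remap onto the sorted list of used channels
            seq.append(used_channels[unmapped % len(used_channels)])
    return seq
```

With the sample above the first eleven connection events land on channels 7, 14, 21, 28, 35, 5, 12, 19, 26, 33 and 7 again (unmapped channel 3 is excluded, so it remaps to the fourth used channel).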

Wireshark Integration

Wireshark has native Ubertooth support for real-time BLE analysis:

```bash
# Pipe directly to Wireshark
ubertooth-btle -f -t AA:BB:CC:DD:EE:FF -c - | wireshark -k -i -

# Or load a saved capture
wireshark capture.pcap
```

In Wireshark, apply the btle display filter to isolate Bluetooth LE packets. You can examine:

  • GATT attribute reads and writes
  • Service discovery traffic
  • Characteristic notifications
  • Pairing and encryption handshakes

IoT Security Assessment Applications

Finding Unencrypted BLE Communications

Many IoT devices — smart locks, medical sensors, fitness trackers, industrial sensors — transmit data without encryption because developers assume physical proximity implies trust. The Ubertooth One exposes this:

  1. Identify target device's BD_ADDR using ubertooth-btle -p
  2. Follow the connection: ubertooth-btle -f -t
  3. Load capture in Wireshark
  4. Look for GATT writes containing PIN codes, commands, or sensor data in cleartext

This is a common finding in smart lock assessments — the unlock command is often just a GATT write to a characteristic, completely unencrypted.
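As an added example (not from the original post or the Ubertooth project), here is the triage in step 4 done outside Wireshark, over raw link-layer data PDUs as ubertooth-btle records them: it decodes the L2CAP and ATT headers and lists the writes that are readable in cleartext, while PDUs from an encrypted link fail to decode because their payload is ciphertext plus a MIC. All PDUs are constructed samples, and handle 0x0025 is the page's placeholder handle.

```python
import struct

ATT_CID = 0x0004
ATT_OPCODES = {0x0A: "Read Request", 0x0B: "Read Response", 0x12: "Write Request",
               0x13: "Write Response", 0x52: "Write Command", 0x1B: "Notification"}

# Constructed LL Data PDUs (2-byte header + payload), the unit a BLE PCAP contains.
SAMPLE_PDUS = [
    bytes.fromhex("020b" "0700" "0400" "12" "2500" "31323334"),  # Write Request, handle 0x0025, value "1234"
    bytes.fromhex("0208" "0400" "0400" "1b" "2100" "42"),        # Notification, handle 0x0021, one byte
    bytes.fromhex("020f" "9c3ae1f07705aa13bdc45e9012fa21"),     # encrypted link: ciphertext + 4-byte MIC
    bytes.fromhex("0302" "0213"),                                # LL_TERMINATE_IND control PDU (LLID 3)
]

def parse_att(pdu: bytes):
    """Return the ATT operation in an LL Data PDU, or None if it is not an intact cleartext ATT frame."""
    if len(pdu) < 6 or pdu[1] != len(pdu) - 2:
        return None
    if pdu[0] & 0x03 != 2:                         # LLID 2 = start of / complete L2CAP message
        return None
    l2_len, cid = struct.unpack_from("<HH", pdu, 2)
    # On an encrypted link the bytes here are ciphertext, so the L2CAP header will
    # not line up: the CID is not ATT and/or the length disagrees with the PDU.
    if cid != ATT_CID or l2_len != len(pdu) - 6:
        return None
    att = pdu[6:]
    rec = {"opcode": ATT_OPCODES.get(att[0], "0x%02x" % att[0])}
    if att[0] in (0x0A, 0x12, 0x52, 0x1B) and len(att) >= 3:  # handle-bearing operations
        rec["handle"] = struct.unpack_from("<H", att, 1)[0]
        rec["value"] = att[3:]
    return rec

def find_cleartext_writes(pdus):
    """Step 4 of the assessment: every GATT write visible in cleartext, as (handle, value)."""
    hits = []
    for pdu in pdus:
        rec = parse_att(pdu)
        if rec and rec["opcode"] in ("Write Request", "Write Command"):
            hits.append((rec["handle"], bytes(rec["value"])))
    return hits
```

On the samples this reports one finding, the write of "1234" to handle 0x0025; the encrypted PDU and the control PDU are skipped.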

Replay Attacks

If you capture BLE commands in cleartext, you can replay them:

```bash
# Capture and replay with btlejack or gatttool
gatttool -b AA:BB:CC:DD:EE:FF --char-write-req -a 0x0025 -n 01
```

Pairing Analysis

The Ubertooth One can capture BLE pairing exchanges. Depending on the pairing method (Just Works, Passkey Entry, Numeric Comparison, OOB), you can assess whether:

  • Just Works pairing is used (no authentication, MITM-vulnerable)
  • Passkey values are predictable
  • Long-term keys can be derived from the captured exchange

Classic Bluetooth Monitoring

For classic Bluetooth (BR/EDR), the Ubertooth One can perform inquiry scans and capture advertising packets:

```bash
# Scan for classic BT devices
ubertooth-scan

# Capture classic BT traffic (requires knowing piconet clock)
ubertooth-rx
```

Classic BT monitoring is harder than BLE due to frequency hopping complexity, but possible with piconet following.

Real-World Use Cases

  • Medical device security: BLE-connected glucose monitors, insulin pumps, and pacemaker monitors have been shown to transmit patient data without encryption. The Ubertooth One is the tool researchers use to demonstrate this.
  • Automotive security: Modern vehicles use BLE for tire pressure monitoring, key fob communication, and infotainment pairing. Sniffing these communications reveals protocol details for further research.
  • Smart home auditing: Smart locks, lightbulbs, thermostats, and security systems all use BLE. Many have been found to accept replay attacks or transmit credentials in cleartext.
  • Retail payment terminals: Bluetooth-connected POS peripherals sometimes transmit card data. Understanding the protocol is step one in any security audit.

Combining with Other Tools

The Ubertooth One works well alongside:

  • Wireshark — packet-level analysis of captured BLE traffic
  • BTLE-Sniffer — alternative capture frontend
  • Btlejack — BLE connection following and injection
  • Gatttool — GATT attribute interaction
  • nRF Sniffer — alternative for controlled environments

Limitations

  • Classic Bluetooth monitoring requires knowing the piconet clock — initial capture is probabilistic
  • Bluetooth 4.2+ LE Secure Connections significantly hardens against key extraction
  • Range is typically 10-20 meters for reliable capture
  • One Ubertooth handles one connection at a time

Conclusion

Bluetooth security is routinely ignored in assessments that focus on network and application layers. The Ubertooth One fills a gap that no other affordable tool fills — giving security researchers actual visibility into what's happening over Bluetooth.

For IoT security assessments, automotive research, medical device auditing, and any engagement where Bluetooth-connected devices are in scope, the Ubertooth One belongs in your toolkit.

For authorized security research and professional assessments only.