Best Bluetooth Security Tools

Bluetooth Security - Why It Matters

Bluetooth is everywhere. Headphones, fitness trackers, smart locks, medical devices, industrial sensors, car key fobs - the list keeps growing. BLE (Bluetooth Low Energy) alone accounts for billions of shipped devices per year. Every one of those devices is a potential attack surface.

Security researchers need tools to audit these devices. The problem is that Bluetooth security tooling is fragmented. Classic Bluetooth (BR/EDR) and BLE share a name and the 2.4 GHz band, but they are different protocols with different physical layers, link layers and pairing models, so they need different tools. Some tools are hardware, some are software, some cost hundreds of dollars, and some are free. Picking the right combination depends on what you are testing and how deep you need to go.

This guide covers the most useful tools available in 2026, organized by what they actually do and what they cost.

Classic Bluetooth Tools

Ubertooth One - $120

The Ubertooth One is the standard open-source tool for classic Bluetooth (BR/EDR) research: a 2.4 GHz platform that captures Bluetooth traffic over the air. A normal Bluetooth adapter only exposes the HCI traffic of its own connections; it cannot observe other devices' packets at all.

What it does well: raw packet capture of classic Bluetooth (ubertooth-rx), piconet discovery and frequency-hopping analysis, baseband sniffing, and a live 2.4 GHz spectrum view (ubertooth-specan-ui). It integrates with Wireshark through the libbtbb plugins, so you get full packet decoding.

What it does not do: demodulate Enhanced Data Rate (EDR) packets. The Ubertooth's radio receives Basic Rate (1 Mbps GFSK) only, and following a classic piconet first requires recovering the target's LAP, UAP and clock, so it is not a turnkey classic sniffer. Its BLE support (ubertooth-btle) is mature and can sniff advertising channels and follow connections, but a $10 dedicated BLE sniffer does that job with far less setup. The Ubertooth is also not a beginner tool. Flashing firmware, setting up the build environment, and interpreting raw baseband captures require solid Linux skills.

Skill level: intermediate to advanced. You need comfort with Linux command line, Wireshark, and Bluetooth protocol basics.

HackRF One - $340

The HackRF One is a software-defined radio (SDR) that covers 1 MHz to 6 GHz. It can receive and transmit on the 2.4 GHz band where Bluetooth operates, but it is a general-purpose SDR, not a dedicated Bluetooth tool. It is half-duplex, and its 20 MHz of instantaneous bandwidth covers only a quarter of the 80 MHz Bluetooth band, so a full-band view is swept rather than captured at once.

For Bluetooth research, HackRF is useful when you need to look at the RF layer below the protocol: spectrum analysis, interference detection, and custom modulation experiments in GNU Radio. Decoding Bluetooth packets from raw I/Q is possible (gr-bluetooth) but laborious; for actual packet decoding, the Ubertooth is far more practical.

graph TD
    subgraph "Classic Bluetooth Research Stack"
        A[Target Device] -->|BR/EDR Signal| B[Ubertooth One]
        B -->|USB| C[Linux Host]
        C --> D[Wireshark + btbb plugin]
        D --> E[Packet Analysis]
        A -->|2.4 GHz RF| F[HackRF One]
        F -->|USB| C
        C --> G[GNU Radio / Spectrum View]
    end
    subgraph "Output"
        E --> H[Protocol Vulnerabilities]
        G --> I[RF Layer Analysis]
    end

Classic Bluetooth research pipeline - hardware captures feed into software analysis

BLE-Specific Tools

nRF52840 Dongle - $10

Nordic Semiconductor's nRF52840 Dongle is the best value in BLE sniffing. Flash it with Nordic's nRF Sniffer for Bluetooth LE firmware and it becomes a passive BLE sniffer that feeds Wireshark directly through an extcap interface. You get full BLE packet decoding - advertising packets, connection events, GATT operations, all of it.

At $10, this is the first tool every BLE researcher should own. The catch: it is passive only. You can observe BLE traffic, but you cannot inject packets, jam connections, or perform active attacks. It also follows one connection at a time, and only one whose CONNECT_IND it captured, so a connection that was already up when you started sniffing stays invisible. Encrypted links show up as ciphertext unless you supply the key. For passive reconnaissance and protocol analysis, nothing beats the price-to-capability ratio.
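To show what is actually inside the advertising packets the sniffer hands to Wireshark, here is an added example decoder for a BLE advertising-channel PDU. It is not Nordic's or Wireshark's code; the ADV_IND bytes, the device name "Lock-42" and the random address are constructed for illustration. It parses the PDU header, the advertiser address (and classifies it, since a resolvable private address tells you the device is rotating its identity), and the AD structures that carry flags, service UUIDs, name, TX power and manufacturer data.

```python
# Added example: decode a BLE advertising PDU (ADV_IND) as captured by a passive sniffer.
# Not Nordic's or Wireshark's code. SAMPLE_ADV_IND below is a constructed packet.
import struct

PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
             4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs", 0x03: "Complete 16-bit UUIDs",
            0x08: "Shortened Local Name", 0x09: "Complete Local Name", 0x0A: "TX Power Level",
            0x16: "Service Data (16-bit UUID)", 0xFF: "Manufacturer Specific Data"}

def classify_address(adv_a, tx_add):
    """adv_a is the 6-byte AdvA in over-the-air (little-endian) order.
    TxAdd=0 means public; for random addresses the two top bits give the subtype."""
    if tx_add == 0:
        return "public"
    top = adv_a[5] >> 6
    return {0b11: "static random", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top, "reserved")

def parse_ad_structures(data):
    """Split AdvData into (type, value) pairs: each structure is [len][type][value...].
    A structure that claims more bytes than remain is a malformed packet, not padding."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:               # zero-length structure: padding, nothing more to parse
            break
        if i + 1 + length > len(data):
            raise ValueError("truncated AD structure at offset %d" % i)
        out.append((data[i + 1], data[i + 2 : i + 1 + length]))
        i += 1 + length
    return out

def decode_adv_pdu(pdu):
    header, length = pdu[0], pdu[1]
    pdu_type, tx_add = header & 0x0F, (header >> 6) & 1
    payload = pdu[2 : 2 + length]
    if len(payload) != length or length < 6:
        raise ValueError("payload length %d does not match header" % len(payload))
    adv_a = payload[:6]
    result = {"pdu_type": PDU_TYPES.get(pdu_type, "reserved"),
              "address": ":".join("%02X" % b for b in reversed(adv_a)),
              "address_type": classify_address(adv_a, tx_add), "ad": {}}
    for ad_type, value in parse_ad_structures(payload[6:]):
        name = AD_TYPES.get(ad_type, "0x%02X" % ad_type)
        if ad_type in (0x08, 0x09):
            result["ad"][name] = value.decode("utf-8", "replace")
        elif ad_type in (0x02, 0x03):
            result["ad"][name] = ["0x%04X" % u for (u,) in struct.iter_unpack("<H", value)]
        elif ad_type == 0x01:
            result["ad"][name] = value[0]
        elif ad_type == 0x0A:
            result["ad"][name] = struct.unpack("<b", value)[0]   # signed dBm
        elif ad_type == 0xFF:
            company, = struct.unpack("<H", value[:2])            # Bluetooth SIG company ID
            result["ad"][name] = {"company_id": "0x%04X" % company, "data": value[2:].hex()}
        else:
            result["ad"][name] = value.hex()
    return result

# Constructed ADV_IND from a hypothetical smart lock: random (resolvable private) address,
# flags 0x06, Battery Service UUID 0x180F, name, manufacturer data, TX power -10 dBm.
SAMPLE_ADV_IND = bytes([
    0x40, 0x1F,                              # header: ADV_IND, TxAdd=1 (random); payload length 31
    0x9A, 0x78, 0x56, 0x34, 0x12, 0x5A,      # AdvA, little-endian on air
    0x02, 0x01, 0x06,                        # Flags: LE General Discoverable, BR/EDR not supported
    0x03, 0x03, 0x0F, 0x18,                  # Complete 16-bit UUIDs: 0x180F
    0x08, 0x09]) + b"Lock-42" + bytes([      # Complete Local Name
    0x05, 0xFF, 0x59, 0x00, 0x01, 0x02,      # Manufacturer data: company 0x0059, payload 01 02
    0x02, 0x0A, 0xF6])                       # TX Power Level: -10 dBm

if __name__ == "__main__":
    for k, v in decode_adv_pdu(SAMPLE_ADV_IND).items():
        print(k, v)
```

The address classification is the part worth keeping in your notes: a device that advertises with a resolvable private address is using the privacy feature, while a static random or public address is trackable across sessions, which is a finding in itself on a wearable or a lock.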

BLEShark Nano - $37

The BLEShark Nano takes a different approach. Instead of passive sniffing for Wireshark, it is a self-contained BLE research platform. It runs on an ESP32-C3 with BLE 5.0, and it operates without a laptop.

Key BLE capabilities: active BLE scanning (enumerate nearby devices, RSSI, device types), BLESpam (test how devices handle advertising floods), Bad-BT (Bluetooth HID injection for testing input validation). It also combines BLE with WiFi and IR in one device, which matters when you are doing physical security assessments and need to travel light.

The trade-off compared to the nRF52840 is depth vs. breadth. The nRF dongle gives you raw packet captures for deep protocol analysis. The BLEShark Nano gives you active testing tools across multiple protocols. They complement each other.

Micro:bit + btlejack - $15

btlejack is an open-source tool by Damien Cauquil that uses one or more BBC micro:bit boards to sniff and hijack active BLE connections. Its distinguishing feature is that it does not need to see the connection start: it recovers the access address, CRCInit, hop interval, hop increment and channel map of an already-established connection from the traffic itself and then follows the hopping sequence. The nRF Sniffer, which has to capture the CONNECT_IND, cannot do that.

The real power of btlejack is connection hijacking. It jams the connection until the legitimate central's supervision timeout expires, then continues the connection in the central's place, so the peripheral keeps talking without noticing the swap. This is a specific attack capability that most other tools do not offer. Which connections can be followed depends on the firmware's channel-selection support (the original attack targets the BLE 4.x hopping algorithm), so check the project's README against your target.

Cost: about $15 per micro:bit. You ideally want three, one parked on each advertising channel (37, 38 and 39), for reliable connection following. So roughly $45 for a complete btlejack setup.
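The connection parameters btlejack recovers are not magic; they fall out of link-layer arithmetic. The following added example (not btlejack's code; the data PDU, CRCInit value and timings are constructed) shows three of the steps: recovering CRCInit from a single captured packet by running the CRC-24 LFSR backwards, recovering the hop interval from the time between two packets on one channel, and recovering the hop increment from how many connection events pass between channel 0 and channel 1. It also generates the BLE 4.x (channel selection algorithm #1) hop sequence so you can see why the last two work.

```python
# Added example of the link-layer arithmetic behind sniffing a BLE connection that was
# already established. Not btlejack's code; PDUs, CRCInit and timings are constructed.

CRC_POLY = 0x00065B        # x^24 + x^10 + x^9 + x^6 + x^4 + x^3 + x + 1 (x^24 implicit)
ADV_CRC_INIT = 0x555555    # fixed CRCInit on the advertising channels
FULL_MAP = (1 << 37) - 1   # channel map with all 37 data channels in use

def crc24(pdu, init):
    """BLE link-layer CRC: a 24-bit LFSR seeded with CRCInit, PDU bits fed LSB first."""
    state = init & 0xFFFFFF
    for byte in pdu:
        for i in range(8):
            fb = ((state >> 23) & 1) ^ ((byte >> i) & 1)
            state = (state << 1) & 0xFFFFFF
            if fb:
                state ^= CRC_POLY
    return state

def recover_crc_init(pdu, crc):
    """Run the LFSR backwards from the received CRC over the PDU bits. Every forward
    step is invertible, so one packet with a good CRC yields the connection's CRCInit."""
    state = crc & 0xFFFFFF
    for byte in reversed(pdu):
        for i in reversed(range(8)):
            fb = state & 1                  # bit 0 after a forward step always equals fb
            if fb:
                state ^= CRC_POLY
            state = (state >> 1) | ((fb ^ ((byte >> i) & 1)) << 23)
    return state

def recover_hop_interval(revisit_us):
    """Under CSA#1 the unmapped sequence returns to a channel every 37 connection events,
    so the time between two packets seen on one channel is 37 * hopInterval * 1.25 ms."""
    return revisit_us // (37 * 1250)

def recover_hop_increment(events_ch0_to_ch1):
    """Sit on unmapped channel 0 and count events until channel 1 is used:
    n * hopIncrement = 1 (mod 37), so hopIncrement is the inverse of n modulo 37."""
    return pow(events_ch0_to_ch1, -1, 37)

def csa1_hops(hop_increment, channel_map, count=37):
    """Data channels visited by a BLE 4.x (CSA#1) connection from its first event."""
    used = [ch for ch in range(37) if (channel_map >> ch) & 1]
    unmapped, out = 0, []
    for _ in range(count):
        unmapped = (unmapped + hop_increment) % 37
        if (channel_map >> unmapped) & 1:
            out.append(unmapped)
        else:                               # unused channel: remap into the used set
            out.append(used[unmapped % len(used)])
    return out

if __name__ == "__main__":
    pdu = bytes([0x02, 0x03, 0xAA, 0xBB, 0xCC])   # constructed LL data PDU (LLID 2, length 3)
    init = 0x8F1B2C                                # the CRCInit the sniffer does not know
    print("CRCInit: 0x%06X" % recover_crc_init(pdu, crc24(pdu, init)))
    print("hopInterval:", recover_hop_interval(37 * 24 * 1250))
    print("hopIncrement:", recover_hop_increment(csa1_hops(9, FULL_MAP).index(1) + 1))
```

The hop-increment trick only works cleanly when all 37 data channels are in use; with a partial channel map the remapped channels appear out of sequence, which is why the tool also recovers the channel map before it trusts the timing.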

graph LR
    subgraph "BLE Tool Capabilities"
        direction TB
        A[Passive Sniffing] --> B[nRF52840 Dongle]
        C[Active Scanning] --> D[BLEShark Nano]
        E[Connection Hijack] --> F[btlejack + micro:bit]
        G[MITM Relay] --> H[GATTacker]
        I[HID Injection] --> D
        J[BLE Spam Testing] --> D
    end
    subgraph "Analysis Layer"
        B --> K[Wireshark]
        D --> L[Built-in Display]
        F --> M[btlejack CLI]
        H --> N[Node.js Server]
    end

BLE tools mapped by primary capability - each fills a different research niche

Software-Only Tools

GATTacker - Free

GATTacker is a Node.js framework by Slawomir Jasek for BLE man-in-the-middle attacks. It clones a BLE device's GATT profile, creates a fake peripheral with the same services and characteristics, and relays traffic between the real device and a victim client. This lets you intercept, modify, and replay BLE GATT operations in real time.

Requirements: a Linux machine with two BLE adapters, one for the central half (ws-slave.js, which connects to the real device) and one for the peripheral half (advertise.js, which presents the cloned profile to the victim). It works with standard USB BLE dongles - no specialized hardware needed beyond the adapters.

Use case: testing whether a BLE device properly validates its peer, whether GATT data is encrypted at the application layer, and whether replay attacks are possible. Note the limit: the relay does not break an enforced, authenticated pairing (passkey or numeric comparison). What it exposes are devices that accept unpaired or Just Works connections, which in practice is most of them.
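To make the three checks above concrete, here is an added example of the ATT-level logic a relay like this sits on. It is not GATTacker's code: it decodes the ATT PDUs a central and a peripheral exchange (reads, writes, notifications), logs every one, lets you hook a handle to rewrite writes in flight, and stores the last write per handle so it can be replayed. The handle 0x0025 and its "unlock command" meaning are assumptions made up for the demonstration.

```python
# Added example: the ATT decode/relay/replay core of a GATT man-in-the-middle.
# Not GATTacker's code. Handle 0x0025 and its "unlock" meaning are invented for the demo.
import struct

ATT_READ_REQ, ATT_READ_RSP = 0x0A, 0x0B
ATT_WRITE_REQ, ATT_WRITE_RSP, ATT_WRITE_CMD = 0x12, 0x13, 0x52
ATT_NOTIFY, ATT_INDICATE = 0x1B, 0x1D
ATT_NAMES = {ATT_READ_REQ: "Read Request", ATT_READ_RSP: "Read Response",
             ATT_WRITE_REQ: "Write Request", ATT_WRITE_RSP: "Write Response",
             ATT_WRITE_CMD: "Write Command", ATT_NOTIFY: "Handle Value Notification",
             ATT_INDICATE: "Handle Value Indication"}
WITH_HANDLE_AND_VALUE = {ATT_WRITE_REQ, ATT_WRITE_CMD, ATT_NOTIFY, ATT_INDICATE}

def decode_att(pdu):
    """Split an ATT PDU into opcode, handle and value where the opcode carries them."""
    op = pdu[0]
    out = {"op": op, "name": ATT_NAMES.get(op, "opcode 0x%02X" % op)}
    if op == ATT_READ_REQ:
        out["handle"] = struct.unpack_from("<H", pdu, 1)[0]
    elif op in WITH_HANDLE_AND_VALUE:
        out["handle"] = struct.unpack_from("<H", pdu, 1)[0]
        out["value"] = pdu[3:]
    elif op == ATT_READ_RSP:
        out["value"] = pdu[1:]
    return out

def encode_att(op, handle=None, value=b""):
    body = b"" if handle is None else struct.pack("<H", handle)   # handles are little-endian
    return bytes([op]) + body + bytes(value)

class GattRelay:
    """Sits between a central and the real peripheral. Every PDU is logged; writes to
    hooked handles are rewritten before forwarding; the last write to each handle is
    kept so it can be replayed to test for application-layer replay protection."""
    def __init__(self):
        self.log = []          # (direction, decoded PDU)
        self.hooks = {}        # handle -> function(value) -> value
        self.last_write = {}   # handle -> original value as sent by the central

    def hook(self, handle, fn):
        self.hooks[handle] = fn

    def forward(self, direction, pdu):
        """direction is 'c2p' (central to peripheral) or 'p2c'. Returns the PDU to send on."""
        msg = decode_att(pdu)
        self.log.append((direction, msg))
        if direction == "c2p" and msg["op"] in (ATT_WRITE_REQ, ATT_WRITE_CMD):
            handle = msg["handle"]
            self.last_write[handle] = msg["value"]
            fn = self.hooks.get(handle)
            if fn is not None:
                return encode_att(msg["op"], handle, fn(msg["value"]))
        return pdu

    def replay(self, handle, op=ATT_WRITE_REQ):
        """Re-send the last write seen on this handle. A device that acts on it again
        has no nonce, counter or MAC tying the command to one session."""
        if handle not in self.last_write:
            raise KeyError("no write captured for handle 0x%04X" % handle)
        return encode_att(op, handle, self.last_write[handle])

if __name__ == "__main__":
    UNLOCK_HANDLE = 0x0025                       # assumed handle of a hypothetical lock command
    relay = GattRelay()
    relay.hook(UNLOCK_HANDLE, lambda v: b"\x00" + v[1:])   # tamper: flip the command byte
    sent = relay.forward("c2p", encode_att(ATT_WRITE_REQ, UNLOCK_HANDLE, b"\x01\x2A"))
    print("forwarded:", sent.hex(), "replay:", relay.replay(UNLOCK_HANDLE).hex())
```

If a characteristic's values look like opaque, changing blobs under the relay rather than readable commands, the application layer is probably encrypting or authenticating them, which is the property the second check above is looking for; the replay test then tells you whether that protection also includes freshness.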

Bettercap BLE Module - Free

Bettercap is a network attack and monitoring framework. Its BLE module provides enumeration (ble.recon), service discovery (ble.enum) and characteristic read/write operations (ble.write). It is less specialized than GATTacker but more versatile because Bettercap also covers WiFi, Ethernet, and other protocols.

If you already use Bettercap for WiFi assessments, the BLE module adds Bluetooth capabilities without learning a new tool. The BLE features are more limited than dedicated tools, but for quick reconnaissance during a broader assessment, it is convenient.

flowchart TB
    subgraph "Software Tools Workflow"
        A[Identify Target BLE Device] --> B{Attack Type?}
        B -->|MITM| C[GATTacker]
        B -->|Recon| D[Bettercap BLE]
        B -->|Deep Analysis| E[Wireshark + nRF Sniffer]
        C --> F[Clone GATT Profile]
        F --> G[Relay Traffic]
        G --> H[Intercept/Modify Data]
        D --> I[Enumerate Services]
        I --> J[Read Characteristics]
        E --> K[Capture Packets]
        K --> L[Protocol Decode]
    end

Software tool selection based on the type of BLE assessment being performed

Mobile Tools

nRF Connect - Free

Nordic's nRF Connect app (Android and iOS) is the most useful mobile BLE tool. It scans for BLE devices, shows advertising data, connects to peripherals, browses GATT services, and lets you read/write characteristics. On Android, combine it with the system's Bluetooth HCI snoop log (Developer options): the log records every packet the phone's Bluetooth stack exchanges, and you can retrieve it through a bug report and open it in Wireshark for later analysis.

Every BLE researcher should have this installed. It is the fastest way to get initial reconnaissance on a BLE target - scan, connect, browse services, check security properties. The Android version is more capable than iOS: Apple's CoreBluetooth hides device addresses behind per-app identifiers and restricts what an app can see of the underlying stack.

BLE Scanner (Android) - Free

A simpler alternative to nRF Connect for basic scanning and GATT browsing. Less feature-rich, but the interface is cleaner for quick scans when you just need to see what is advertising nearby.

Building the Complete Stack

No single tool covers all Bluetooth security research scenarios. A practical research setup depends on your budget and focus area.

Budget setup (about $50): nRF52840 Dongle ($10) for passive BLE sniffing, BLEShark Nano ($37) for active BLE testing and multi-protocol work, nRF Connect (free) on your phone for mobile recon. This covers most common BLE research tasks.

Mid-range setup (about $215): Add the Ubertooth One ($120) for classic Bluetooth research, plus three micro:bits ($45) for btlejack connection hijacking. Now you cover both BLE and classic Bluetooth, with active attack capabilities.

Full lab ($550+): All of the above, plus a HackRF One ($340) for RF-layer analysis, a dedicated Linux laptop with multiple BLE adapters for GATTacker MITM setups, and Bettercap for integrated multi-protocol assessments.

Comparison Table

| Tool | Type | Price | Protocol | Key Capability | Skill Level |
|---|---|---|---|---|---|
| Ubertooth One | Hardware | $120 | Classic BT (Basic Rate), BLE | Baseband sniffing | Advanced |
| HackRF One | Hardware | $340 | RF layer (1 MHz to 6 GHz) | Spectrum analysis, custom modulation | Advanced |
| nRF52840 Dongle | Hardware | $10 | BLE | Passive sniffing | Beginner |
| BLEShark Nano | Hardware | $37 | BLE + WiFi + IR | Active scanning, BLESpam, Bad-BT | Beginner |
| micro:bit + btlejack | Hardware + Software | $45 | BLE | Connection hijacking | Intermediate |
| GATTacker | Software | Free | BLE | GATT MITM | Intermediate |
| Bettercap | Software | Free | BLE + Multi | Recon and enumeration | Intermediate |
| nRF Connect | Mobile App | Free | BLE | GATT browsing | Beginner |

The right tool depends on the job. For most BLE security work, start with the nRF52840 Dongle and nRF Connect. Add the BLEShark Nano when you need active testing capabilities and portability. Move up to the Ubertooth and btlejack when your research demands classic Bluetooth coverage or active connection attacks.
