What starting position does this attack require?

The first step is Physical entry to target area (T1078) — a initial access primitive. Assumed environment: target deployment uses a BLE-only smart lock (no internet companion).

What is the final impact of this kill-chain?

The final step lands on Replay from attacker device (IOT-BLE-REPLAY), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

BLE eavesdrop + replay → smart lock open

Smart lock uses BLE Just-Works pairing + plaintext 'unlock' opcode. Sniff once with a nRF52 in monitor mode, replay later from a $10 device.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Physical entry to target area

T1078 · Valid Accounts

Discovery

Extract write to unlock characteristic

T1083 · File and Directory Discovery

Reconnaissance

Fingerprint BLE service + characteristic UUIDs

MOB-APK-REVERSE · APK Reverse Engineering

Credential Access

Sniff legit unlock (Sniffle / Ubertooth)

IOT-BLE-EAVESDROP · BLE Eavesdropping

Lateral Movement

Replay from attacker device

IOT-BLE-REPLAY · BLE Replay

§ Context

Assumed environment: target deployment uses a BLE-only smart lock (no internet companion). The pairing is unauthenticated (Just Works) and the unlock command is not nonce-protected.

§ Steps

01
Physical entry to target areaInitial Access
T1078— Valid Accounts
02
Extract write to unlock characteristicDiscovery
T1083— File and Directory Discovery
03
Fingerprint BLE service + characteristic UUIDsReconnaissance
MOB-APK-REVERSE— APK Reverse Engineering
04
Sniff legit unlock (Sniffle / Ubertooth)Credential Access
IOT-BLE-EAVESDROP— BLE Eavesdropping
05
Replay from attacker deviceLateral Movement
IOT-BLE-REPLAY— BLE Replay

§ References

T1078Valid Accounts
T1083File and Directory Discovery

§ Frequently asked

What is the "BLE eavesdrop + replay → smart lock open" attack path?: Smart lock uses BLE Just-Works pairing + plaintext 'unlock' opcode. Sniff once with a nRF52 in monitor mode, replay later from a $10 device. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Physical entry to target area (T1078) — a initial access primitive. Assumed environment: target deployment uses a BLE-only smart lock (no internet companion).
What is the final impact of this kill-chain?: The final step lands on Replay from attacker device (IOT-BLE-REPLAY), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

BLE eavesdrop + replay → smart lock open

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Exported ContentProvider → private data leak

Deeplink abuse → in-app account takeover

iOS URL scheme hijack → OAuth code theft

User foothold → keychain dump → cloud creds

SUID binary → root via GTFOBins