Technique entry
IOT-BLE-EAVESDROP · Credential Access
BLE Eavesdropping
Sniff BLE pairing with Ubertooth / Sniffle / nRF52 — capture LTK / IRK on insecure (Just Works) pairing.
§ Where this technique fits
IOT-BLE-EAVESDROP is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 1.5 on average.
§ Dossiers chaining this technique
- Step 1 of 5: Zigbee network key sniff → smart-home control
  Sniff a fresh device join with an Atmel RZRAVEN; Zigbee broadcasts the network key in plaintext during pairing. Decrypt all subsequent traffic and send commands.
- Step 2 of 5: BLE eavesdrop + replay → smart lock open
  Smart lock uses BLE Just Works pairing and a plaintext 'unlock' opcode. Sniff once with an nRF52 in monitor mode, replay later from a $10 device.
§ What commonly comes next
- 01 Deauthentication DoS · WIFI-DEAUTH · Impact · seen 1×
- 02 File and Directory Discovery · T1083 · Discovery · seen 1×