IOT-BLE-REPLAYLateral Movement

BLE Replay

Record a 'unlock' command sent over a non-authenticated BLE characteristic, replay it to open the smart lock / device.

§ Where this technique fits

IOT-BLE-REPLAY is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

BLE eavesdrop + replay → smart lock open
Smart lock uses BLE Just-Works pairing + plaintext 'unlock' opcode. Sniff once with a nRF52 in monitor mode, replay later from a $10 device.
step 4 / 5

§ What commonly comes next

01
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

BLE eavesdrop + replay → smart lock open

§ What commonly comes next