
Understanding BLE Fundamentals

Before diving into BLE exploitation and analysis, it's crucial to understand what BLE actually is. This blog lays out the key concepts behind BLE, including its architecture, core protocols, and how it differs from classic Bluetooth. If you're new to BLE, this is where it all starts.

Figure: Bluetooth Low Energy Overview

What is BLE and How It Works?

Bluetooth Low Energy (BLE) is a lightweight wireless communication protocol designed for short-range data transfer with minimal power consumption. It was introduced as part of the Bluetooth 4.0 standard to support battery-powered devices like smartwatches, fitness bands, medical sensors, and IoT gadgets.

Unlike classic Bluetooth, which is built for continuous streaming such as music or large file transfers, BLE is optimized for brief, quick exchanges of small data packets. Think of it as a "check-in and move on" protocol.

BLE works on the 2.4 GHz ISM band and uses a system of advertising and connecting. Devices either broadcast data or scan for other devices to connect with. Once connected, they follow a structured format using profiles, services, and characteristics to exchange data.

Key Characteristics of BLE

Low Power Consumption

BLE is built to sip power, not gulp it. Ideal for devices like fitness trackers and smart locks that need to last months or even years on small batteries.

2.4 GHz ISM Band

Just like Wi-Fi and Classic Bluetooth, BLE operates at 2.4 GHz, but with a twist in how it uses that spectrum.

40 Channel Structure

BLE splits the 2.4 GHz band into 40 channels, each 2 MHz wide: 3 Primary Advertising Channels and 37 Data Channels.

Adaptive Frequency Hopping

BLE hops across channels to avoid interference from Wi-Fi, microwave ovens, or other nearby devices.
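To make the 40-channel layout and the hopping concrete, here is an added worked example (not code from the original post) that maps BLE channel indices to their RF channels and centre frequencies, and steps through Channel Selection Algorithm #1, the hop sequence used by legacy BLE connections. The channel numbering and the CSA#1 formula follow the Bluetooth Core Specification; the hop increment and the channel map in the demo are constructed values.

```python
"""BLE channel layout and the Channel Selection Algorithm #1 hop sequence.

Added example, not code from the original post. The channel numbering,
centre frequencies and CSA#1 formula are taken from the Bluetooth Core
Specification (Vol 6, Part B); the hop increment and channel map used in
the demo at the bottom are constructed values.
"""

# Advertising channel indices and the RF channels they sit on. They are spread
# across the band (bottom, middle, top) to dodge the most common Wi-Fi channels.
ADVERTISING_CHANNELS = {37: 0, 38: 12, 39: 39}


def rf_channel_frequency_mhz(rf_channel: int) -> int:
    """RF channel k (0..39) has its centre at 2402 + 2k MHz; each is 2 MHz wide."""
    if not 0 <= rf_channel <= 39:
        raise ValueError("RF channel must be in 0..39")
    return 2402 + 2 * rf_channel


def channel_index_to_rf(channel_index: int) -> int:
    """Map a BLE channel index (0..36 data, 37..39 advertising) to its RF channel.

    Data channels fill the RF slots the advertising channels leave free:
    indices 0..10 -> RF 1..11, indices 11..36 -> RF 13..38.
    """
    if channel_index in ADVERTISING_CHANNELS:
        return ADVERTISING_CHANNELS[channel_index]
    if 0 <= channel_index <= 10:
        return channel_index + 1
    if 11 <= channel_index <= 36:
        return channel_index + 2
    raise ValueError("channel index must be in 0..39")


def csa1_next_channel(last_unmapped: int, hop_increment: int, used_channels) -> tuple:
    """One step of Channel Selection Algorithm #1 (legacy connections).

    unmapped = (last_unmapped + hop_increment) mod 37. If that data channel is
    marked used in the connection's channel map it is used directly; otherwise
    it is remapped onto the ascending list of used channels at index
    (unmapped mod number_of_used_channels). Returns (unmapped, channel_to_use)
    so the caller can feed `unmapped` back in for the next connection event.
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError("hop increment is negotiated in the range 5..16")
    used = sorted(set(used_channels))
    if not 2 <= len(used) <= 37:
        raise ValueError("channel map must contain at least 2 of the 37 data channels")
    unmapped = (last_unmapped + hop_increment) % 37
    if unmapped in used:
        return unmapped, unmapped
    return unmapped, used[unmapped % len(used)]


def hop_sequence(hop_increment: int, used_channels, events: int, start_unmapped: int = 0) -> list:
    """Data channels used by the first `events` connection events."""
    sequence, last = [], start_unmapped
    for _ in range(events):
        last, channel = csa1_next_channel(last, hop_increment, used_channels)
        sequence.append(channel)
    return sequence


if __name__ == "__main__":
    # Constructed demo: a channel map that excludes data channels 0..8, the kind
    # of mask a central applies when the bottom of the band is noisy.
    channel_map = list(range(9, 37))
    for channel in hop_sequence(hop_increment=7, used_channels=channel_map, events=8):
        rf = channel_index_to_rf(channel)
        print(f"data channel {channel:2d} -> RF {rf:2d} @ {rf_channel_frequency_mhz(rf)} MHz")
```

Because 37 is prime, any hop increment in 5..16 visits every used channel before repeating when the full map is in use; the remapping step is what lets a connection keep that spread while steering around channels the central has masked out as noisy.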

Data Throughput

Theoretical max: ~1 Mbps for BLE 4.x; BLE 5.x can go up to 2 Mbps. Real-world throughput is typically around 0.27 to 0.8 Mbps.

Range

Typically up to 10–50 meters indoors. BLE 5.x can push this up to 100+ meters in ideal conditions.

BLE vs. Classic Bluetooth

Feature             | Bluetooth Low Energy (BLE)                           | Classic Bluetooth
--------------------|------------------------------------------------------|------------------------------------------
Purpose             | Small, bursty data - perfect for sensors & wearables | Continuous data - great for audio, files
Power Consumption   | Very low (months/years on a small battery)           | Higher - drains battery faster
Data Transfer Rate  | Lower - but enough for its use cases                 | Higher - needed for streaming, etc.
Connection Time     | Fast (a few milliseconds)                            | Slower - takes longer to establish
Compatibility       | Not compatible with Classic Bluetooth devices        | Can't talk to BLE-only devices
Use Cases           | Smartwatches, fitness trackers, IoT                  | Headphones, speakers, keyboards

BLE Advantages

  • Very low power consumption
  • Fast connection establishment
  • Perfect for sensors & wearables
  • Ideal for IoT applications
  • Small, efficient data transfers

Classic Bluetooth Advantages

  • Higher data transfer rates
  • Better for continuous streaming
  • Great for audio applications
  • Established ecosystem
  • Better for file transfers

Core BLE Concepts You Should Know

Before diving into packet logs, writing payloads, or reverse-engineering devices, it's important to understand the foundational building blocks of Bluetooth Low Energy (BLE). Here's everything you need to get started the right way.

GAP (Generic Access Profile)

GAP defines the rules for device discovery, advertising, and connections. It handles how BLE devices become visible, connect, and exchange roles.

Key roles defined by GAP:

  • Peripheral: BLE device that advertises (e.g., smartwatches, sensors)
  • Central: Scanning and connecting device (usually a smartphone or PC)

GAP also defines:

  • Advertising intervals & payloads
  • Connection parameters
  • Visibility modes (discoverable/non-discoverable)

In short, GAP is the matchmaking layer—it makes sure the devices find each other and establish a connection in a power-efficient way.

GATT (Generic Attribute Profile)

Once connected, devices switch to GATT mode. This is where all the actual data communication happens.

GATT is built around:

  • Services: Logical containers for grouping functionality (e.g., Heart Rate Service)
  • Characteristics: Individual data points or controls (e.g., current heart rate)

Each characteristic can have properties:

  • Read: Get data from the device
  • Write / Write Without Response: Send data to the device
  • Notify: Get automatic updates when data changes
  • Indicate: Like notify, but requires acknowledgment

The communication follows a request-response model over ATT (Attribute Protocol)—this is where we work with handles and hex values.

Central vs Peripheral (Device Roles)

Peripheral

Usually a small, power-efficient device that passively advertises its presence. It doesn't initiate connections but waits for a Central.

Central

The active scanner. It scans for advertising devices and initiates the connection.

These roles are fixed per session, but some devices (like smartphones) can switch roles dynamically if needed.

Advertising & Scanning

Advertising is the broadcast mechanism used by peripherals to announce their presence. These are small packets (max 31 bytes, plus an optional 31-byte scan response) that can include:

  • Device Name
  • Available Service UUIDs
  • Manufacturer-specific Data
  • Connection Request Flags

Scanning is how a Central listens for these packets. Once it finds a relevant device, it may initiate a connection request based on the advertisement data.
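An advertising payload is just a sequence of length/type/value "AD structures", and that is what a scanner (or Wireshark over an HCI log) decodes to get the name, service UUIDs, flags and manufacturer data listed above. The parser below is an added example, not code from the original post; the AD type codes are the Bluetooth SIG assigned numbers, and the payload it parses is a constructed sample, not a capture from a real device.

```python
"""Parse the AD structures inside a BLE legacy advertising payload.

Added example, not code from the original post. The payload at the bottom is
a constructed sample. AD type codes (0x01 Flags, 0x03 Complete 16-bit Service
UUIDs, 0x09 Complete Local Name, 0xFF Manufacturer Specific Data) are the
Bluetooth SIG assigned numbers; company ID 0xFFFF is the reserved test value.
"""
import struct

MAX_LEGACY_ADV_LEN = 31          # legacy advertising data and scan response are each capped at 31 bytes

AD_FLAGS = 0x01
AD_COMPLETE_16BIT_UUIDS = 0x03
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_DATA = 0xFF

FLAG_BITS = {
    0x01: "LE Limited Discoverable",
    0x02: "LE General Discoverable",
    0x04: "BR/EDR Not Supported",
    0x08: "Simultaneous LE and BR/EDR (Controller)",
    0x10: "Simultaneous LE and BR/EDR (Host)",
}


def parse_ad_structures(payload: bytes) -> list:
    """Split raw advertising data into (ad_type, data) pairs.

    Each structure is: 1 length byte (covers type + data), 1 type byte, data.
    A zero length byte ends the useful data (padding). A structure whose
    declared length runs past the payload is malformed and is rejected rather
    than silently truncated, which is the failure mode a fuzzy parser hides.
    """
    if len(payload) > MAX_LEGACY_ADV_LEN:
        raise ValueError("legacy advertising payload is limited to 31 bytes")
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} runs past end of payload")
        ad_type = payload[i + 1]
        structures.append((ad_type, payload[i + 2 : i + 1 + length]))
        i += 1 + length
    return structures


def decode_advertisement(payload: bytes) -> dict:
    """Turn the AD structures into the fields the post lists."""
    out = {"flags": [], "service_uuids": [], "name": None, "manufacturer": None}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_FLAGS and data:
            out["flags"] = [name for bit, name in FLAG_BITS.items() if data[0] & bit]
        elif ad_type == AD_COMPLETE_16BIT_UUIDS and len(data) % 2 == 0:
            # 16-bit UUIDs are carried little-endian
            out["service_uuids"] = [f"0x{u:04X}" for (u,) in struct.iter_unpack("<H", data)]
        elif ad_type == AD_COMPLETE_LOCAL_NAME:
            out["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_MANUFACTURER_DATA and len(data) >= 2:
            company_id = struct.unpack_from("<H", data)[0]   # first two bytes: SIG company identifier
            out["manufacturer"] = (company_id, data[2:].hex())
    return out


# Constructed sample payload (22 bytes; not captured from a real device).
SAMPLE_ADV = bytes([
    0x02, 0x01, 0x06,                        # Flags: LE General Discoverable | BR/EDR Not Supported
    0x03, 0x03, 0x0D, 0x18,                  # Complete 16-bit UUIDs: 0x180D (Heart Rate Service)
    0x08, 0x09, *b"Demo-HR",                 # Complete Local Name: "Demo-HR"
    0x05, 0xFF, 0xFF, 0xFF, 0xAA, 0xBB,      # Manufacturer data: company 0xFFFF (test), payload AA BB
])

if __name__ == "__main__":
    for key, value in decode_advertisement(SAMPLE_ADV).items():
        print(f"{key:>14}: {value}")
```

The name and manufacturer bytes are attacker-controlled input from the air, so a scanner should bound-check each structure against the declared length exactly as done here; that is also what to look for when reading an HCI log in Wireshark, where each AD structure appears as one decoded entry.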

Pro Tip:

You can capture this process using HCI logs and analyze it with Wireshark.

BLE Connections

After a successful scan + connect, a secure and lightweight BLE connection is established. Key points:

  • Data is exchanged on 37 data channels (out of 40 total 2.4 GHz channels)
  • Connection interval, latency, and supervision timeout are negotiated to save power
  • The link is maintained using regular connection events, even when no data is being sent

Think of it as a chatroom: the participants stay connected but don't need to talk constantly.

Services & Characteristics (GATT Layer)

Every BLE device exposes a GATT Profile, consisting of:

  • Services (e.g., Battery Service)
  • Characteristics (e.g., Battery Level)
  • Properties, together with each characteristic's Handle, UUID, and Value

Each characteristic has a handle, UUID, value, and properties. This hierarchy is what we interact with using tools like gatttool: when we run char-write-req -a 0x0035, we're writing to a specific characteristic handle.

Each service and characteristic is identified by a 16-bit or 128-bit UUID, and handle order matters: a characteristic belongs to the service declared just before it, which is why tools like Wireshark show them as grouped attributes.
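The following added example (not code from the original post) shows what a tool like gatttool or Wireshark is doing with that hierarchy: it walks a flat attribute table in handle order, expands 16-bit UUIDs into the Bluetooth Base UUID, decodes each characteristic declaration into its property bits, value handle and UUID, and groups the characteristics under the service declared before them. The declaration layouts and property bits are from the Bluetooth Core Specification; the attribute table, the handle 0x0035 it places, and the vendor UUIDs are constructed for the example.

```python
"""Walk a GATT attribute table: services, characteristic declarations, UUIDs.

Added example, not code from the original post. The attribute table below is
constructed; the declaration layouts (Primary Service 0x2800, Characteristic
0x2803), the property bit values and the Bluetooth Base UUID are taken from
the Bluetooth Core Specification. Assigned UUIDs used: Battery Service 0x180F,
Battery Level 0x2A19. The vendor UUIDs are made up for this example.
"""
import struct
import uuid

BT_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805F9B34FB")
PRIMARY_SERVICE_DECL = 0x2800
CHARACTERISTIC_DECL = 0x2803

# Characteristic property bits (the post lists Read, Write, Write Without
# Response, Notify and Indicate; the remaining bits are included for completeness).
PROPERTY_BITS = [
    (0x01, "Broadcast"),
    (0x02, "Read"),
    (0x04, "Write Without Response"),
    (0x08, "Write"),
    (0x10, "Notify"),
    (0x20, "Indicate"),
    (0x40, "Authenticated Signed Writes"),
    (0x80, "Extended Properties"),
]


def expand_uuid(short: int) -> uuid.UUID:
    """A 16-bit (or 32-bit) UUID is shorthand for the Base UUID with that value in the top 32 bits."""
    return uuid.UUID(int=BT_BASE_UUID.int | (short << 96))


def short_uuid(full: uuid.UUID):
    """Return the 16/32-bit form if `full` lies in the Bluetooth Base UUID space, else None."""
    if full.int & ((1 << 96) - 1) == BT_BASE_UUID.int:
        return full.int >> 96
    return None


def uuid_from_att_bytes(raw: bytes) -> uuid.UUID:
    """ATT carries UUIDs little-endian: 2 bytes for a 16-bit UUID, 16 bytes for a full one."""
    if len(raw) == 2:
        return expand_uuid(struct.unpack("<H", raw)[0])
    if len(raw) == 16:
        return uuid.UUID(bytes=raw[::-1])
    raise ValueError(f"unexpected UUID length {len(raw)}")


def decode_characteristic_declaration(value: bytes) -> dict:
    """Value of a 0x2803 attribute: properties (1) | value handle (2, LE) | UUID (2 or 16)."""
    if len(value) not in (5, 19):
        raise ValueError("characteristic declaration must be 5 or 19 bytes")
    props = value[0]
    value_handle = struct.unpack_from("<H", value, 1)[0]
    return {
        "properties": [name for bit, name in PROPERTY_BITS if props & bit],
        "value_handle": value_handle,
        "uuid": uuid_from_att_bytes(value[3:]),
    }


def build_profile(attributes) -> list:
    """Group a flat (handle, type_bytes, value) table into services -> characteristics.

    Attributes are walked in handle order: a characteristic declaration belongs
    to the most recent service declaration. That ordering is why analysers show
    the attributes grouped, and why a handle on its own means nothing without it.
    """
    services = []
    for handle, type_raw, value in sorted(attributes, key=lambda a: a[0]):
        attr_type = short_uuid(uuid_from_att_bytes(type_raw))
        if attr_type == PRIMARY_SERVICE_DECL:
            services.append({"handle": handle, "uuid": uuid_from_att_bytes(value), "characteristics": []})
        elif attr_type == CHARACTERISTIC_DECL:
            if not services:
                raise ValueError(f"characteristic at handle 0x{handle:04X} precedes any service")
            services[-1]["characteristics"].append({"decl_handle": handle, **decode_characteristic_declaration(value)})
        # value and descriptor attributes are left to the caller
    return services


# Constructed sample table (handles, types and values are made up for the example).
VENDOR_SERVICE_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
VENDOR_CHAR_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef1")
SAMPLE_ATTRIBUTES = [
    (0x0001, b"\x00\x28", b"\x0f\x18"),                                  # Primary Service: Battery (0x180F)
    (0x0002, b"\x03\x28", b"\x12\x03\x00\x19\x2a"),                      # Char decl: Read|Notify, value @0x0003, Battery Level
    (0x0003, b"\x19\x2a", b"\x64"),                                      # Battery Level value: 100 %
    (0x0030, b"\x00\x28", VENDOR_SERVICE_UUID.bytes[::-1]),              # Primary Service: vendor (128-bit UUID)
    (0x0034, b"\x03\x28", b"\x0c\x35\x00" + VENDOR_CHAR_UUID.bytes[::-1]),  # Char decl: Write|WriteNoRsp, value @0x0035
    (0x0035, VENDOR_CHAR_UUID.bytes[::-1], b"\x00"),                     # the kind of handle a char-write-req targets
]

if __name__ == "__main__":
    for svc in build_profile(SAMPLE_ATTRIBUTES):
        print(f"service 0x{svc['handle']:04X} {svc['uuid']}")
        for ch in svc["characteristics"]:
            print(f"  char decl 0x{ch['decl_handle']:04X} -> value 0x{ch['value_handle']:04X} "
                  f"{ch['uuid']} {ch['properties']}")
```

Note that the properties byte is the device's advertisement of what it permits, not an enforcement mechanism; whether a write to a handle is actually accepted, and whether it requires an encrypted or authenticated link, is decided by the attribute's permissions on the device, which is why those are worth checking in an assessment.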

Security in BLE

Pairing

The process of creating a temporary encrypted link by exchanging cryptographic keys. This establishes a one-time secure session so that subsequent communication in that connection is encrypted.

Bonding

After pairing, devices can save (bond) the exchanged keys so that future reconnections between the same devices can automatically resume encryption without repeating the full pairing process.

Association Models (how the keys are exchanged):

Just Works

No user input required—easy but vulnerable to MITM attacks.

Passkey Entry

One device displays a 6-digit code which the user enters on the other device, adding protection against eavesdropping.

Numeric Comparison (BLE 4.2+)

Both devices display a number; the user confirms they match to guard against MITM.

Out of Band (OOB)

Uses an external channel (e.g., NFC) to exchange data securely before pairing, offering the strongest protection.

Wrapping Up & What's Next

We've covered the basics of Bluetooth Low Energy—how it works, why it's used, key concepts like GAP, GATT, advertising, scanning, and how BLE devices communicate through services and characteristics. This foundation gives you the context needed to start interacting with real devices.

Blog 2: BLE Communication Analysis

We'll dive into the actual communication between a BLE smartwatch and its app—capturing it using HCI snoop logs, and analyzing it with Wireshark to uncover how the app talks to the device.

Blog 3: Manual Device Interaction

We'll use that information to manually connect to the device using gatttool, write custom values to it, and see how those changes reflect on the smartwatch.

Let's move from learning how BLE works to actually making it work for us.
