Bluetooth monitoring
Guardian Air passively monitors Bluetooth Low Energy (BLE) advertising traffic to discover nearby devices and detect BLE-based spoofing attacks.
Overview
Guardian Air uses a Nordic Semiconductor nRF module to capture Bluetooth Low Energy (BLE) advertising frames. Advertising is the mechanism a BLE device uses to announce its presence: a connectable device advertises so that a central can connect to it, and pairing, if any, happens only after that connection is established. Because advertising frames are broadcast in the clear, capturing them is enough for Guardian Air to build a picture of every advertising BLE device in range without connecting to, pairing with, or transmitting to any of them. Guardian Air synchronizes the data to Vantage for analysis and alert generation.
What Guardian Air discovers
During BLE monitoring, Guardian Air collects the following information for each detected device.
| Data point | Description |
|---|---|
| Media access control (MAC) address | The device address reported in the advertising frame. It is either a public address or a random address; random addresses are static random, resolvable private (RPA), or non-resolvable private. Private addresses rotate over time, so one physical device can appear under several addresses across a capture. |
| Device name | The advertised local name of the device, if present in the advertising data. |
| Manufacturer | The manufacturer identifier derived from the company identifier (ID) field in the advertising payload, if manufacturer-specific data is present. |
| Advertising type | The type of advertising frame: connectable undirected (ADV_IND), connectable directed (ADV_DIRECT_IND), non-connectable (ADV_NONCONN_IND), scan response (SCAN_RSP), or extended advertisement (ADV_EXT_IND). |
| Service UUID | The Bluetooth service class universally unique identifiers (UUIDs) advertised by the device (16-bit, 32-bit, or 128-bit), used to indicate potential device type or capability. A device may advertise several. |
| Signal strength (RSSI) | The received signal strength indicator in dBm as measured at the Guardian Air sensor, used to estimate proximity. RSSI depends on the transmitter's power, antenna orientation, and obstacles, so treat it as a coarse estimate rather than a distance measurement. |
Attack detection
Guardian Air includes a BLE detection engine that uses signature-based detection to identify known payload patterns associated with advertisement spoofing tools such as the Flipper Zero. These tools send crafted BLE advertising packets that trigger notifications or dialogs on nearby devices.
| Attack type | Description |
|---|---|
| Bluetooth settings flood | Repeated BLE advertisements using the human interface device (HID) service UUID (0x1812), designed to trigger repeated Bluetooth settings prompts on nearby devices. Generated by Flipper Zero and similar tools. |
| Apple device popup | Crafted BLE packets that mimic Apple accessory advertisements, causing unsolicited pairing popups on iOS and macOS devices. |
| Apple action modal | BLE packets that trigger Apple action sheets, such as AirDrop or AirPods prompts, on nearby Apple devices. |
| Android device connect | Crafted BLE advertisements that trigger connection prompts on Android devices. |
| Samsung Buds popup | BLE packets that mimic Samsung Galaxy Buds advertisements, triggering setup popups on Samsung devices. |
| Samsung Watch pairing | BLE packets that mimic Samsung Galaxy Watch advertisements, triggering pairing prompts on Samsung devices. |
| Windows device found | BLE packets that trigger Windows device found notifications on nearby Windows computers. |
| SweynTooth — malformed connection request | A malformed BLE connection request that exploits one of the SweynTooth family of vulnerabilities in vendor BLE stacks, known to crash or hang affected devices. |
| Flipper Zero device detection | A Flipper Zero device is detected on the BLE network. Detection confidence varies with the signature. |
| Packet injection/spam | Excessive or irregular BLE advertising packets detected, often characteristic of spam tools or jamming devices. |
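The two tables above describe what is extracted from each advertising frame and which payload patterns the signatures look for. The following Python script, added here as an illustration and not Guardian Air's own code, walks the length/type/data AD structures of an advertising payload to recover the name, manufacturer company ID and 16-bit service UUIDs, classifies the source address from the TxAdd bit and the top two bits of the address, and then runs two rate-based signatures over a constructed capture: the HID service UUID (0x1812) flood from the table, and an Apple proximity-pairing pattern. The AD-structure layout and address classification follow the Bluetooth Core Specification; the window, threshold, the Apple Continuity message type 0x07, and the sample frames are assumptions made for this example.

```python
"""Parse BLE advertising payloads and run two advertisement-spoofing signatures.

Added example, not Guardian Air's code. The AD-structure layout and address
classification follow the Bluetooth Core Specification; the signature rules,
thresholds and sample frames are constructed here for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# AD type codes from the Bluetooth Assigned Numbers (Generic Access Profile).
AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE = 0x02, 0x03
AD_SHORT_NAME, AD_COMPLETE_NAME = 0x08, 0x09
AD_MANUFACTURER = 0xFF

HID_SERVICE_UUID = 0x1812   # Human Interface Device service, as in the table above
APPLE_COMPANY_ID = 0x004C   # Apple, Inc. company identifier
# Assumption: Continuity message type 0x07 (proximity pairing), the type that
# public AirPods-popup spoofing payloads reproduce.
APPLE_PROXIMITY_PAIRING = 0x07


@dataclass
class Advertisement:
    addr: str                     # MSB-first, as most sniffers print it
    random_addr: bool             # TxAdd bit from the advertising PDU header
    name: Optional[str] = None
    company_id: Optional[int] = None
    mfg_data: bytes = b""
    service_uuids: list = field(default_factory=list)

    def addr_type(self) -> str:
        """Classify the address from TxAdd and the top two bits of its MSB."""
        if not self.random_addr:
            return "public"
        top_bits = int(self.addr.split(":")[0], 16) >> 6
        return {0b11: "static random", 0b01: "resolvable private",
                0b00: "non-resolvable private"}.get(top_bits, "reserved")


def parse_adv(addr: str, random_addr: bool, payload: bytes) -> Advertisement:
    """Walk the length/type/data AD structures of one advertising payload."""
    adv = Advertisement(addr, random_addr)
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero-length structure ends the data
            break
        if i + 1 + length > len(payload):    # truncated or malformed frame
            raise ValueError("AD structure runs past the end of the payload")
        ad_type, data = payload[i + 1], payload[i + 2:i + 1 + length]
        if ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            adv.service_uuids += [int.from_bytes(data[j:j + 2], "little")
                                  for j in range(0, len(data) - 1, 2)]
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            adv.name = data.decode("utf-8", errors="replace")
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            adv.company_id = int.from_bytes(data[:2], "little")
            adv.mfg_data = bytes(data[2:])
        i += 1 + length
    return adv


def match_signature(adv: Advertisement) -> Optional[str]:
    """Payload-only match: spoofing tools rotate the source address per frame."""
    if HID_SERVICE_UUID in adv.service_uuids:
        return "Bluetooth settings flood"
    if adv.company_id == APPLE_COMPANY_ID and adv.mfg_data[:1] == bytes([APPLE_PROXIMITY_PAIRING]):
        return "Apple device popup"
    return None


def detect_floods(frames, window_s=10.0, threshold=20):
    """Alert once when a signature fires `threshold` times inside a sliding window.

    frames: iterable of (timestamp_s, addr, random_addr, payload). One matching
    frame is not an alert: real keyboards and AirPods send the same structures,
    so only the rate separates a spoofing tool from normal traffic.
    """
    recent, alerts, fired = defaultdict(list), [], set()
    for ts, addr, random_addr, payload in sorted(frames):
        sig = match_signature(parse_adv(addr, random_addr, payload))
        if sig is None:
            continue
        window = recent[sig]
        window.append(ts)
        while ts - window[0] > window_s:     # drop frames older than the window
            window.pop(0)
        if len(window) >= threshold and sig not in fired:
            fired.add(sig)
            alerts.append((sig, ts, len(window)))
    return alerts


def ad(ad_type: int, data: bytes) -> bytes:  # encode one AD structure
    return bytes([len(data) + 1, ad_type]) + data


# Constructed sample capture: one phone, a three-frame AirPods-style burst,
# and 25 HID-service frames from rotating static random addresses.
SAMPLE_FRAMES = [(0.5, "3C:22:FB:11:22:33", False,
                  ad(AD_COMPLETE_NAME, b"Pixel-7") + ad(AD_UUID16_COMPLETE, b"\x0f\x18"))]
SAMPLE_FRAMES += [(1.0 + k, "4A:6B:0C:1D:2E:3F", True,
                   ad(AD_MANUFACTURER, b"\x4c\x00\x07\x19\x01\x02\x20")) for k in range(3)]
SAMPLE_FRAMES += [(k / 5, f"F0:11:22:33:44:{k:02X}", True,
                   ad(AD_UUID16_COMPLETE, b"\x12\x18") + ad(AD_COMPLETE_NAME, b"Keyboard"))
                  for k in range(25)]

if __name__ == "__main__":
    for sig, ts, count in detect_floods(SAMPLE_FRAMES):
        print(f"t={ts:.1f}s ALERT {sig}: {count} frames in window")
```

The detector deliberately keys its window on the signature rather than on the source address: the sample flood uses a different static random address for every frame, which is exactly what an address-keyed rate limit would miss. The Apple burst stays under the threshold and produces no alert, which is the intended behaviour for a real pair of AirPods advertising nearby.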
Hardware
BLE monitoring uses a Nordic Semiconductor nRF module connected via universal serial bus (USB) (interface ttyble0). The module operates in the 2.4 GHz ISM band and captures BLE advertising frames across the three primary advertising channels (channels 37, 38, and 39). Note that extended advertising places its payload in auxiliary packets on the secondary (data) channels; only the ADV_EXT_IND packet that points to them is transmitted on the primary channels.