blue-tap 2.6.2

Bluetooth/BLE Penetration Testing Toolkit for Automotive IVI Systems

Bluetooth/BLE Penetration Testing Toolkit for Automotive IVI Systems

Documentation · CLI Reference · CVE Matrix · Changelog

---

Blue-Tap is a Bluetooth Classic and BLE security assessment framework designed to find both known and unknown vulnerabilities in Bluetooth stacks. It targets automotive IVI systems, mobile devices, IoT endpoints, and embedded firmware — anything with a Bluetooth radio. 101 modules across 6 families cover the full pentest lifecycle from device discovery through 0-day hunting via protocol-aware fuzzing. A DarkFirmware capability on RTL8761B controllers extends testing below the HCI boundary into the Link Manager and Link Controller layers, reaching the 40-45% of the Bluetooth attack surface that host-only tools cannot see.

Features

Discovery & Reconnaissance — Classic and BLE device scanning, SDP/GATT enumeration, L2CAP/RFCOMM channel probing, device fingerprinting, HCI capture, BLE/LMP sniffing, capability detection, and cross-probe correlation. Guide

Vulnerability Assessment — 25 CVE detections (behavioral + compliance) and 11 non-CVE posture checks covering L2CAP, BNEP, SDP, AVRCP, GATT, HID, SMP, and pairing protocols. CVE Matrix

Exploitation — KNOB (CVE-2019-9506), BIAS (CVE-2020-10135), BLUFFS (CVE-2023-24023), CTKD (CVE-2020-15802), encryption downgrade, SSP downgrade, connection hijack, and PIN brute-force. Guide

Denial of Service — 9 CVE-backed crash probes and 21 protocol stress tests across L2CAP, SDP, RFCOMM, BNEP, HFP, OBEX, LMP, and pairing with automatic recovery monitoring. DoS Matrix

Post-Exploitation — Phonebook extraction (PBAP), message access (MAP), call audio (HFP), audio streaming (A2DP), media control (AVRCP), file push (OPP), Bluesnarfer (OBEX), and AT command probing. Guide

Protocol Fuzzing — 16-protocol mutation fuzzer with coverage-guided, state-machine, targeted, and random-walk strategies. Crash database, payload minimization, CVE reproduction, and live Rich dashboard. 6,685+ seeds. Guide

DarkFirmware (Below-HCI) — RTL8761B firmware patching for LMP injection, link-layer monitoring, and controller memory R/W. Reaches the 40-45% of Bluetooth CVEs invisible to host-only tools. Hardware Setup

Reporting & Sessions — Professional HTML and JSON reports with 11 per-module adapters. Persistent sessions for multi-phase assessments. Guide

Installation

Prerequisites

• Linux (Kali recommended)
• Python 3.10+
• BlueZ 5.50+ (bluetoothctl, hcitool, btmon)
• At least one Bluetooth HCI adapter
• Root privileges for Bluetooth operations

Optional: RTL8761B USB dongle (e.g., TP-Link UB500) for DarkFirmware / below-HCI attacks.

Via PyPI

pip install blue-tap

From Source

git clone https://github.com/Indspl0it/blue-tap.git
cd blue-tap
pip install -e .

Verify Installation

blue-tap --version          # Should print 2.6.2
blue-tap doctor             # Check all prerequisites
sudo blue-tap adapter list  # List Bluetooth adapters

See the full Installation Guide for detailed setup, including DarkFirmware flashing and the IVI simulator.

Usage

Blue-Tap follows a phase-verb workflow that mirrors a real-world Bluetooth pentest:

discover  →  recon  →  vulnscan  →  exploit  →  dos  →  extract  →  fuzz  →  report

Quick Start

# 1. Find nearby Bluetooth devices
sudo blue-tap discover classic -d 20

# 2. Deep recon on a target
sudo blue-tap recon 4C:4F:EE:17:3A:89 sdp
sudo blue-tap recon 4C:4F:EE:17:3A:89 fingerprint

# 3. Scan for vulnerabilities (25 CVE + 11 posture checks)
sudo blue-tap vulnscan 4C:4F:EE:17:3A:89

# 4. Exploit a confirmed vulnerability
sudo blue-tap exploit 4C:4F:EE:17:3A:89 knob --yes

# 5. Extract data post-exploitation
sudo blue-tap extract 4C:4F:EE:17:3A:89 contacts --all

# 6. Generate HTML report
blue-tap report --format html --output report.html

Automation

# Full automated assessment against a single target
sudo blue-tap auto 4C:4F:EE:17:3A:89 --yes

# Fleet scan — discover and assess all IVI devices in range
sudo blue-tap fleet --duration 20 --class ivi

# Run a playbook
sudo blue-tap run-playbook --playbook ivi-full-audit.yaml

Fuzzing

# Multi-protocol fuzzing campaign
sudo blue-tap fuzz campaign 4C:4F:EE:17:3A:89 -p sdp -p rfcomm --duration 2h

# Crash analysis
blue-tap fuzz crashes list --protocol sdp --severity HIGH
blue-tap fuzz minimize CRASH_ID

See the full CLI Reference for all commands and options.

Documentation

Full documentation is hosted at Indspl0it.github.io/blue-tap

Section	Description
Getting Started	Installation, hardware setup, quick start, IVI simulator
CLI Reference	Every command, option, and example
CVE Detection Matrix	37 CVEs across vulnscan, exploitation, and DoS
DoS Matrix	30 DoS checks with severity and recovery monitoring
Workflows	End-to-end pentest recipes
Developer Guide	Architecture, module system, writing modules, plugins
Troubleshooting	Common issues and fixes
Changelog	Release history

Legal Disclaimer

Blue-Tap is provided for authorized security testing and research purposes only. You must have explicit written permission from the owner of any device you test. Unauthorized access to Bluetooth devices is illegal under the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, and similar laws worldwide. The authors accept no liability for misuse. Report vulnerabilities responsibly to the affected manufacturer.

License

GNU General Public License v3.0 — Copyright (C) 2026 Santhosh Ballikonda

---

Santhosh Ballikonda — @Indspl0it