BlueShield: Detecting Spoofing Attacks in Bluetooth Low Energy Networks


Jianliang Wu, Yuhong Nan, and Vireshwar Kumar, Purdue University; Mathias Payer, EPFL; Dongyan Xu, Purdue University


Many IoT devices are equipped with Bluetooth Low Energy (BLE) to support communication in an energy-efficient manner. Unfortunately, BLE is prone to spoofing attacks where an attacker can impersonate a benign BLE device and feed malicious data to its users. Defending against spoofing attacks is extremely difficult as security patches to mitigate them may not be adopted across vendors promptly; not to mention the millions of legacy BLE devices with limited I/O capabilities that do not support firmware updates.

As a first line of defense against spoofing attacks, we propose BlueShield, a legacy-friendly, non-intrusive monitoring system. BlueShield is motivated by the observation that all spoofing attacks result in anomalies in certain cyber-physical features of the advertising packets containing the BLE device’s identity. BlueShield leverages these features to detect anomalous packets generated by an attacker. More importantly, the unique design of BlueShield makes it robust against an advanced attacker with the capability to mimic all features. BlueShield can be deployed on low-cost off-the-shelf platforms, and does not require any modification in the BLE device or its user. Our evaluation with nine common BLE devices deployed in a real-world office environment validates that BlueShield can effectively detect spoofing attacks at a very low false positive and false negative rate.

@inproceedings {259723,
author = {Jianliang Wu and Yuhong Nan and Vireshwar Kumar and Mathias Payer and Dongyan Xu},
title = {{BlueShield}: Detecting Spoofing Attacks in Bluetooth Low Energy Networks},
booktitle = {23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020)},
year = {2020},
isbn = {978-1-939133-18-2},
address = {San Sebastian},
pages = {397--411},
url = {},
publisher = {USENIX Association},
month = oct
}