IoT Hacker Scanner

Bluetooth Low Energy Intelligence Engine


The Sovereign Auditor: Mastering the IoT Hacker Scanner

We live in a world where the air is thick with invisible conversations. Every smart lightbulb, fitness tracker, digital lock, and wireless headset announces its existence through Bluetooth Low Energy (BLE). For the security professional and the privacy-conscious individual, the ability to discover and interrogate these devices is the first step toward Digital Sovereignty. The IoT Hacker Scanner on this Canvas uses the Web Bluetooth API to provide a clinical, browser-native interface for discovering peripherals and mapping the GATT (Generic Attribute Profile) services that define their behavior. Be clear about the API's limits from the start: it does not sniff traffic between other devices, and it can only talk to a peripheral the user has explicitly selected in the browser's device chooser.

The Physics of Invisible Signals

To audit a BLE device, you must understand the relationship between signal strength and physical distance. In free space the power of a radio signal falls off with the square of the distance (the Inverse Square Law); indoors, walls, furniture and bodies make it fall off faster still. In the world of Bluetooth the received power is reported as RSSI (Received Signal Strength Indicator), in dBm. One caveat before the math: Web Bluetooth's requestDevice() does not return RSSI at all; readings only arrive per advertisement through watchAdvertisements(), which is still experimental in Chromium. Here is the mathematical logic of the scanner in plain English:

1. The Distance Estimation Formula (LaTeX)

The distance ($d$) between your scanner and an IoT target can be approximated using the RSSI value and the Measured Power ($A$):

$$d = 10^{\frac{A - RSSI}{10n}}$$
Where $A$ is the expected RSSI at 1 meter (the "Measured Power" an iBeacon advertises; the generic Tx Power Level advertising field is power at the antenna, not RSSI at 1 meter, and must be corrected for the first meter of path loss), and $n$ is the path loss exponent: 2 in free space, 3 to 4 indoors depending on obstacles.

2. Interpreting Raw RSSI Values

"A signal at -30 dBm indicates the device is literally in your hand or within inches. At -90 dBm, the signal is at the noise floor, likely at the edge of the building or behind heavy concrete walls."

Note that this is an absolute received power, not a Signal-to-Noise Ratio: SNR would be RSSI minus the noise floor, and Web Bluetooth reports no noise figure. Expect single readings to jitter by several dB with nobody moving, so judge trends on a window of samples rather than on one value.

Chapter 1: The Anatomy of a BLE Peripheral

Bluetooth Low Energy is designed for efficiency. Unlike "Classic" Bluetooth (used for high-bandwidth audio streaming), BLE peripherals spend almost all of their time asleep, waking only to broadcast short Advertising Packets (at most 31 bytes of payload in legacy advertising). When our scanner acquires a target, it opens a connection and runs GATT service discovery to reveal the internal structure of the device.

1. Services, Characteristics, and Descriptors

Think of a BLE device like a file cabinet. The Services are the drawers, and the Characteristics are the files inside. For example, a Heart Rate Monitor has a standard service (UUID: 0x180D). Inside that drawer, there is a characteristic (UUID: 0x2A37) that contains the actual heartbeat value. Characteristics may in turn carry Descriptors: the Client Characteristic Configuration descriptor (0x2902) is what a central writes to switch notifications on, and the Characteristic User Description (0x2901) is where a developer's plain-text label often ends up. The IoT Hacker Scanner walks these UUIDs to identify what the device is, and what data it might be leaking. Short 16-bit UUIDs such as 0x180D are Bluetooth SIG assigned numbers; a 128-bit UUID that matches nothing in the assigned-numbers list is vendor-defined and usually the more interesting attack surface.

2. Public vs. Random Private Addresses

To protect privacy, modern devices use Resolvable Private Addresses (RPA). They rotate their address (typically every 15 minutes) so you can't be tracked as you walk through a mall, while a phone that holds the device's Identity Resolving Key can still recognise it. However, many poorly engineered IoT devices (like cheap smart home plugs or sensors) use a fixed address, either a public IEEE-assigned one or a random static one. These are "Digital Fingerprints" that can be logged to track the exact physical location of a device owner over months or years. One limit of this tool: Web Bluetooth never exposes the address; device.id is an opaque, per-origin identifier. Address-based tracking and address-type classification need a dedicated sniffer, not a browser.

TACTICAL AUDITING TIP: THE "REVEAL"

In practice developers often label their characteristics in plain text, whether through the Characteristic User Description descriptor or through vendor strings in the Device Information Service. When you use this tool to scan a device, look for characteristics with the 'write' or 'writeWithoutResponse' property. If you can write data to an unauthenticated characteristic, you can potentially control the device's hardware (e.g., turning a light off or unlocking a door). Two caveats: the property flags only say that the attribute accepts writes, and a device can still reject the operation until the link is encrypted; and a blind write to an unknown characteristic can brick firmware, so only do it on hardware you own.

Chapter 2: The Security Vulnerabilities of the GATT Tree

The GATT (Generic Attribute Profile) is the primary attack surface for IoT hackers. Because BLE prioritizes low power consumption and quick onboarding, manufacturers often skip pairing and link-layer encryption altogether. This creates "Open Peripherals" that anyone within radio range can connect to, a browser included. Where a characteristic does demand encryption, a read from Web Bluetooth either fails with a security error or triggers the operating system's pairing prompt; either outcome tells you something about how the device is protected.

1. Unauthenticated Read/Write

Many smart devices expose "Sensitive Information" (like Wi-Fi credentials, user IDs, or sensor data) in readable characteristics with no protection at all. If a characteristic doesn't require a bonded connection, our IoT Hacker Scanner can read those bytes as soon as it is connected. In our console log, these appear after "Discovered primary services." Remember that what comes back is attacker-controlled bytes from a radio: decode it defensively, and never drop it straight into HTML.

2. Firmware Fingerprinting (and the "BlueBorne" Class of Attacks)

BlueBorne-class bugs live in the host stack below GATT (L2CAP, SDP and similar layers) and cannot be triggered through the Web Bluetooth API, which only speaks GATT. What the API does let an auditor do is identify firmware worth worrying about. The Device Information Service (UUID: 0x180A) exposes Manufacturer Name String (0x2A29), Model Number String (0x2A24), Firmware Revision String (0x2A26) and Hardware Revision String (0x2A27) as plain readable characteristics on most devices, and those strings can be cross-referenced against CVE databases for known remote code execution exploits. Treat them as untrusted input all the same: they are bytes chosen by whoever programmed the device, so decode them defensively and never pass them into HTML or a shell.
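The enumeration described in Chapter 1 and the two findings above (open read/write characteristics and Device Information strings) carried through in working code, as an added example that is not the page's own scanner code. It assumes Chromium's Web Bluetooth API for the browser path; the fake peripheral, its "Acme IoT" strings and the deadbeef-... vendor UUIDs are constructed so the audit logic can run offline.

```javascript
// Added example, not the page's own scanner code. Walks a GATT server through
// the Web Bluetooth object model (getPrimaryServices -> getCharacteristics ->
// properties / readValue) and reports what an unauthenticated central can do.
//
// auditGattServer() takes any BluetoothRemoteGATTServer-shaped object, so the
// same logic runs in the browser (pass `device.gatt` after connect()) and
// offline against the constructed fake peripheral at the bottom of the file.

// Device Information Service (0x180A) and its string characteristics, from the
// Bluetooth SIG assigned numbers.
const DEVICE_INFORMATION_SERVICE = 0x180a;
const DIS_STRINGS = {
  0x2a29: 'manufacturerName',
  0x2a24: 'modelNumber',
  0x2a26: 'firmwareRevision',
  0x2a27: 'hardwareRevision',
  0x2a28: 'softwareRevision',
};

// Web Bluetooth hands back 16-bit SIG UUIDs as full 128-bit strings
// ("0000180a-0000-1000-8000-00805f9b34fb"); fold those to a number so lookups
// work on either form. Vendor 128-bit UUIDs are returned as lower-case strings.
function shortUuid(uuid) {
  if (typeof uuid === 'number') return uuid;
  const m = /^0000([0-9a-f]{4})-0000-1000-8000-00805f9b34fb$/i.exec(uuid);
  return m ? parseInt(m[1], 16) : uuid.toLowerCase();
}

// Rank a characteristic by what a connected, unpaired central could try.
// `props` is a BluetoothCharacteristicProperties-shaped object of booleans.
// The flags only say the attribute *accepts* the operation; the device may
// still reject it until the link is encrypted.
function classifyCharacteristic(props) {
  if (props.write || props.writeWithoutResponse) return 'WRITABLE';
  if (props.read) return 'READABLE';
  if (props.notify || props.indicate) return 'SUBSCRIBABLE';
  return 'OPAQUE';
}

// readValue() resolves to a DataView; DIS strings are UTF-8 by spec.
// Strip trailing NULs that sloppy firmware often leaves in fixed buffers.
function decodeString(view) {
  return new TextDecoder('utf-8').decode(view).replace(/\0+$/, '');
}

async function auditGattServer(server) {
  const report = { services: [], writable: [], deviceInfo: {} };
  for (const service of await server.getPrimaryServices()) {
    const entry = { uuid: service.uuid, characteristics: [] };
    const isDis = shortUuid(service.uuid) === DEVICE_INFORMATION_SERVICE;
    for (const c of await service.getCharacteristics()) {
      const kind = classifyCharacteristic(c.properties);
      entry.characteristics.push({ uuid: c.uuid, kind });
      if (kind === 'WRITABLE') report.writable.push(c.uuid);
      const field = isDis ? DIS_STRINGS[shortUuid(c.uuid)] : undefined;
      if (field && c.properties.read) {
        try {
          report.deviceInfo[field] = decodeString(await c.readValue());
        } catch (err) {
          // A NotAllowedError / SecurityError here means the read needs
          // encryption or pairing, which is itself a finding worth logging.
          report.deviceInfo[field] = `unreadable (${err.name})`;
        }
      }
    }
    report.services.push(entry);
  }
  return report;
}

// Browser entry point. Must run from a user gesture (a click) in a secure
// context. Web Bluetooth only exposes services named in `filters` or
// `optionalServices`; anything else is hidden from getPrimaryServices().
async function scanFromBrowser() {
  const device = await navigator.bluetooth.requestDevice({
    acceptAllDevices: true,
    optionalServices: [DEVICE_INFORMATION_SERVICE, 'heart_rate'],
  });
  const server = await device.gatt.connect();
  try {
    return await auditGattServer(server);
  } finally {
    server.disconnect();
  }
}

// Constructed fake of a cheap peripheral for offline runs: a DIS with two
// readable strings and a vendor service (made-up deadbeef-... UUIDs) with an
// open write characteristic and a notify characteristic.
function makeFakeServer() {
  const bytes = (s) => {
    const u = new TextEncoder().encode(s);
    return new DataView(u.buffer, u.byteOffset, u.byteLength);
  };
  const props = (o) => ({ read: false, write: false, writeWithoutResponse: false, notify: false, indicate: false, ...o });
  const chr = (uuid, p, value) => ({ uuid, properties: props(p), readValue: async () => bytes(value) });
  const services = [
    { uuid: '0000180a-0000-1000-8000-00805f9b34fb', getCharacteristics: async () => [
      chr('00002a29-0000-1000-8000-00805f9b34fb', { read: true }, 'Acme IoT'),
      chr('00002a26-0000-1000-8000-00805f9b34fb', { read: true }, '1.0.3'),
    ] },
    { uuid: 'deadbeef-0001-4000-8000-0123456789ab', getCharacteristics: async () => [
      chr('deadbeef-0002-4000-8000-0123456789ab', { writeWithoutResponse: true }, ''),
      chr('deadbeef-0003-4000-8000-0123456789ab', { notify: true }, ''),
    ] },
  ];
  return { getPrimaryServices: async () => services };
}

// Offline demo; in the browser call scanFromBrowser() from a click handler instead.
if (typeof navigator === 'undefined' || !navigator.bluetooth) {
  auditGattServer(makeFakeServer()).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In the browser, call scanFromBrowser() from a click handler and list every service you want to inspect in optionalServices, because Web Bluetooth hides the rest from getPrimaryServices(). Classification is by property flag only: a WRITABLE result means the attribute accepts writes, which is the cue to investigate, not proof that the device acts on them.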

Engaging Tip: The Signal Hot/Cold Game

You can use this tool as a physical "Fox Hunt" device, assuming your browser exposes RSSI through watchAdvertisements(). Watch the RSSI in the logs as you move: if the median drops by several dB, or the device disconnects outright, you are moving away from the source; if it climbs, you are closing in. Because single readings jitter, compare medians over a handful of samples rather than reacting to every packet. This is a practical way to find hidden trackers such as AirTags or other unauthorized tracking devices in your environment; note that such trackers rotate their address and advertise no human-readable name, so track them by signal trend, not by name.

Chapter 3: The Physics of Path Loss (LaTeX)

When auditing high-security environments, you must account for Free-Space Path Loss (FSPL). It gives the baseline attenuation in open air: if the loss you actually observe is far larger than FSPL predicts for the claimed distance, walls, metal or bodies are in the path. It is also how the 1 meter reference $A$ is derived from a device's transmit power. The formula is defined as:

$$FSPL(dB) = 20\log_{10}(d) + 20\log_{10}(f) + 20\log_{10}\left(\frac{4\pi}{c}\right)$$
Variables: $d$ = distance (m), $f$ = frequency in Hz (about $2.4 \times 10^9$ for BLE), $c$ = speed of light (m/s). With SI units the constant term is about $-147.55$ dB, so at 1 m and 2.4 GHz FSPL is roughly 40 dB; with $n = 2$ the distance formula above reduces to this same model.

If you see a strong signal but the GATT connection fails, multipath is rarely the culprit: reflections off metal cabinets or glass windows distort RSSI but do not stop a connection. The usual causes are more mundane. The peripheral may be advertising non-connectable packets (a broadcast-only beacon), it may already be connected to its owner's phone and have stopped advertising connectable packets, or its firmware may drop any central that does not authenticate promptly. Log the failure reason rather than guessing.
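The distance formula from section 1, the FSPL formula just above and the hot/cold game from Chapter 2, carried through together as an added example (not the page's own scanner code). The 2.44 GHz band centre, the -59 dBm fallback calibration value and the readings in SAMPLE_RSSI_DBM are constructed assumptions; the browser hook assumes Chromium's experimental watchAdvertisements() API.

```javascript
// Added example, not the page's own scanner code. Implements the distance
// estimate d = 10^((A - RSSI)/(10 n)), the FSPL formula, the link between the
// two, and a sliding-window RSSI tracker for the hot/cold game.

const SPEED_OF_LIGHT_M_S = 299792458;
// BLE advertising channels sit at 2.402, 2.426 and 2.480 GHz; 2.44 GHz is an
// assumed band-centre value used as the default here.
const BLE_CENTRE_HZ = 2.44e9;

// FSPL(dB) = 20 log10(d) + 20 log10(f) + 20 log10(4 pi / c), with d in metres
// and f in hertz (not GHz: the constant term only works with SI units).
function freeSpacePathLossDb(distanceM, freqHz = BLE_CENTRE_HZ) {
  return 20 * Math.log10(distanceM)
       + 20 * Math.log10(freqHz)
       + 20 * Math.log10((4 * Math.PI) / SPEED_OF_LIGHT_M_S);
}

// Log-distance model: A is the expected RSSI at 1 m, n the path-loss exponent
// (2 free space, 3 to 4 indoors).
function estimateDistanceM(rssiDbm, measuredPowerDbm, n = 2) {
  return Math.pow(10, (measuredPowerDbm - rssiDbm) / (10 * n));
}

// The advertised Tx Power Level (AD type 0x0A) is power at the antenna, not
// RSSI at 1 m. Assumption: treat the first metre as free space, so
// A = txPower - FSPL(1 m).
function measuredPowerFromTxPower(txPowerDbm, freqHz = BLE_CENTRE_HZ) {
  return txPowerDbm - freeSpacePathLossDb(1, freqHz);
}

// Consistency check: with n = 2 the log-distance model *is* the FSPL model,
// because FSPL(d) - FSPL(1) = 20 log10(d) = 10 * 2 * log10(d). Returns the
// difference in dB, which is ~0 for any d.
function logDistanceVsFsplGapDb(distanceM, freqHz = BLE_CENTRE_HZ) {
  const fsplGain = freeSpacePathLossDb(distanceM, freqHz) - freeSpacePathLossDb(1, freqHz);
  const modelGain = 10 * 2 * Math.log10(distanceM);
  return fsplGain - modelGain;
}

function medianOf(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Single RSSI readings jitter by several dB even when nobody moves, so the
// hot/cold game compares medians over a window, not raw samples.
class RssiTracker {
  constructor(windowSize = 8) {
    this.windowSize = windowSize;
    this.samples = [];
  }
  push(rssiDbm) {
    this.samples.push(rssiDbm);
    if (this.samples.length > this.windowSize) this.samples.shift();
  }
  median() {
    return this.samples.length ? medianOf(this.samples) : null;
  }
  // 'closer' when the newer half of the window is clearly stronger than the
  // older half, 'farther' when clearly weaker, otherwise 'steady'.
  trend(thresholdDb = 3) {
    if (this.samples.length < 4) return 'unknown';
    const half = Math.floor(this.samples.length / 2);
    const older = medianOf(this.samples.slice(0, half));
    const newer = medianOf(this.samples.slice(-half));
    if (newer - older > thresholdDb) return 'closer';
    if (older - newer > thresholdDb) return 'farther';
    return 'steady';
  }
}

// Browser hook: RSSI arrives per advertisement, not from requestDevice(). This
// needs watchAdvertisements(), still experimental in Chromium.
async function trackDevice(device, tracker, onUpdate) {
  device.addEventListener('advertisementreceived', (evt) => {
    tracker.push(evt.rssi);
    // -59 dBm is an assumed fallback (a common iBeacon calibration value).
    const a = evt.txPower == null ? -59 : measuredPowerFromTxPower(evt.txPower);
    onUpdate({ median: tracker.median(), trend: tracker.trend(), metres: estimateDistanceM(tracker.median(), a, 3) });
  });
  await device.watchAdvertisements();
}

// Offline demo on constructed readings of someone walking toward a beacon.
const SAMPLE_RSSI_DBM = [-70, -68, -72, -66, -64, -62, -60, -58];
function demo() {
  const t = new RssiTracker(8);
  SAMPLE_RSSI_DBM.forEach((r) => t.push(r));
  return { median: t.median(), trend: t.trend(), metres: estimateDistanceM(t.median(), -59, 3) };
}
console.log(demo(), 'FSPL at 1 m, 2.4 GHz:', freeSpacePathLossDb(1, 2.4e9).toFixed(2), 'dB');
```

The indoor exponent of 3 in demo() is a guess, as every path-loss exponent is; calibrate it once by reading RSSI at a known distance in the room you are auditing, and treat the resulting metres as a ranking of candidates rather than a measurement.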

Chapter 4: The Ethics of the Scan

We provide this Canvas tool for educational and defensive auditing purposes only. Accessing a device you do not own or have permission to audit may violate the Computer Fraud and Abuse Act (CFAA) in the US and similar laws globally. Use the IoT Hacker Scanner to secure your own home, audit your company's smart office, and learn the mechanics of the wireless world. Sovereignty starts with responsibility.

Chapter 5: Technical Troubleshooting & FAQ

The Web Bluetooth API is deliberately locked down. If your scan fails, it is likely due to one of three browser-native safety barriers: the page is not in a secure context, the browser does not implement the API, or requestDevice() was called without a user gesture (it must run from a click or similar transient activation, and the user must pick the device in the chooser).

Why does the browser say "Bluetooth is not supported"?
That message means navigator.bluetooth is undefined. Web Bluetooth requires a Secure Context (HTTPS, or http://localhost during development). It will not work on plain http:// sites, which would expose the device to man-in-the-middle attacks. Additionally, it is currently implemented in Chromium-based browsers such as Chrome, Edge, and Opera. Firefox and Safari have declined to implement it, citing privacy and fingerprinting concerns. If you are on Android, ensure you are using the mobile version of Chrome.
Is my device safe if it's "Hidden"?
No. "Security through obscurity" is a fallacy. A device that is not broadcasting a name still has an address and still transmits on the 2.4GHz spectrum. This tool's 'Accept All Devices' mode lists nameless devices in the chooser, and a dedicated sniffer sees every packet regardless of the name. True safety comes from authenticated pairing (LE Secure Connections with Passkey or Numeric Comparison, not "Just Works", which offers no protection against an active attacker) and from encrypting the link before any sensitive characteristic can be read.

Reclaim Your Airspace

Stop letting your smart devices talk behind your back. Audit the GATT tree, identify the UUIDs, and secure your IoT ecosystem today.

