BLERP: BLE Re-Pairing Attacks and Defenses
Tommaso Sacchetti
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Cross-Domain Attacks
Bluetooth Low Energy (BLE) pairing security has been extensively studied, but every prior attack assumed the devices were pairing for the **first time**. This talk reveals that **re-pairing** -- when two previously bonded devices establish a new pairing key -- is fundamentally insecure. The researchers discovered **six vulnerabilities** (four new) in the BLE specification itself, affecting all compliant devices, and developed **four attacks** that enable unauthenticated central and peripheral impersonation, security level downgrade, and man-in-the-middle interception.
AI review
Clean protocol-level vulnerabilities in BLE re-pairing that affect every compliant device, with zero-click exploitation, full MITM capability, and a CVE at CVSS 8.8 against NimBLE. The attacks are devastatingly simple -- impersonate a bonded device, trigger re-pairing, downgrade security -- and the fact that the entire prior literature missed the re-pairing attack surface makes this a genuine contribution.
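The security level downgrade named above can be written as a check a host stack applies when a peer that already has a bond asks to pair again. This is an added example, not code from the talk, the paper or NimBLE, and it is not the defense the researchers propose. The `sec_level` structure and the function names are hypothetical; the AuthReq bit values and the 7 to 16 byte key size range are those of the Bluetooth Security Manager Protocol.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* AuthReq flag bits carried in the SMP Pairing Request/Response. */
#define SMP_AUTHREQ_MITM 0x04u
#define SMP_AUTHREQ_SC   0x08u

/* Hypothetical summary of what a bond (or a finished pairing) achieved. */
struct sec_level { bool authenticated; bool secure_conn; uint8_t key_size; };

enum repair_verdict { REPAIR_ALLOW, REPAIR_REJECT_DOWNGRADE, REPAIR_REJECT_INVALID };

/* Stage 1: inspect the peer's request before any key exchange happens. */
enum repair_verdict precheck_request(const struct sec_level *bond,
                                     uint8_t authreq, uint8_t max_key_size)
{
    if (max_key_size < 7u || max_key_size > 16u)
        return REPAIR_REJECT_INVALID;      /* outside the SMP key size range */
    if (bond == NULL)
        return REPAIR_ALLOW;               /* first pairing: not covered here */
    if (bond->secure_conn && !(authreq & SMP_AUTHREQ_SC))
        return REPAIR_REJECT_DOWNGRADE;    /* Secure Connections -> legacy */
    if (bond->authenticated && !(authreq & SMP_AUTHREQ_MITM))
        return REPAIR_REJECT_DOWNGRADE;    /* authenticated -> unauthenticated */
    if (max_key_size < bond->key_size)
        return REPAIR_REJECT_DOWNGRADE;    /* shorter encryption key */
    return REPAIR_ALLOW;
}

/* Stage 2: the MITM flag is only a request; the association model decides
 * whether the key is authenticated, so compare what pairing produced. */
enum repair_verdict accept_new_key(const struct sec_level *bond,
                                   const struct sec_level *got)
{
    if (bond == NULL)
        return REPAIR_ALLOW;
    if ((bond->authenticated && !got->authenticated) ||
        (bond->secure_conn && !got->secure_conn) ||
        got->key_size < bond->key_size)
        return REPAIR_REJECT_DOWNGRADE;    /* keep the existing bond untouched */
    return REPAIR_ALLOW;
}

int main(void)
{
    struct sec_level bond = { true, true, 16 };   /* constructed sample bond */
    /* Bonding-only request (AuthReq 0x01) against an authenticated SC bond. */
    return precheck_request(&bond, 0x01u, 16) == REPAIR_REJECT_DOWNGRADE ? 0 : 1;
}
```

A rejected re-pairing leaves the stored bond in place, so the decision of whether to delete it stays with the user rather than with an unauthenticated peer.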