Ting Yang (Xidian University and Kanazawa University), Yue Qin (Central University of Finance and Economics), Lan Zhang (Northern Arizona University), Zhiyuan Fu (Hainan University), Junfan Chen (Hainan University), Jice Wang (Hainan University), Shangru Zhao (University of Chinese Academy of Sciences), Qi Li (Tsinghua University), Ruidong Li (Kanazawa University), He Wang (Xidian University), Yuqing Zhang (University of Chinese Academy of Sciences)

Bluetooth Low Energy (BLE) has become a foundational communication standard for modern connected devices. However, its complex design introduces subtle logic flaws, such as misinterpreted fields or invalid state transitions, that can enable authentication bypass, unauthorized control, or Denial-of-Service (DoS) attacks. These issues often evade conventional fuzzing and formal analysis.
To address this gap, we propose BSFuzzer, a black-box, context-aware semantic fuzzing framework guided by the Bluetooth Core Specification. BSFuzzer uses a Large Language Model (LLM) agent to semantically parse the Bluetooth specification, extracting state machines and packet semantics from text, diagrams, and context. It then generates two types of mutations: field-level violations of protocol rules and state-level disruptions of key transitions. These are composed into structured test sequences and executed on target devices. The LLM agent is further used to verify responses against expected behaviors, enabling detection of subtle logic flaws beyond the reach of traditional fuzzers.

We evaluated BSFuzzer on 19 real-world BLE devices, including 9 System-on-Chip (SoC) modules and 10 smartphones. It uncovered 36 security issues, including 34 previously unknown bugs, 9 of which have received CVE identifiers. Two critical flaws were recognized by a major vendor through bug bounty programs.
The experimental results indicate that BSFuzzer attains high accuracy in both LLM-based specification analysis (up to 97%) and response validation (up to 85.8%), demonstrating its effectiveness in semantic extraction and enhancing fuzzing performance. Compared to four state-of-the-art BLE vulnerability detection tools, BSFuzzer achieved 9.34% higher code coverage and exposed a broader class of vulnerabilities, demonstrating its effectiveness in uncovering deep interpretation inconsistencies in BLE protocol implementations.
