Ting Yang (Xidian University and Kanazawa University), Yue Qin (Central University of Finance and Economics), Lan Zhang (Northern Arizona University), Zhiyuan Fu (Hainan University), Junfan Chen (Hainan University), Jice Wang (Hainan University), Shangru Zhao (University of Chinese Academy of Sciences), Qi Li (Tsinghua University), Ruidong Li (Kanazawa University), He Wang (Xidian University), Yuqing Zhang (University of Chinese Academy of Sciences)

Bluetooth Low Energy (BLE) has become a foundational communication standard for modern connected devices. However, its complex design introduces subtle logic flaws, such as misinterpreted fields or invalid state transitions, that can enable authentication bypass, unauthorized control, or Denial-of-Service (DoS) attacks. These issues often evade conventional fuzzing and formal analysis.
To address this gap, we propose BSFuzzer, a black-box, context-aware semantic fuzzing framework guided by the Bluetooth Core Specification. BSFuzzer uses a Large Language Model (LLM) agent to semantically parse the Bluetooth specification, extracting state machines and packet semantics from text, diagrams, and context. It then generates two types of mutations: field-level violations of protocol rules and state-level disruptions of key transitions. These are composed into structured test sequences and executed on target devices. The LLM agent is further used to verify responses against expected behaviors, enabling detection of subtle logic flaws beyond the reach of traditional fuzzers.

We evaluated BSFuzzer on 19 real-world BLE devices, including 9 System-on-Chip (SoC) modules and 10 smartphones. It uncovered 36 security issues, including 34 previously unknown bugs, 9 of which have received CVE identifiers. Two critical flaws were recognized by a major vendor through bug bounty programs.
The experimental results indicate that BSFuzzer attains high accuracy in both LLM-based specification analysis (up to 97%) and response validation (up to 85.8%), demonstrating its effectiveness in semantic extraction and enhancing fuzzing performance. Compared to four state-of-the-art BLE vulnerability detection tools, BSFuzzer achieved 9.34% higher code coverage and exposed a broader class of vulnerabilities, demonstrating its effectiveness in uncovering deep interpretation inconsistencies in BLE protocol implementations.

View More Papers

Dataset Reduction and Watermark Removal via Self-supervised Learning for...

Hao Luan (Institute of Big Data, Fudan University, Shanghai, China and College of Computer Science and Artificial Intelligence, Fudan University, Shanghai, China), Xue Tan (Institute of Big Data, Fudan University, Shanghai, China and College of Computer Science and Artificial Intelligence, Fudan University, Shanghai, China), Zhiheng Li (School of Control Science and Engineering, Shandong University, Jinan,…

Read More

The Case for LLM-Enhanced Backward Tracking

Jiahui Wang (Zhejiang University, Hangzhou, China), Xiangmin Shen (Hofstra University, Hempstead, NY, USA), Zhengkai Wang (Zhejiang University, Hangzhou, China), Zhenyuan Li (Zhejiang University, Hangzhou, China)

Read More

Icarus: Achieving Performant Asynchronous BFT with Only Optimistic Paths

Xiaohai Dai (Huazhong University of Science and Technology), Yiming Yu (Huazhong University of Science and Technology), Sisi Duan (Tsinghua University), Rui Hao (Wuhan University of Technology), Jiang Xiao (Huazhong University of Science and Technology), Hai Jin (Huazhong University of Science and Technology)

Read More