Tarlogic launches BSAM Checker, a free tool for automatically detecting vulnerabilities in Bluetooth devices

BSAM Checker is a tool that enables the automation of security tests on Bluetooth devices

• Tarlogic’s Innovation team presents free software at RootedCON that allows Bluetooth devices used by citizens and businesses to be audited to check that they have no vulnerabilities

• The company’s researchers have discovered that between 10 and 30% of devices have fixed MAC addresses, which opens the door to tracking people, launching targeted attacks, or launching massive attacks if vulnerabilities are discovered in the devices

Someone could know how your heart is beating, the content of an audio file sent to you, or the real-time location of your car. How? By exploiting vulnerabilities related to the Bluetooth connection of the smart devices we use in our daily lives.

Tarlogic Security has just presented BSAM Checker at Rooted, the largest Spanish-speaking cybersecurity conference. BSAM Checker is a 100% free program for performing automated Bluetooth security audits without the need for advanced knowledge, requiring only a computer and a Bluetooth dongle.

This solution, designed by the Tarlogic Innovation Team, is based on the BSAM methodology, presented two years ago, which enables the security assessment of Bluetooth devices to help manufacturers detect exploitable weaknesses in millions of smart devices and remediate them.

During his presentation, Antonio Vázquez Blanco, a researcher in Tarlogic’s Innovation Department, presented the research carried out together with Miguel Tarascó Acuña, director of this department, explained how the tool works, and shared the results of the tests carried out with the solution in urban environments and in spaces with high foot traffic, such as airports and stations.

During the work, it was discovered that between 10 and 30% of Bluetooth devices have fixed MAC addresses and that between 20 and 45% of these devices also publish their names. This means they can be tracked in real time during operation, thus jeopardizing people’s privacy and enabling hostile actors to track them.

In addition, tests have revealed that between 20% and 45% of devices with public MAC addresses allow pairing without the legitimate user’s interaction, opening the door for attackers to access confidential information such as medical data or phone call content.

With the launch of this free tool, Tarlogic renews its commitment to strengthening the security of the Bluetooth standard, used in millions of devices in businesses and homes around the world.

Enabling any business or citizen to check that their devices are not vulnerable

In recent years, businesses and homes have incorporated multiple smart devices, from wireless headphones and speakers to smart locks, medical devices such as heart rate monitors, pulse oximetry clips, or sleep units, and equipment that controls lighting, temperature, or air quality.

Cybercriminals are aware of this, and the exploitation of vulnerabilities in IoT devices that use the Bluetooth standard to connect has become a threat to the productive fabric and society.

BSAM Checker is a solution that makes it easy to assess the security of Bluetooth devices without advanced cybersecurity knowledge.

This 100% free program automates the main security checks of Bluetooth Security Assessment Methodology (BSAM), a methodology designed by Tarlogic’s Innovation Area to standardize the security assessment of devices that use Bluetooth technology.

All that companies and citizens need to validate the security of their devices is a dongle and a Windows computer, although a version of BSAM Checker for Linux and Mac is already in the works.

The program automatically performs security tests to detect whether a device has security or privacy vulnerabilities that, if exploited, could be used to successfully attack companies or individuals of interest, such as businesspeople, executives, or political leaders.

Thanks to BSAM Checker, users can notify manufacturers of device weaknesses and actively contribute to solving problems to prevent attacks, such as unauthorized access to medical information or real-time tracking of individuals.

Security and privacy issues detected with BSAM Checker

During the presentation of the BSAM Checker tool at Rooted 2026, Antonio Vázquez also made public the results obtained when testing the solution:

  • Between 10 and 30% of the devices evaluated with BSAM Checker have fixed MAC addresses. This poses a privacy problem because these addresses should be random and change over time to prevent devices from being tracked.
  • Between 20% and 45% of devices with fixed MAC addresses publish their generic names, which also facilitates device identification. For devices that do have random MAC addresses, this percentage drops to between 5% and 15% of the devices analyzed.
  • Sixty percent of devices with public MAC addresses allow pairing without authentication, meaning that any user could connect to them and listen to calls or access critical data such as medical information. In addition, more than half of these devices support listing and interacting with GATT services.
  • Devices that do not have adequate signal strength have been detected. For example, two or three meters. This wide range makes it easier for any malicious actor to see them and exploit their vulnerabilities.

Tracking people, targeted attacks, theft of high-value equipment, and even mass campaigns

The security and privacy deficiencies we have pointed out would allow malicious actors to carry out actions against companies and private citizens:

  • Targeted attacks and tracking of persons of interest using Bluetooth devices with public MAC addresses and generic names.
  • Tracking trucks carrying valuable cargo. Using BSAM Checker, Tarlogic researchers have detected truck tachometers with fixed MAC addresses and publicly displayed names that match the truck’s license plate number. These weaknesses make it easy to track these trucks and could enable criminals to intercept them.
  • Interception of communications. Devices that allow pairing without authentication can be attacked to eavesdrop on conversations via headphones or smart speakers.
  • Access to medical information. Tarlogic researchers have detected healthcare devices, such as pulse oximetry clips, monitoring bracelets, and sleep units, with fixed MAC addresses, visible generic names, pairing without authentication, and accessible GATT services that allow vital signs, such as blood oxygen saturation, heart rate, and sleep status, to be read.
  • Theft of expensive equipment. Headphones or smart speakers are not usually expensive, but some medical equipment is, as are other sophisticated devices. For example, during a test with BSAM Checker, a radon detector valued at €10,000 was detected that publicly announced its name and whose signal was so powerful that it could be detected from a great distance, making it easily located.
  • Massive or uncontrolled attacks on multiple devices if vulnerabilities affecting them are made public.

Five years of contributing to strengthening the security of Bluetooth devices

Given this dangerous scenario, BSAM Checker becomes a key tool for detecting security or privacy weaknesses in devices that use Bluetooth connections and preventing attacks and security incidents that affect businesses or citizens.

The launch of BSAM Checker is a new milestone in Tarlogic’s ongoing effort to strengthen the security of the Bluetooth standard and the millions of devices that use it.

Over the last few years, Tarlogic’s Innovation Area has developed:

  • BlueTrust technology, which allows Bluetooth devices to be spoofed during critical activities such as forensic analysis conducted by security forces or Red Team exercises in companies.
  • The BSAM methodology, which standardizes Bluetooth security testing using controls that cover all key elements of protocol operation.
  • The BlueSpy tool, which checks whether it is possible to connect to devices without legitimate users being aware of it. For example, accessing wireless headphones, activating their microphones, and listening to and recording private conversations.
  • The BluetoothUSB driver, which enables the development of tools and proof-of-concept tests without requiring a wide variety of hardware.

Tarlogic’s commitment to innovation and the development of methodologies and tools seeks to facilitate security testing on millions of devices; prevent attacks against companies and citizens; promote the detection and remediation of vulnerabilities related to the Bluetooth standard; and work together with manufacturers to strengthen device security.

Tarlogic, a leader in the field of innovation and the development of cybersecurity solutions

Since Tarlogic Security was founded more than a decade ago, the company has grown to become an internationally renowned cybersecurity firm.

Tarlogic’s sustained growth over the years has been underpinned by its highly qualified staff of more than 150 professionals; a wide range of offensive and defensive cybersecurity services, cyber intelligence, and technical auditing; investment in innovation; and the development of cybersecurity software used in more than 70 countries.

The launch of BSAM Checker, presented at RootedCON, the largest cybersecurity event in Latin America, is the result of the work carried out by Tarlogic’s Innovation Department and the continuous effort to design programs that allow the security of technologies used in millions of devices, such as Bluetooth or WiFi, to be evaluated.