Standard attack pattern

Draft

CAPEC-666: BlueSmacking

An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.

Last updated June 1, 2026

Medium

Typical severity

Per MITRE

Medium

Likelihood of attack

Per MITRE

1

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

CAPEC-666 (BlueSmacking) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Scan for Bluetooth Enabled Devices] Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on.
- Note the MAC address of the device you want to attack.
Step 2
Experiment
[Change L2CAP Packet Length] The adversary must change the L2CAP packet length to create packets that will overwhelm a Bluetooth enabled device.
- An adversary downloads and installs BlueZ, the standard Bluetooth utility package for Linux.
Step 3
Exploit
[Flood] An adversary sends the packets to the target device, and floods it until performance is degraded.

What the attacker needs

Prerequisites

The system/application has Bluetooth enabled.

Skills required

Low skill: An adversary only needs a Linux machine along with a Bluetooth adapter, which is extremely common.

Consequences

What a successful CAPEC-666 attack can achieve.

Unreliable Execution, Resource Consumption

Affects: Availability

How to mitigate it

Defenses that reduce the risk of CAPEC-666.

Disable Bluetooth when not being used.
When using Bluetooth, set it to hidden or non-discoverable mode.

How to detect it

Indicators that this attack may be underway.

Performance is degraded or halted by incoming L2CAP packets.

Terminology & mappings

Mapped taxonomies

ATTACK: Network Denial of Service: Direct Network Flood (1498.001)
ATTACK: Endpoint Denial of Service: OS Exhaustion Flood (1499.001)

Frequently asked questions

Common questions about CAPEC-666.

What is CAPEC-666?

An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.

How does a BlueSmacking attack work?

It typically unfolds over 3 phases. It begins with: [Scan for Bluetooth Enabled Devices] Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on.

How do you prevent CAPEC-666?

Disable Bluetooth when not being used.

What weaknesses does CAPEC-666 target?

CAPEC-666 exploits 1 CWE weakness, including CWE-404 (Improper Resource Shutdown or Release).

How severe is CAPEC-666?

MITRE rates CAPEC-666 as Medium severity with medium likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-666

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing

What the attacker needs

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

How to detect it

Related weaknesses

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-666?

How does a BlueSmacking attack work?

How do you prevent CAPEC-666?

What weaknesses does CAPEC-666 target?

How severe is CAPEC-666?

References

Defend against CAPEC-666