Kushal Srinivas

BLE Scanner — A Bluetooth Security Auditor on ESP32

Creator · 2025
C++ · ESP32 · BLE · Arduino · ILI9341 · ST7735

After building the WiFi handshake capture tool, I wanted to explore the other radio on the ESP32 — Bluetooth Low Energy. The result is a comprehensive BLE scanner with security auditing capabilities and a cyberpunk-style interface on a TFT display.

It scans for nearby BLE devices, tracks their signal history, identifies device types automatically, flags potentially vulnerable services, and displays everything in real time across four rotating display modes.

What it does

  • Active BLE scanning — continuously scans all three BLE advertising channels (37, 38, 39) in 3-second cycles with a 99ms scan window. Catches everything from fitness trackers to AirTags.
  • Device type recognition — automatically classifies devices as phones, watches, trackers, beacons, or peripherals based on name patterns, advertised service UUIDs, and signal characteristics.
  • Security auditing — detects devices that advertise their services openly, with no encryption or pairing needed to see them. Flags exposed service UUIDs that anyone in range could enumerate. Tracks the vulnerability count in real time.
  • RSSI history tracking — maintains signal strength history (10 readings per device) with visual graphs. Useful for understanding signal propagation and device proximity.
  • Four display modes — Device List (signal + type + vulnerability), Statistics (device breakdown + signal distribution), Threats (vulnerable devices highlighted), and Signal Graph (RSSI trends for top 3 devices). Auto-rotates every 10 seconds.

Technical decisions

The scanner tracks up to 100 devices simultaneously with a circular buffer for RSSI history. Memory management on a microcontroller is real — 15–20KB for device tracking, 5KB for the display buffer. Stale devices time out after 45 seconds to keep the list relevant.

I built two display versions: ILI9341 (2.4”, 320×240) for detail, and ST7735 (1.8”, 128×160) for portability. Same software SPI wiring, same GPIO pins — just a different driver. The cyberpunk colour scheme isn’t just aesthetic: green for strong signals, yellow for medium, red for weak or vulnerable. You read the display from across a room.

Device type detection uses a priority system: name patterns match first (anything with “watch” or “band” in the name), then advertised service UUIDs, then signal characteristics for beacon-like behaviour. Unknown devices stay marked as unknown — the tool doesn’t guess.
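
As an added example, not code from the project itself, here is how the priority classifier and the 10-reading RSSI ring described above could be written in Arduino-style C++; the three service UUIDs, the steady-RSSI beacon heuristic and the makeDevice helper are my assumptions, not the sketch's actual logic.

```cpp
#include <algorithm>
#include <cctype>
#include <cmath>
#include <cstdint>
#include <string>
#include <vector>

enum class DeviceType { Unknown, Phone, Watch, Tracker, Beacon, Peripheral };  // Unknown is the deliberate fallback

struct BleDevice {
    std::string name;                    // advertised Local Name, often empty
    std::vector<uint16_t> serviceUuids;  // 16-bit service UUIDs from the advertisement
    int8_t rssi[10] = {0};               // ring buffer: 10 readings per device
    uint8_t count = 0, head = 0;
};

void recordRssi(BleDevice& d, int8_t rssi) {  // once full, the oldest slot is overwritten
    d.rssi[d.head] = rssi;
    d.head = (d.head + 1) % 10;
    if (d.count < 10) d.count++;
}

double rssiSpread(const BleDevice& d) {  // population std dev; slots 0..count-1 are always valid
    if (d.count == 0) return 0.0;
    double mean = 0.0, var = 0.0;
    for (uint8_t i = 0; i < d.count; ++i) mean += d.rssi[i];
    mean /= d.count;
    for (uint8_t i = 0; i < d.count; ++i) var += (d.rssi[i] - mean) * (d.rssi[i] - mean);
    return std::sqrt(var / d.count);
}

DeviceType classify(const BleDevice& d) {
    std::string n = d.name;  // 1. name patterns take priority
    std::transform(n.begin(), n.end(), n.begin(), [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (n.find("watch") != std::string::npos || n.find("band") != std::string::npos) return DeviceType::Watch;
    for (uint16_t u : d.serviceUuids) {  // 2. Bluetooth SIG assigned 16-bit service UUIDs (assumed table)
        if (u == 0x180D) return DeviceType::Watch;       // Heart Rate: fitness wearable
        if (u == 0xFEAA) return DeviceType::Beacon;      // Eddystone
        if (u == 0x1812) return DeviceType::Peripheral;  // HID keyboard/mouse
    }
    // 3. Assumed beacon heuristic: nameless, no services, and a full history at a steady level.
    if (d.name.empty() && d.serviceUuids.empty() && d.count == 10 && rssiSpread(d) < 3.0) return DeviceType::Beacon;
    return DeviceType::Unknown;  // the tool doesn't guess
}

// Hypothetical helper: builds a device from constructed sample data (a real sketch fills this from scan callbacks).
BleDevice makeDevice(const std::string& name, const std::vector<uint16_t>& uuids, const std::vector<int8_t>& rssis) {
    BleDevice d; d.name = name; d.serviceUuids = uuids;
    for (int8_t r : rssis) recordRssi(d, r);
    return d;
}
```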

What I learned

BLE is everywhere. In a typical room, there are 20–40 devices advertising — most of them invisible to their owners. Fitness trackers, earbuds, smart home sensors, even some cars. The advertising space is crowded and noisy.

The security lesson: many consumer BLE devices broadcast services openly because convenience beats security in consumer electronics. Understanding this isn’t about exploitation — it’s about knowing what your own devices are telling the world.
