BlueBait

BlueBait is a technique that turns the open door of modern phone-as-key systems into a trap. Instead of passively waiting for a target vehicle or phone to appear, the attacker presents a tempting, attacker-controlled Bluetooth LE peer — a honeypot — that lures the victim’s phone into reaching out, revealing itself and connecting. The phone takes the bait.

BlueBait was presented as part of Project TEMPA v2 at BSidesVienna 0x7EA on the 27th of June 2026. Please follow the Project TEMPA link for an overview of the Tesla phone-key research it belongs to.

Background

Smartphones are increasingly replacing the traditional key fob. Over Bluetooth LE, the car trusts whatever phone is “close enough” to unlock and drive. After Tesla’s mitigations — UWB ranging against relay attacks and stronger Stranger-in-the-Middle (SitM) protection — the easy proximity tricks became harder. But one door has to stay open by design: a new, unpaired phone must still be able to connect to a car for the very first time. That “first contact” surface is exactly what BlueBait abuses.

Method

A classic attack is reactive: the attacker scans and waits for a recognizable device — a Tesla, or a paired phone — to come into range. BlueBait flips this around and makes the attack proactive:

  • Instead of waiting for the target, the attacker stands up a TEMPA honeypot — a BLE peer that advertises and behaves like the legitimate “first contact” surface a phone expects to find.
  • The honeypot presents a tempting peer. A phone that is looking to pair, reconnect, or simply react to a known advertisement takes the bait and reaches out.
  • By reaching out, the phone reveals itself — its presence and, depending on the platform, more — and establishes a connection to the attacker’s device.

The result is that the attacker no longer depends on the victim happening to expose themselves; the honeypot actively provokes the phone into first contact.

Why it works

  • New and unpaired phones must be allowed to connect — this is a design requirement of the phone-key ecosystem, not a bug that can simply be patched away.
  • The honeypot impersonates precisely that mandatory “first contact” surface, so a well-behaved phone has every reason to respond.
  • iOS and Android behave differently here, but both bite.
  • SitM protection helps and raises the bar, but it cannot refuse all strangers without breaking the legitimate first-pairing experience.

Impact

Combined with the fact that a car (and, by correlation, its owner) still radiates a recognizable BLE presence, BlueBait moves the problem beyond passive tracking. Where tracking follows a target that shows up on its own, BlueBait summons the target — useful for confirming the presence of a specific phone or for drawing a phone-key into a controlled exchange. As phone keys spread to vehicles used in state and agency functions, “trackable and baitable” becomes an operational risk rather than just a privacy nuisance.

Status: Open

This is an inherent consequence of requiring an always-available first-contact surface for unpaired phones. Mitigation is about narrowing and hardening that surface (e.g. SitM), not closing it entirely.

People Involved

For questions about the BlueBait technique, feel free to ask Martin Herfurt.
