Jose Pico & Fernando Perera - Wireless Keystroke Injection (WKI) via Bluetooth Low Energy (BLE)

Jose Pico, Founder at LAYAKK
Fernando Perera, Security Analyst at LAYAKK

Presentation Title: Wireless Keystroke Injection (WKI) via Bluetooth Low Energy (BLE)
Length of presentation: 45 minutes
Demo, Tool, Exploit

"We present a Microsoft Windows vulnerability that allows a remote attacker to impersonate a Bluetooth Low Energy (BLE) keyboard and perform Wireless Key Injection (WKI) on its behalf. It can occur after a legitimate BLE keyboard automatically closes its connection because of inactivity. In that situation, an attacker can impersonate it and wirelessly send keys.
In this talk we will demonstrate the attack live and we will explain the theoretical basis behind it and the process that led us to discover the vulnerability. We will also release the tool that allows to reproduce the attack and we will detail how to use it."

Jose Pico is co-founder and senior security analyst in LAYAKK. Apart from carrying out red team activities and product security evaluations, he is a researcher in wireless communications security. In this field he has published books, articles and research in the form of talks in top events, both in Spain and worldwide. He is also an appointed member of the Ad hoc Working Group on the candidate European Union 5G Cybersecurity Certification Scheme (EU5G AHWG).

"Fernando Perera has been a Security Engineer at LAYAKK for 5 years, where he collaborates on RedTeam projects, development of security tools and software analysis. He has previously presented at RootedCON Satelite VLC 2016 and 2019, among other security events."


Related tools:
- Zephyr Project (
- Mirage Project ( and
- Sniffle (
Related papers:
- Bluetooth Core Specification (Revision: 5.2 - 2019-12-31). Core Specification Working Group
- Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks. Yue Zhang, Jian Weng, Rajib Dey, Yier Jin, Zhiqiang Lin, and Xinwen Fu