Can you test our device without source code or firmware images?

Yes. Wireless testing is inherently black-box at the radio layer. Source code helps us interpret findings faster and build a deeper GATT permission matrix, but we can run a complete engagement against a production unit alone.

Do we need to ship hardware to your lab, or can you come on-site?

Both. Most engagements happen in our lab - we have shielded enclosures, SDR rigs, and protocol analyzers ready. For sterile-field or fixed-install devices (e.g., surgical robots, MRI-adjacent systems) we travel on-site.

Will this satisfy FDA's expectation that every interface is tested?

Yes. The Feb 2026 FDA premarket cybersecurity guidance explicitly expects testing of every external interface. Our reports map each radio to your threat model, risk file, and the relevant guidance section so reviewers see the loop closed.

Do you cover proprietary RF, or only standards-based protocols like BLE and Wi-Fi?

Both. Proprietary sub-GHz and 2.4 GHz protocols are a specialty - we capture with SDRs (HackRF, LimeSDR), reverse engineer the framing and crypto, and build custom fuzzers when warranted.

What about regulatory test conditions - do we need an anechoic chamber?

Not for security testing. Our lab uses shielded enclosures to contain transmissions and avoid FCC issues. We are not an FCC certification lab - we test the protocol stack, not the radio's regulatory compliance.

How does this fit alongside a full medical-device pen test?

If you need full coverage (firmware, mobile app, cloud, wireless), our Medical Device Penetration Testing service bundles all of it. À la carte BLE/RF is best when you've already tested other interfaces or are filling a deficiency from a prior submission.

How long does a typical engagement take?

Two to four weeks for single- or multi-radio scopes. Complex proprietary protocols or mesh networks can extend to six to eight weeks depending on reverse-engineering depth.

What deliverables do we get?

Executive summary, technical findings with reproductions and packet captures, AAMI TIR57 risk-file mapping, FDA-ready evidence appendix, and a remediation re-test report after fixes land.

Can you respond to a specific FDA deficiency about wireless testing?

Yes. We routinely scope targeted engagements to close a specific AI-letter deficiency, with a turnaround designed to fit the 180-day FDA response window.

Do you need an NDA before scoping?

We sign mutual NDAs on request before any technical detail is exchanged. The 30-minute scoping call can also stay at the architecture-overview level until the NDA is in place.

À La Carte Wireless Pen Testing

BLE & RF Pen Testing for Connected Devices.

Targeted wireless interface testing for BLE, Wi-Fi, NFC, and proprietary RF protocols - the attack surface generic pen testers can't reach. Reviewer-ready evidence for FDA premarket and EU MDR submissions.

100+ wireless interfaces tested. Zero FDA rejections.

BLE & GATT
Wi-Fi & EAP
Proprietary RF / SDR
NFC & RFID

Scope My Wireless Pen Test

Free 30-min scoping call
Fixed-fee quote in 24 hours
Senior wireless tester, not a generalist
SDR + protocol fuzzing in-house
Re-test included

Trusted by leading MedTech companies since 2014

Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

Last reviewed May 2026

Why Generic Pen Testers Skip the Wireless Interface

Most penetration testing firms run nmap, nessus, and a Burp scan. None of those touch the actual radio. FDA's Feb 2026 guidance expects every interface to be exercised - and the wireless interface is where patient data leaves the device.

No SDR or RF Tooling

Without HackRF, Ubertooth, or a logic analyzer on hand, the tester literally cannot observe the protocol they're supposed to attack.

BLE GATT Treated as a Black Box

Generic firms enumerate services then stop. Real testing exercises every characteristic permission, pairing mode, and bonding edge case.

No Threat-Model Linkage

Findings arrive as a CSV of protocol oddities with no mapping to your AAMI TIR57 risk file - so reviewers can't trace the controls.

What's included

Reviewer-ready deliverables in one engagement

Every ble & rf penetration testing engagement ships with the artifacts FDA reviewers expect to see - traceable, complete, and aligned with current guidance.

BLE pairing, bonding, and GATT attribute testing
Wi-Fi association, EAP, and rogue-AP scenarios
Proprietary RF protocol fuzzing (sub-GHz, 2.4 GHz)
NFC/RFID replay, relay, and clone attempts
SDR-based capture, demod, and replay
Findings mapped to threat model + AAMI TIR57 risk file

Attack surface

What We Actually Test

Scope is à la carte - pick the radios in your device. We bring the lab, the SDRs, and the protocol expertise.

Bluetooth Low Energy (BLE)

Pairing mode review (Just Works, Passkey, OOB, Numeric Comparison)
Bonding key storage and re-pairing abuse
GATT service and characteristic permission audit
MITM via active relay (Btlejack, GATTacker)
Connection parameter abuse and DoS
Privacy / address randomization validation

Wi-Fi & 802.11

WPA2/WPA3 handshake capture and offline analysis
EAP method enumeration (PEAP, TLS, TTLS) and rogue AP
Association flooding, deauth, and Evil Twin scenarios
Captive portal and provisioning flow review
Hidden SSID and management frame abuse

Proprietary & Sub-GHz RF

SDR capture (HackRF / LimeSDR / RTL-SDR) and demodulation
Protocol reverse engineering from physical layer up
Replay, jamming, and selective-jam scenarios
Cryptographic primitive review (rolling code, AES-CCM)
Fuzzing of identified protocol fields

NFC, RFID & Cellular

NFC tag clone, replay, and relay (Proxmark3)
ISO 14443 / 15693 protocol abuse
Cellular modem AT-command surface review
SIM / eSIM provisioning flow inspection

How it works

Engagement Methodology

Four phases. Two to four weeks. Reviewer-ready evidence at the end.

01

Scoping & Threat Model Intake

We review your AAMI TIR57 threat model, architecture diagrams, and intended-use radios. We agree on test environment (lab device vs. on-site), credentials, and out-of-scope frequencies.
02

Lab Setup & Baseline Capture

We build a controlled RF environment using shielded enclosures where required, baseline normal protocol behavior, and confirm coverage of every radio in scope.
03

Active Testing & Exploitation

Manual protocol attacks across pairing, association, and data flows. SDR-based fuzzing of proprietary layers. Each finding reproduced with packet captures saved as evidence.
04

FDA-Ready Reporting & Re-test

Findings mapped to your threat model, risk file, and the Feb 2026 FDA guidance. Re-test of remediated findings included until you pass.

Pricing guidance

Pricing Guidance

Fixed-fee. We quote within 24 hours of a scoping call. Ranges below assume a single device under test in our lab.

Single Radio

$12k – $22k

BLE-only wearable, single-protocol device, or a tightly-scoped retest of a previously assessed radio.

1 radio interface in depth
Threat-model-aligned report
One round of re-test
AAMI TIR57 + FDA mapping

Multi-Radio

$22k – $45k

Most connected devices: BLE + Wi-Fi, or BLE + proprietary RF, with a moderate GATT surface and OTA path.

2–3 radio interfaces
GATT permission + pairing-mode matrix
SDR capture and protocol RE
Two rounds of re-test

Complex / Proprietary

$45k – $90k+

Devices with proprietary sub-GHz protocols, mesh networks, or multiple paired peripherals (e.g., surgical platforms, infusion ecosystems).

Full protocol reverse engineering
Custom fuzzer development
Mesh / multi-peripheral scenarios
Dedicated senior wireless lead

What drives the price

Number of distinct radios in scope (BLE, Wi-Fi, RF, NFC, cellular)
Whether the protocol is standards-based or proprietary
Test environment (our lab, your lab, on-site at hospital)
Need for shielded enclosure / FCC-controlled test conditions
Depth of GATT surface (number of services and characteristics)
Inclusion of OTA update path testing

Ranges are guidance only. Actual quotes are fixed-fee after a 30-minute scoping call.

Get a fixed-fee quote

FAQ

BLE & RF Pen Testing FAQs

In their words

Backed by MedTech leaders.

"Blue Goat Cyber's depth of expertise was impressive. We had no in-house cybersecurity experience, and their team guided us through every step of the FDA process. The penetration testing and SBOM testing were thorough and gave us complete confidence."

Hank Tucker

CEO · MedTech Manufacturer

Ready to start BLE & RF Penetration Testing?

BLE & RF Penetration Testing - scoped, fixed-fee, FDA-ready.

Scope My Wireless Pen Test See all services