Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    À La Carte Wireless Pen Testing

    BLE & RF Pen Testing for Connected Devices.

    Targeted wireless interface testing for BLE, Wi-Fi, NFC, and proprietary RF protocols - the attack surface generic pen testers can't reach. Reviewer-ready evidence for FDA premarket and EU MDR submissions.

    100+ wireless interfaces tested. Zero FDA rejections.

    • BLE & GATT
    • Wi-Fi & EAP
    • Proprietary RF / SDR
    • NFC & RFID
    • Free 30-min scoping call
    • Fixed-fee quote in 24 hours
    • Senior wireless tester, not a generalist
    • SDR + protocol fuzzing in-house
    • Re-test included
    Trusted by leading MedTech manufacturers since 2014 · See client outcomes and awards
    Christian Espinosa, Founder & CEO

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Last reviewed

    Why Generic Pen Testers Skip the Wireless Interface

    Most penetration testing firms run nmap, nessus, and a Burp scan. None of those touch the actual radio. FDA's Feb 2026 guidance expects every interface to be exercised - and the wireless interface is where patient data leaves the device.

    No SDR or RF Tooling

    Without HackRF, Ubertooth, or a logic analyzer on hand, the tester literally cannot observe the protocol they're supposed to attack.

    BLE GATT Treated as a Black Box

    Generic firms enumerate services then stop. Real testing exercises every characteristic permission, pairing mode, and bonding edge case.

    No Threat-Model Linkage

    Findings arrive as a CSV of protocol oddities with no mapping to your AAMI TIR57 risk file - so reviewers can't trace the controls.

    Attack surface

    What We Actually Test

    Scope is à la carte - pick the radios in your device. We bring the lab, the SDRs, and the protocol expertise.

    Bluetooth Low Energy (BLE)

    • Pairing mode review (Just Works, Passkey, OOB, Numeric Comparison)
    • Bonding key storage and re-pairing abuse
    • GATT service and characteristic permission audit
    • MITM via active relay (Btlejack, GATTacker)
    • Connection parameter abuse and DoS
    • Privacy / address randomization validation

    Wi-Fi & 802.11

    • WPA2/WPA3 handshake capture and offline analysis
    • EAP method enumeration (PEAP, TLS, TTLS) and rogue AP
    • Association flooding, deauth, and Evil Twin scenarios
    • Captive portal and provisioning flow review
    • Hidden SSID and management frame abuse

    Proprietary & Sub-GHz RF

    • SDR capture (HackRF / LimeSDR / RTL-SDR) and demodulation
    • Protocol reverse engineering from physical layer up
    • Replay, jamming, and selective-jam scenarios
    • Cryptographic primitive review (rolling code, AES-CCM)
    • Fuzzing of identified protocol fields

    NFC, RFID & Cellular

    • NFC tag clone, replay, and relay (Proxmark3)
    • ISO 14443 / 15693 protocol abuse
    • Cellular modem AT-command surface review
    • SIM / eSIM provisioning flow inspection
    How it works

    Engagement Methodology

    Four phases. Two to four weeks. Reviewer-ready evidence at the end.

    1. 01

      Scoping & Threat Model Intake

      We review your AAMI TIR57 threat model, architecture diagrams, and intended-use radios. We agree on test environment (lab device vs. on-site), credentials, and out-of-scope frequencies.

    2. 02

      Lab Setup & Baseline Capture

      We build a controlled RF environment using shielded enclosures where required, baseline normal protocol behavior, and confirm coverage of every radio in scope.

    3. 03

      Active Testing & Exploitation

      Manual protocol attacks across pairing, association, and data flows. SDR-based fuzzing of proprietary layers. Each finding reproduced with packet captures saved as evidence.

    4. 04

      FDA-Ready Reporting & Re-test

      Findings mapped to your threat model, risk file, and the Feb 2026 FDA guidance. Re-test of remediated findings included until you pass.

    What's included

    Reviewer-ready deliverables in one engagement

    Every ble & rf penetration testing engagement ships with the artifacts FDA reviewers expect to see - traceable, complete, and aligned with current guidance.

    • BLE pairing, bonding, and GATT attribute testing
    • Wi-Fi association, EAP, and rogue-AP scenarios
    • Proprietary RF protocol fuzzing (sub-GHz, 2.4 GHz)
    • NFC/RFID replay, relay, and clone attempts
    • SDR-based capture, demod, and replay
    • Findings mapped to threat model + AAMI TIR57 risk file
    Pricing guidance

    Pricing Guidance

    Fixed-fee. We quote within 24 hours of a scoping call. Ranges below assume a single device under test in our lab.

    Single Radio

    $12k - $22k

    BLE-only wearable, single-protocol device, or a tightly-scoped retest of a previously assessed radio.

    • 1 radio interface in depth
    • Threat-model-aligned report
    • One round of re-test
    • AAMI TIR57 + FDA mapping

    Multi-Radio

    $22k - $45k

    Most connected devices: BLE + Wi-Fi, or BLE + proprietary RF, with a moderate GATT surface and OTA path.

    • 2-3 radio interfaces
    • GATT permission + pairing-mode matrix
    • SDR capture and protocol RE
    • Two rounds of re-test

    Complex / Proprietary

    $45k - $90k+

    Devices with proprietary sub-GHz protocols, mesh networks, or multiple paired peripherals (e.g., surgical platforms, infusion ecosystems).

    • Full protocol reverse engineering
    • Custom fuzzer development
    • Mesh / multi-peripheral scenarios
    • Dedicated senior wireless lead

    What drives the price

    • Number of distinct radios in scope (BLE, Wi-Fi, RF, NFC, cellular)
    • Whether the protocol is standards-based or proprietary
    • Test environment (our lab, your lab, on-site at hospital)
    • Need for shielded enclosure / FCC-controlled test conditions
    • Depth of GATT surface (number of services and characteristics)
    • Inclusion of OTA update path testing

    Ranges are guidance only. Actual quotes are fixed-fee after a 30-minute scoping call.

    Related Premarket services

    FAQ

    BLE & RF Pen Testing FAQs

    Ready to start BLE & RF Penetration Testing?

    BLE & RF Penetration Testing - scoped, fixed-fee, FDA-ready.

    Targeted wireless interface testing for BLE, Wi-Fi, NFC, and proprietary RF protocols - the attack surface generic pen testers can't reach. Reviewer-ready evidence for FDA premarket and EU MDR submissions.