Hacking device Flipper Zero can spam nearby iPhones with Bluetooth pop-ups

Thanks to a popular and relatively cheap hacking tool, hackers can spam your iPhone with annoying pop-ups prompting you to connect to a nearby AirTag, Apple TV, AirPods, and other Apple devices.

A security researcher who asked to be referred to as only Anthony demonstrated this attack using a Flipper Zero, a small device that can be programmed to perform wireless attacks on devices in its range, such as iPhones, but also car keyfobs, contactless and RFID cards, and more. Anthony’s attack is essentially a denial-of-service. By pushing persistent pop-ups, someone can make an iPhone nearly unusable.

Anthony told TechCrunch that he called it “a Bluetooth advertising assault.”

“It’s not just a minor inconvenience; it can disrupt the seamless experience that Apple users are accustomed to,” he wrote in a blog post explaining the issue.

Anthony said he tweaked the Flipper Zero firmware to broadcast what are called Bluetooth Advertisements, a type of transmissions in the Bluetooth Low Energy protocol that Apple uses to give iDevices owners the ability to connect to an Apple Watch, other Apple devices, and send pictures to other iDevice owners using the Bluetooth file sharing system AirDrop.

As Anthony put it, these are “broadcast signals that devices use to announce their presence and capabilities.”

Using a Flipper Zero, TechCrunch was able to reproduce this attack on an iPhone 8 and a newer iPhone 14 Pro.

TechCrunch tested the exploit by compiling the proof-of-concept code from the security researcher’s blog into a firmware software file, which we then loaded into a Flipper Zero device we have. Once we replaced the Flipper Zero’s firmware with our custom compiled code, simply switching on Bluetooth from the Flipper Zero device began broadcasting the pop-up signals to the nearby iPhones.

We used the proof-of-concept code to imitate a nearby AirTag, and the other code for transferring a phone number. Both tests worked, though we could not immediately reproduce the barrage of notifications. Using the proof-of-concept code, we tricked two nearby iPhones into thinking they were close to two AirTags, but found that the Bluetooth range was limited to close proximity, such as tapping the iPhone with the Flipper Zero. We also successfully tested the code designed to trick a nearby iPhone into displaying a phone number transfer dialog, but found that the Bluetooth range was far greater and captured multiple iPhones at the same time using a Flipper Zero on the other side of a room.

The exploits worked on iPhones both when Bluetooth was enabled or switched-off in the Control Center, but could not reproduce the exploit when Bluetooth was fully switched off from the Settings.

Security researchers have been focusing on highlighting how malicious hackers could abuse Bluetooth to annoy iPhone owners lately. During the Def Con hacking conference in Las Vegas in August, a researcher scared and confused attendees by making alerts pop-up on their iPhones. The researcher used a $70 contraption made of a Raspberry Pi Zero 2 W, two antennas, a Linux-compatible Bluetooth adapter, and a portable battery. Using this device, the researcher was able to mimic an Apple TV and spam nearby devices.

Anthony said that he devised an attack that can work over “thousands of feet,” using an “amplified board” that can broadcast Bluetooth packets at a higher range than regular Bluetooth Low Energy devices. Anthony said he is not releasing details of that technique “due to major concerns,” such as giving others the ability to send spam pop-ups “across vast distances, potentially spanning miles.”

The researcher said Apple could mitigate these attacks by ensuring the Bluetooth devices connecting to an iPhone are legitimate and valid, and also reducing the distance at which iDevices can connect to other devices using Bluetooth.

Apple did not respond to a request for comment.


Do you have information about similar hacks against iPhones? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You also can contact TechCrunch via SecureDrop.

source

Leave a Reply

Your email address will not be published. Required fields are marked *