The Menace of Bluetooth Spam Attacks: A Deep Dive into Flipper Zero
Digital security is becoming a pressing issue as smart devices become more prevalent. This was exemplified by the discovery that a Flipper Zero device can flood nearby iPhones with Bluetooth pop-ups, a stark reminder of the cyber threats we face in our interconnected world.
The advent of Bluetooth spam attacks and the role of Flipper Zero in compromising digital security.
The Modus Operandi of Flipper Zero
The exploits were demonstrated by a security researcher, Anthony, who requested to be identified only by his first name. By leveraging Flipper Zero, a small, programmable device, he could initiate wireless attacks on devices within its range, including not just iPhones but also car key fobs, contactless cards, and more. The attack equates to a denial of service. A barrage of persistent Bluetooth pop-ups can render an iPhone nearly unusable.
Anthony described this exploit as a "Bluetooth advertising assault". Beyond being a minor inconvenience, it disrupts the seamless experience that Apple users are accustomed to. Anthony modified the Flipper Zero firmware to broadcast Bluetooth advertisements, the Bluetooth Low Energy transmissions that Apple devices rely on to discover and connect to nearby iDevices.
Testing the Exploit
TechCrunch replicated the exploit on two distinct iPhone models, an iPhone 8 and a newer iPhone 14 Pro. The proof-of-concept code from Anthony's blog was compiled into a firmware image and loaded onto a Flipper Zero. Once Bluetooth was activated on the Flipper Zero, the device began broadcasting advertisements that triggered pop-ups on the nearby iPhones.
The code was used to mimic a nearby AirTag, as well as to trigger a phone number transfer prompt. The tests were successful, though the barrage of notifications could only be partially replicated. For the AirTag mimicry, the Bluetooth range was found to be limited to close proximity, such as tapping the iPhone with the Flipper Zero. However, when running the code intended to trick a nearby iPhone into displaying a phone number transfer dialog, the Bluetooth range was much greater, reaching multiple iPhones simultaneously from a Flipper Zero on the other side of a room.
Exploits and Mitigation
The iPhone exploits were successful regardless of whether Bluetooth was toggled on or off in Control Center. However, the exploit could not be replicated when Bluetooth was turned off entirely in Settings. Anthony claims that he has created an attack that can work over thousands of feet by using an amplified board that broadcasts Bluetooth packets at a greater range than regular Bluetooth Low Energy devices.
To prevent these attacks, the researcher suggests that Apple ensure that only legitimate and valid Bluetooth devices can connect to an iPhone. Additionally, Apple could reduce the distance at which iDevices can connect to other devices over Bluetooth. Apple had not responded to a request for comment at the time of writing.
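As an added example (not code from the article or from the researcher), here is a small defender-side Python sketch of how one might spot the advertisement flood described above: it parses the AD structures of a BLE advertising payload, picks out manufacturer-specific data carrying Apple's Bluetooth SIG company identifier, and flags any sender whose rate of such advertisements exceeds a threshold. The sample packets, sender addresses and thresholds are constructed for illustration.

```python
# Defender-side detector for BLE advertisement floods (added example, not
# from the article). Parses advertising data (AD) structures, identifies
# manufacturer-specific data with Apple's company ID, and rate-limits per
# sender over a sliding window. Sample data and thresholds are constructed.
from collections import defaultdict, deque

APPLE_COMPANY_ID = 0x004C      # Bluetooth SIG assigned number for Apple, Inc.
AD_TYPE_MANUFACTURER = 0xFF    # AD type: Manufacturer Specific Data


def parse_ad_structures(payload: bytes):
    """Split a BLE advertising payload into (ad_type, data) tuples.
    Each structure is: length (1 byte), AD type (1 byte), data (length-1 bytes).
    A zero length terminates the payload; a truncated structure is an error."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        ad_type = payload[i + 1]
        out.append((ad_type, payload[i + 2 : i + 1 + length]))
        i += 1 + length
    return out


def is_apple_manufacturer_adv(payload: bytes) -> bool:
    """True if the payload carries manufacturer data with Apple's company ID
    (little-endian 16-bit value in the first two data bytes)."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            if int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID:
                return True
    return False


class AdvFloodDetector:
    """Flags a sender emitting more than max_per_window Apple-style
    advertisements within window_s seconds (sliding window)."""

    def __init__(self, max_per_window: int = 20, window_s: float = 5.0):
        self.max, self.window = max_per_window, window_s
        self.seen = defaultdict(deque)   # sender address -> recent timestamps

    def observe(self, ts: float, addr: str, payload: bytes) -> bool:
        """Record one advertisement; return True if this sender is flooding."""
        if not is_apple_manufacturer_adv(payload):
            return False
        q = self.seen[addr]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside window
            q.popleft()
        return len(q) > self.max
```

In a real deployment the payloads would come from a BLE sniffer capture rather than constructed bytes, and the threshold should be tuned against the normal advertising rate of legitimate nearby devices.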