In September, 9to5Mac reported that Flipper Zero, a popular and cheap hacking tool, was being used to wreak havoc on nearby iPhones and iPads, spamming them with fake Bluetooth pop-ups until they eventually crashed.
Despite many iOS 17 updates since, including last week’s release of new iOS 17.2 betas, Apple has yet to implement safeguards to prevent the attack. So, what gives?
Flipper Zero attack using iPhone Bluetooth exploit
Out of the box, Flipper Zero can be a pretty harmless device. It’s sold as a portable multi-tool for penetration testers and hobbyists that can be programmed to control multiple radio protocols.
However, since the firmware is open source, it can be modified with new software that turns it into a low-orbiting ion cannon for bad actors to point at unsuspecting victims.
As first pointed out by security researcher Techryptic, Ph.D., once additional software is loaded onto the Flipper Zero it can perform Denial of Service (DoS) attacks, spamming iPhones and iPads with an overwhelming number of Bluetooth connection notifications that cause the device(s) to freeze up and then reboot. It takes about 5 minutes to regain full functionality.
The attack uses a Bluetooth Low-Energy (BLE) pairing sequence flaw. Apple uses several BLE technologies in its ecosystem, including AirDrop, HandOff, iBeacon, HomeKit, and plenty to do with Apple Watch.
A prominent feature of BLE is its ability to send advertising packets, or ADV packets, that identify local devices to iPhones and iPads. It’s thanks to these packets that activities such as pairing new AirPods or connecting to an Apple TV are done with a slick animated pop-up.
Unfortunately, these ADV packets can be spoofed, and this is what hackers are taking advantage of…with the help of a Flipper Zero.
Protecting against Flipper Zero attack
Flipper Zero has an okay-ish Bluetooth radio range of about 50 meters (~164 feet), which means pulling off a DoS attack requires the attacker to be fairly close to their targets, yet far enough away to wreak havoc on a coffee shop or sporting event without being noticed.
What’s alarming about this attack is there’s no realistic way to protect devices yet.
Top comment by Peter Johnson
The solution is presumably to automatically suspend Bluetooth operation temporarily if there are too many messages incoming, or limit the queue size and discard any overflow, with a non-scary message.
Apple could do that if there were actually lots of reported cases of this in the wild, or a security threat was perceived, but I don’t see what people have to gain from this.
The only thing users can do is disable Bluetooth in the Settings app if they begin to notice unfamiliar Bluetooth pop-up notifications. Not a solution by any stretch. This will significantly limit functionality, and Apple will re-enable it every time you update to the latest version of iOS.
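To make the throttling idea from the top comment concrete, here is an added example (not Apple code or anything from the Flipper Zero project) of how a proximity-pairing prompt could be rate-limited on the receiving side: prompts are counted in a sliding window, and once a burst exceeds the threshold the pop-ups are suspended for a cooldown and replaced by a single calm notice. The thresholds, the `PromptThrottle` class and the event stream are all hypothetical and constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PromptThrottle:
    """Rate-limits pairing pop-ups triggered by BLE advertising (ADV) packets.

    Hypothetical mitigation: count prompts in a sliding window; when the burst
    threshold is exceeded, suspend prompts for a cooldown period and surface one
    non-scary notice instead of a flood of pairing dialogs.
    """
    window_s: float = 10.0     # sliding window length in seconds
    max_prompts: int = 5       # prompts allowed per window before suspension
    cooldown_s: float = 60.0   # how long prompts stay suspended after a burst
    _recent: deque = field(default_factory=deque)  # timestamps of shown prompts
    _suspended_until: float = -1.0
    dropped: int = 0
    notices: list = field(default_factory=list)

    def handle_adv(self, now: float) -> str:
        """Decide what to do with one ADV-triggered prompt: 'show', 'drop' or 'notice'."""
        # Forget prompts that have fallen out of the sliding window
        while self._recent and now - self._recent[0] > self.window_s:
            self._recent.popleft()
        if now < self._suspended_until:
            self.dropped += 1
            return "drop"
        if len(self._recent) >= self.max_prompts:
            # Burst detected: enter cooldown and tell the user once, quietly
            self._suspended_until = now + self.cooldown_s
            self._recent.clear()
            self.dropped += 1
            self.notices.append(f"{now:.1f}s: pairing pop-ups paused for {self.cooldown_s:.0f}s")
            return "notice"
        self._recent.append(now)
        return "show"


def simulate(event_times):
    """Run a list of ADV prompt timestamps through the throttle; return action counts and the throttle."""
    throttle = PromptThrottle()
    counts = {"show": 0, "drop": 0, "notice": 0}
    for now in event_times:
        counts[throttle.handle_adv(now)] += 1
    return counts, throttle


# Constructed sample: two legitimate prompts, then a 40-packet spoofed burst over 4 seconds
SAMPLE = [0.0, 3.0] + [5.0 + i * 0.1 for i in range(40)]

if __name__ == "__main__":
    counts, throttle = simulate(SAMPLE)
    print(counts, throttle.notices)  # {'show': 5, 'drop': 36, 'notice': 1}
```

The two legitimate prompts and the first few burst packets still get their pop-up; the rest of the burst is discarded behind one notice, and prompts resume once the cooldown expires.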
What is Apple doing?
For a company with one of the best security track records, Apple has yet to acknowledge the BLE flaw that’s being exploited. The reason could be technical, but many believe Apple is not taking the exploit seriously as it doesn’t pose a big enough threat to users and/or user privacy.
Let us know what you think in the comments below.