A security researcher caused something of a kerfuffle during the Def Con 2023 hacking conference in Las Vegas last month. Some attendees with iPhones were shocked to see an Apple pop-up notification asking them to connect to a nearby Apple TV device using their Apple ID credentials. Not least because some of the hackers on the receiving end of these Bluetooth-powered prompts were running with Bluetooth disabled. Or so they thought. Now, another security researcher has demonstrated a similar hack that uses a readily available hacking device to spam nearby iPhones with pop-up notifications and effectively execute a denial of service attack.
The Def Con 2023 iPhone Hacker
In the case of the iPhone Def Con hacker, a scrap-built device was constructed using a Raspberry Pi, a couple of antennas, and a Bluetooth adaptor. This enabled them to convince any nearby iPhones that it was an Apple TV and send what are known as Bluetooth advertising packets. The critical thing is that these packets require no Bluetooth pairing, so the pop-ups appear without any pairing step on the part of the victim.
The Flipper Zero iPhone Hack Attack Explained
Now, another researcher has pulled off a similar proof-of-concept attack using a readily available hacker gadget called a Flipper Zero. This gadget can, among other things, spoof the aforementioned advertising packets using Bluetooth Low Energy protocols. This Flipper Zero hack will repeatedly send the notification signal so that the pop-up is continuously displayed.
Going by the name of Techryptic, this vulnerability researcher, reverse engineer, and technology enthusiast blogged that “this mimicry can be more than just an annoyance” for iOS users. The scenarios for using this form of Bluetooth spamming attack include pranking someone with an influx of device notification pop-ups, testing BLE implementations for vulnerability detection purposes, and, most worryingly, malicious intent.
“While less common,” Techryptic writes, “there’s potential for malicious actors to exploit this for nefarious purposes, such as a type of phishing attack by mimicking trusted notifications.”
It’s important, however, to note that this is impossible using the default Flipper Zero hardware. “We have taken necessary precautions to ensure the device can’t be used for nefarious purposes,” a Flipper Zero spokesperson says. “Since the firmware is open source, individuals can adjust it and use the device in an unintended way, but we don’t promote this and condone the practice if the goal is to act maliciously.” The spokesperson went on to state that, potentially, someone could repurpose an Android phone, for example, with custom firmware to achieve the same result. “This is why,” they concluded, “we agree with the researcher that Apple should implement safeguards and eliminate the problem at its core.”
This Hack Still Works With Bluetooth Disabled From iPhone Control Center
The attack method works even when Bluetooth has been disabled from Control Center or by using airplane mode, which may surprise you. If so, you’ll be even more surprised to discover that disabling Bluetooth this way, erm, doesn’t fully disable it. Instead, you need to turn it off directly in your device settings, or run your iPhone in Lockdown Mode, to prevent these advertising pop-ups from being received.
How To Prevent This New iPhone Bluetooth Hack Attack
The good news is that an attacker would need to be at close range for the Flipper Zero hack to work, as it has a pretty limited Bluetooth range. However, while Techryptic isn’t making the details public, TechCrunch reported that an amplified board has been built that can transmit the necessary signals “across vast distances, potentially spanning miles.”
I have approached Apple for a statement but had not heard back at the time of publication. Hopefully, Apple is paying attention and will take the advice from Techryptic to ensure that Bluetooth device connections “are legitimate and valid” in iOS 17, as well as reduce the workable distance for such connections.