
Originally featured on my Medium publication: Open Source Skills
After reading about a recent iPhone bluetooth vulnerability from a variety of sources including TechCrunch, I decided to test this out for myself to see how hard it was to actually pull off.
So how hard was it?
Spoiler alert: Surprisingly easy!
The even more unfortunate part about this exploit is that it currently exists on recent versions of iOS 17, and there currently is no known way to prevent this other than disabling bluetooth. To be fair, the risk vector is quite low as there is no permanent hardware damage and it requires being in close proximity (within 5 meters), but still hopefully a patch is forthcoming from Apple soon.
Below is a step-by-step guide on how to replicate the attack with your own Flipper Zero. Please keep in mind that this information is for informational purposes only — exploiting devices you do not own is illegal.
Step 1: Download Flipper Xtreme-Firmware
Go to https://github.com/Flipper-XFW/Xtreme-Firmware and follow the Install instructions (I recommend using the Web Installer for ease of use).
Step 2: Open BLE Spam app
Now that the Xtreme-Firmware has been installed, navigate to your Apps->Bluetooth folder by pressing the center button on the Flipper’s d-pad, and select BLE Spam.
Step 3: Select Spam Attack
There are a total of 6 attacks available in the current version of BLE Spam:
- Kitchen Sink (Flood all attacks at once)
- iOS 17 Lockup Crash (Newer iPhones, long range). I can confirm that this one in fact does crash an iPhone 15 Pro Max, running on the latest version of iOS 17!
- Apple Action Modal (Lock cooldown, long range)
- Apple Device Popup (No cooldown, close range)
- Android Device Pair (Reboot cooldown, long range)
- Windows Device Found (Requires enabling SwiftPair)
Step 4: Test the Exploits
Make sure the Flipper Zero is directly next to the phone for your first test. I had varying degrees of success testing the exploits at various ranges, but it always worked well when the devices were next to each other.
I’ve had both the Kitchen Sink and iOS 17 Lockup Crash attacks completely freeze my iPhone. In this case, just do a hard reset and your phone will boot up good as new.
The Android Device Pair attack on my Pixel 6 Pro wasn’t as bad — I never got it to crash my phone, but it’s still annoying. Endless pop-ups render the phone unusable until bluetooth is disabled.
Conclusion
As you can see, with the right hardware this can be reproduced in a matter of minutes. There is no patch for this currently; the only mitigation is disabling bluetooth.
The implementation as-is seems to be more useful as a prank, but this vulnerability could be the tip of the iceberg. I’m sure Apple (and Google) are aware of this, so some sort of fix is likely coming down the wire at some point.
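Since the only mitigation the post identifies is turning bluetooth off, the other thing a defender can do is notice when this kind of advertisement flood is happening nearby. The following is an added example, not code from the original post or from the Xtreme-Firmware project: a small rate-based detector that runs over a BLE advertisement capture and raises an alert when a sliding window sees either an unusual number of advertisements or an unusual number of distinct random addresses (spam tools rotate through random addresses, so a single-address rate check alone would miss them). The log line layout, the window length, the thresholds and the sample capture are all constructed assumptions for this example; a real deployment would feed it lines from whatever sniffer is in use.

```python
"""Rate-based detector for BLE advertisement floods (added example).

Assumptions (not from the original post): the capture is a text log with one
advertisement per line in the constructed form
    <epoch_seconds> <address> <addr_type> <company_id_hex>
The thresholds below are illustrative starting points, not tuned values.
"""
from collections import Counter, deque

WINDOW_SECONDS = 5.0            # sliding window length (assumed)
FLOOD_THRESHOLD = 20            # advertisements per window that count as a flood (assumed)
DISTINCT_ADDR_THRESHOLD = 10    # distinct random addresses per window (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, address, addr_type, company_id)."""
    ts, addr, addr_type, company = line.split()
    return float(ts), addr, addr_type, int(company, 16)


def detect_floods(lines, window=WINDOW_SECONDS, flood=FLOOD_THRESHOLD,
                  distinct=DISTINCT_ADDR_THRESHOLD):
    """Return a list of (timestamp, reason) alerts.

    One alert is emitted when the window first crosses a threshold; the
    detector then stays quiet until the window drops back below both
    thresholds, so a sustained flood produces a single alert, not one per packet.
    """
    window_q = deque()          # (timestamp, address, addr_type) inside the window
    per_addr = Counter()        # advertisements per address inside the window
    alerts = []
    flooding = False
    for line in lines:
        ts, addr, addr_type, _company = parse_line(line)
        window_q.append((ts, addr, addr_type))
        per_addr[addr] += 1
        # Evict advertisements that have fallen out of the sliding window.
        while window_q and ts - window_q[0][0] > window:
            _, old_addr, _ = window_q.popleft()
            per_addr[old_addr] -= 1
            if per_addr[old_addr] == 0:
                del per_addr[old_addr]
        total = len(window_q)
        random_addrs = {a for _, a, t in window_q if t == "random"}
        reason = None
        if total >= flood:
            reason = f"{total} advertisements in {window}s"
        elif len(random_addrs) >= distinct:
            reason = f"{len(random_addrs)} distinct random addresses in {window}s"
        if reason and not flooding:
            alerts.append((ts, reason))
            flooding = True
        elif not reason:
            flooding = False
    return alerts


# Constructed sample capture: a quiet period with two known devices, followed
# by a burst that mimics a spam tool rotating through random addresses.
# Company ids are Bluetooth SIG assigned numbers (0x004C Apple, 0x0006 Microsoft).
SAMPLE_LOG = [
    "1000.0 AA:BB:CC:00:00:01 public 004C",
    "1002.0 AA:BB:CC:00:00:02 public 0006",
    "1004.0 AA:BB:CC:00:00:01 public 004C",
    "1006.0 AA:BB:CC:00:00:02 public 0006",
    "1008.0 AA:BB:CC:00:00:01 public 004C",
] + [
    f"{1020.0 + i * 0.05:.2f} 4E:{i:02X}:11:22:33:44 random 004C" for i in range(30)
]


if __name__ == "__main__":
    for ts, reason in detect_floods(SAMPLE_LOG):
        print(f"ALERT t={ts:.2f}: {reason}")
```

On the constructed sample the quiet period produces nothing, and the burst produces exactly one alert, triggered by the distinct-random-address rule before the raw count rule fires. The two rules are deliberately independent: a single misbehaving peripheral with a fixed address trips the count rule, while an address-rotating spammer trips the distinct-address rule even at lower rates.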