
September 7, 2023

Apple users getting ‘flipped off’ with iOS Bluetooth spam attacks


A security researcher has recently shown that a small, portable pen-testing tool, the Flipper Zero, can be used to aggressively spam nearby Apple device users with bogus Bluetooth pairing prompts.

With minor tweaks to the Flipper Zero's firmware, the device can broadcast Bluetooth Low Energy (BLE) advertising packets that mimic the ones Apple devices and accessories use to announce themselves for discovery and pairing. An iPhone or iPad in range treats each spoofed advertisement as a nearby Apple device and displays a pop-up asking the user whether they want to connect to it. No pairing or connection has to be established for the pop-up to appear; receiving the advertisement is enough.

The Flipper Zero can repeatedly send these advertisements so that they appear to come from iPhones, AirTags, Apple TVs, and other Apple devices, so dismissing one prompt simply makes room for the next. The attack also works while the target is in Airplane Mode: on current iOS versions Airplane Mode leaves Bluetooth switched on by default, and Apple evidently did not anticipate that these advertisements would be spoofed at volume when it designed the feature.
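To make the mechanism concrete from the defensive side, the following Python is an added example (not code from the original post, from the researcher, or from the Flipper Zero firmware). It shows how a BLE sniffer or monitoring tool could parse raw advertising payloads, recognise Apple manufacturer-specific data (Bluetooth SIG company identifier 0x004C), and flag a burst of proximity-pairing advertisements arriving from many different addresses, which is what the spam looks like over the air. The reading of the byte after the company ID as the Apple Continuity message type, with 0x07 meaning proximity pairing, comes from public reverse-engineering write-ups rather than from this page, and the sample packets and addresses are constructed for the demo.

```python
"""
Added example, not code from the Field Effect post or the Flipper Zero
firmware: parse BLE advertising payloads and flag a burst of Apple-style
proximity-pairing advertisements like the spam described above.

Relies on: the AD-structure layout (length, type, data) from the Bluetooth
Core Specification; AD type 0xFF = manufacturer-specific data; company
identifier 0x004C = Apple, sent little-endian.
Assumptions (not from the post): the byte after the company ID is read as
the Apple "Continuity" message type, with 0x07 = proximity pairing, per
public reverse-engineering write-ups; packets and addresses are constructed.
"""
from collections import deque
from dataclasses import dataclass

AD_TYPE_MANUFACTURER = 0xFF
APPLE_COMPANY_ID = 0x004C
CONTINUITY_PROXIMITY_PAIRING = 0x07  # assumed mapping, see module docstring


def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.

    Stops at a zero-length structure (trailing padding) and rejects one whose
    declared length runs past the payload, malformed input a spammer may send.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        ad_type = payload[i + 1]
        structures.append((ad_type, bytes(payload[i + 2 : i + 1 + length])))
        i += 1 + length
    return structures


def apple_continuity_type(payload: bytes):
    """Return the Apple Continuity message-type byte, or None when the
    advertisement carries no Apple manufacturer-specific data."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) < 3:
            continue
        if int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID:
            return data[2]
    return None


@dataclass
class Observation:
    t: float        # seconds since capture start
    addr: str       # advertiser address as seen over the air
    payload: bytes  # raw advertising data


class SpamDetector:
    """Sliding-window detector.

    A genuine accessory advertises from one address at a modest rate, so more
    than `threshold` proximity-pairing adverts inside `window` seconds coming
    from at least `min_addrs` distinct addresses is flagged as spam.
    """

    def __init__(self, window: float = 5.0, threshold: int = 10, min_addrs: int = 3):
        self.window, self.threshold, self.min_addrs = window, threshold, min_addrs
        self.events: deque[tuple[float, str]] = deque()

    def observe(self, obs: Observation) -> bool:
        if apple_continuity_type(obs.payload) != CONTINUITY_PROXIMITY_PAIRING:
            return False
        self.events.append((obs.t, obs.addr))
        while self.events and obs.t - self.events[0][0] > self.window:
            self.events.popleft()
        distinct = {addr for _, addr in self.events}
        return len(self.events) > self.threshold and len(distinct) >= self.min_addrs


def scan(observations, **kw) -> list[float]:
    """Run the detector over a capture; return the timestamps that were flagged."""
    det = SpamDetector(**kw)
    return [o.t for o in observations if det.observe(o)]


# Constructed sample advertisement: Flags AD structure, then Apple
# manufacturer-specific data whose first payload byte is the assumed
# proximity-pairing type. The remaining bytes are filler, not a real model code.
FLAGS_AD = bytes([0x02, 0x01, 0x1A])

def apple_pairing_adv(filler: int) -> bytes:
    mfg = bytes([0x4C, 0x00, CONTINUITY_PROXIMITY_PAIRING, 0x19, 0x01, filler, 0x20])
    return FLAGS_AD + bytes([len(mfg) + 1, AD_TYPE_MANUFACTURER]) + mfg

def benign_capture() -> list[Observation]:
    """One accessory, one address, one advert per second (constructed)."""
    return [Observation(float(i), "aa:bb:cc:dd:ee:01", apple_pairing_adv(0x0E)) for i in range(20)]

def spam_capture() -> list[Observation]:
    """Thirty adverts in three seconds, each from a different address (constructed)."""
    return [Observation(i / 10, f"c0:ff:ee:00:00:{i:02x}", apple_pairing_adv(i & 0xFF)) for i in range(30)]


if __name__ == "__main__":
    print("benign flagged at:", scan(benign_capture()))
    print("spam flagged at:  ", scan(spam_capture()))
```

The thresholds are illustrative; a real deployment would tune `window`, `threshold` and `min_addrs` against a baseline of what legitimate Apple accessories in the environment emit, and would feed the detector from an actual HCI or sniffer capture rather than the constructed lists above.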

The attack currently reaches only devices within normal Bluetooth range. However, another researcher claims to have built an amplifier that could extend its footprint to thousands of feet, and has opted not to release it due to abuse and security concerns.

Flipper Zero Device (Source: joom.com)

Source: Bleeping Computer

Analysis

As it stands, this attack is more of an annoyance than a real security threat, similar to people using Apple's AirDrop feature on planes to send unsolicited memes and other pictures to nearby Apple users who accept the request.

Should the range of the attack increase (and at least one method for this appears to have been developed), it could evolve into a more serious threat, especially if unsuspecting users accept the prompts and subsequently connect to malicious devices.

Mitigation

Apple does not yet appear to have released a patch for this issue; it will likely be addressed in an upcoming iOS update. Until then, Field Effect recommends that users of Bluetooth-capable devices ignore pairing requests from unknown devices and contacts. Users who want the pop-ups to stop entirely should note that the Control Center toggle only disconnects Bluetooth accessories until the next day; Bluetooth has to be switched off in Settings to stop the device from listening for these advertisements.
