Thanks to a popular and relatively cheap hacking tool, hackers can spam your iPhone with annoying pop-ups asking you to connect to your AirTag, Apple TV, AirPods, and other Apple devices nearby.
A security researcher who asked to be identified only as Anthony demonstrated this attack using a Flipper Zero, a small device that can be programmed to carry out wireless attacks on devices within its range, such as iPhones, but also on car key fobs, wireless SIM cards, RFID cards, and more. Anthony's attack is essentially a denial of service. By pushing constant pop-ups, an attacker can make a target's iPhone almost unusable.
Anthony told TechCrunch that he called it a “Bluetooth ad assault.”
“It’s not just a minor inconvenience; it can disrupt the seamless experience Apple users have become accustomed to,” he wrote in a blog post explaining the issue.
Anthony said he modified the Flipper Zero firmware to broadcast what are called Bluetooth advertisements, a type of transmission in the Bluetooth Low Energy protocol that Apple uses to give iDevice owners the ability to connect to the Apple Watch and other Apple devices and send photos to other iDevice owners using the Bluetooth AirDrop file sharing system.
As Anthony puts it, these are “broadcast signals that devices use to announce their presence and capabilities.”
Using Flipper Zero, TechCrunch was able to reproduce this attack on the iPhone 8 and the newer iPhone 14 Pro.
TechCrunch tested the vulnerability by compiling the proof-of-concept code from the security researcher's blog into a firmware file, which we then loaded onto our existing Flipper Zero. Once we had replaced the Flipper Zero firmware with our custom wrapper code, the device began broadcasting pop-up signals to nearby iPhones as soon as Bluetooth was turned on from the Flipper Zero.
We used one piece of proof-of-concept code to mimic a nearby AirTag, and other code to relay a phone number. Both tests worked, though we couldn’t reproduce the barrage of notifications right away. Using the proof-of-concept code, we tricked two nearby iPhones into thinking they were close to two AirTags, but found that the Bluetooth range was limited to close proximity, such as tapping the iPhone with the Flipper Zero. We also successfully tested code designed to trick a nearby iPhone into displaying a phone number transfer dialog, but found the Bluetooth range to be much greater and captured multiple iPhones at the same time using the Flipper Zero on the other side of the room.
These attacks worked on iPhones when Bluetooth was enabled or turned off in Control Center, but we were unable to reproduce them when Bluetooth was turned off entirely from Settings.
Security researchers have recently focused on highlighting how malicious hackers have been abusing Bluetooth technology to inconvenience iPhone owners. During the Def Con hacking conference in Las Vegas in August, one researcher frightened and confused attendees by creating pop-up alerts on their iPhones. The researcher used a $70 contraption made from a Raspberry Pi Zero 2 W, two antennas, a Linux-compatible Bluetooth adapter, and a portable battery. Using this device, the researcher was able to imitate the Apple TV and send spam messages to nearby devices.
Anthony said he devised an attack that could operate “thousands of feet away,” using an “amplified board” that could broadcast Bluetooth packets over a longer range than regular low-power Bluetooth devices. Anthony said he is not publishing details of the technology “due to significant concerns,” such as giving others the ability to send unwanted pop-ups “over vast distances, potentially extending for miles.”
Apple can mitigate these attacks by ensuring that Bluetooth devices connecting to the iPhone are legitimate and valid, as well as by reducing the distance at which iDevices can communicate with other devices using Bluetooth, the researcher said.
Apple did not respond to a request for comment.
Do you have information about similar iPhone hacks? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.