Hackers can attack your iPhone using Bluetooth advertising packets, even if you’re in Airplane Mode, and effectively prevent you from being able to use it. It’s only a matter of time, one security researcher warns, before malicious actors start employing similar tactics to steal credentials by faking trusted notifications.
Def Con iPhone Hacking Shenanigans
During the Def Con 2023 hacking conference in Las Vegas in August, someone managed to hack the hackers. Well, sort of. They used a Raspberry Pi and some other cheap bits and pieces to send Bluetooth advertising packet pop-ups to any iPhone within range. That these pop-ups require no Bluetooth pairing to appear is a feature, not a bug. It caused a fuss at the time, as it seemed that someone was exploiting some kind of Apple zero-day, because it impacted people who had disabled Bluetooth via the iOS Control Center or by using Airplane Mode. Of course, this wasn’t the case, but for a few hours, people who knew about such things were wondering.
Hacker Flips iPhone Availability Switch Using BLE Attack
Then, as I reported on 6 September for Forbes, things got a bit more serious. A vulnerability researcher and reverse engineering hacker known as Techryptic detailed how they could use a similar technique to create a denial of service attack against iPhones. Instead of a Raspberry Pi, however, Techryptic employed a $169 hacking Swiss Army knife known as a Flipper Zero. Once flashed with the appropriate firmware, this readily available gadget could be used to spoof those advertising packets using Bluetooth Low Energy protocols. By so doing, someone can spam nearby iPhones with these BLE-powered packets, such as a request to connect with Apple TV as a new user. Continuously sending these packets denies service to the target device, effectively crashing your iPhone.
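The mechanism above is a flood of unpaired advertising packets, so the defender-side view is a scanner that watches how often Apple-tagged advertisements arrive and from how many source addresses. The following is an added example, not code from the article or from Techryptic: it parses the length/type/data structures of a BLE advertising payload, picks out the manufacturer company ID (0x004C is Apple’s Bluetooth SIG identifier; 0xFF is the manufacturer-specific AD type), and flags a burst from many distinct addresses, which is how a spammer cycling random addresses differs from a single nearby device. The capture and payload bodies are constructed placeholders, not real Continuity messages.

```python
APPLE_COMPANY_ID = 0x004C    # Bluetooth SIG company identifier assigned to Apple
AD_TYPE_MANUFACTURER = 0xFF  # "Manufacturer Specific Data" AD type (Core spec)

# Constructed sample advertisements: a Flags structure followed by a
# manufacturer-specific structure. The Apple body bytes are an opaque
# placeholder, not a real Continuity message.
APPLE_ADV = bytes([0x02, 0x01, 0x06, 0x07, 0xFF, 0x4C, 0x00, 0x00, 0x00, 0x00, 0x00])
OTHER_ADV = bytes([0x02, 0x01, 0x06, 0x05, 0xFF, 0xFF, 0xFF, 0x11, 0x22])  # 0xFFFF: test ID

def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) tuples; stop at a zero
    length or truncated structure instead of reading past the buffer."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def company_id(payload: bytes):
    """Return the little-endian company ID from manufacturer data, or None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            return int.from_bytes(data[:2], "little")
    return None

def flood_score(events, window_s=1.0):
    """events: (timestamp_s, source_addr, payload). Return the largest number of
    Apple-tagged packets in any sliding window and how many distinct source
    addresses they came from; a spammer cycles random addresses, a real device does not."""
    apple = sorted((t, a) for t, a, p in events if company_id(p) == APPLE_COMPANY_ID)
    best, start = (0, 0), 0
    for end in range(len(apple)):
        while apple[end][0] - apple[start][0] > window_s:
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, len({a for _, a in apple[start:end + 1]}))
    return best

def is_flood(events, min_packets=20, min_addrs=5):
    count, addrs = flood_score(events)
    return count >= min_packets and addrs >= min_addrs

def sample_events(flood: bool):
    """Constructed capture: two devices advertising at 1 Hz; with flood=True, a burst
    of 30 Apple-tagged packets in under half a second from 30 random addresses."""
    events = [(float(t), "aa:bb:cc:dd:ee:01", APPLE_ADV) for t in range(5)]
    events += [(t + 0.3, "11:22:33:44:55:66", OTHER_ADV) for t in range(5)]
    if flood:
        events += [(2.0 + i * 0.015, f"ra:nd:om:00:00:{i:02x}", APPLE_ADV) for i in range(30)]
    return events
```

Feeding real scanner output in the same (timestamp, address, payload) shape is enough to use it; the thresholds are starting points to tune against the normal advertising rate where the scanner sits.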
First iPhone Denial Of Service Attack In Public Reported
Fast-forward a couple of months, and the attack methodology has hit the headlines again, with Ars Technica reporting that such a denial of service incident hit a security researcher during a train journey. It looks like someone has now created a script to execute the Bluetooth advertising packet spamming attack using a suitably flashed Flipper Zero.
As far as I can tell, such attacks are few and far between and fall under the just-for-lolz category currently. It’s no laughing matter, however, if you need your iPhone for something critical and cannot use it at that moment because some clown thinks it’s funny. Indeed, there is the potential for this attack methodology to evolve into something much more malicious, as Techryptic warned back on 1 September: “There’s potential for malicious actors to exploit this for nefarious purposes, such as a type of phishing attack by mimicking trusted notifications.”
Flipper Zero Attack Impossible Without Firmware Switch
A Flipper Zero spokesperson told me that the company had “taken necessary precautions to ensure the device can’t be used for nefarious purposes” and that such an attack was impossible to execute using the default hardware. “Since the firmware is open source, individuals can adjust it and use the device in an unintended way, but we don’t promote this and condone the practice if the goal is to act maliciously.” As already mentioned, it’s quite possible for precisely the same denial of service attack to be carried out by someone using a Raspberry Pi together with an antenna and a Bluetooth adaptor.
Protecting yourself from such an attack requires disabling Bluetooth from the Settings menu (the Control Center toggle and Airplane Mode are not enough) or running in Lockdown Mode. However, any attacker must be at reasonably close range to pull off such an attack using a Flipper Zero, as its Bluetooth range is quite limited. That assumes a Flipper Zero is the device being used and that no signal-boosting additions have been fitted. In the meantime, I wouldn’t worry too much, as it remains an unlikely threat vector for now.
I have approached Apple for a statement but had not heard back at the time of publication.