Until now, it was possible to spam proximity pairing messages only to iOS devices, using a Flipper Zero, an Arduino board or any Android device, as explained in my previous blog here. Recently, however, the developers of the Xtreme firmware for Flipper Zero pushed an update of the BLE Spam application that, besides spamming iPhones, can also spam Android and Windows devices. This update is not available in the officially released version of the Xtreme firmware, but you can download it as a dev release. These dev updates are available on the XFW Discord, or you can download them easily from here.
In this blog I will test it using Flipper Zero against iOS, Android and Windows at once and show you how to send these Bluetooth Low Energy (BLE) spam messages from any Android smartphone and even customize them.
This is another level; you can locally spam three major operating systems at once using a Flipper Zero. It is a local attack; however, based on my tests, the range of the long-distance BLE messages is around 50 meters when targeting iOS and Android. For Windows, the range is less than a meter.
Once the user taps Start, the Flipper starts to send advertisement beacons simulating connection requests from five defined devices such as Bose NC 700, JBL Buds Pro, JBL Live 300TWS, JBL Flip 6, and Pixel Buds. You can see the notifications below. These notifications are displayed only if the user has enabled the Scan for nearby devices option, which is enabled by default.
On Windows, these notifications are displayed if the Show notifications to connect using Swift Pair option is enabled, which it is by default on Windows 10. From the BLE Spam menu, select Windows Device Found, and one of the hard-coded messages will be displayed at the bottom right of the Windows machine; see Figure 7.
Can you recognize who is in the last notification? It is Talking Sasquach. This custom pop-up was built specifically for him, since he is cooperating and consulting on new BLE Spam features with the developer Spooks4576. If you would like to know more, I advise you to check his recent YouTube video about Flipper Zero Custom BLE Spam for Android & Windows.
To impersonate one of the five defined devices that would pair with Android, you need to create a new advertising packet and add three records. Start with Service Data. In the first row, define FE2C as the UUID, which represents the Fast Pair service. In the second row, enter the hex value that represents the device to impersonate. The list of five devices is available on the Flipper Xtreme Firmware GitHub and for convenience I copied it below:
Android uses a model where the same device can send only a few (around five) pairing notifications in a row, after which it is ignored by the system. If Android users would like to prevent even these notifications, they can disable them in Settings -> Google -> Devices & sharing -> Devices -> Scan for nearby devices, as you can see in Figure 15, or by disabling Bluetooth.
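The following added example is not part of the original post or of the Xtreme firmware. It takes the defender's side of the Fast Pair packet described above: it parses raw advertising payloads for FE2C service data and flags any time window in which more distinct model IDs appear than a normal environment would produce. The sample payloads, the placeholder model IDs, the window length and the threshold are constructed assumptions.

```python
FAST_PAIR_UUID = 0xFE2C    # Fast Pair service UUID named in the post
AD_SERVICE_DATA_16 = 0x16  # AD type "Service Data - 16-bit UUID"


def parse_ad(payload: bytes):
    """Yield (ad_type, data) for each length-prefixed AD structure."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # zero padding or truncated record: stop parsing
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length


def fast_pair_model(payload: bytes):
    """Return the 3-byte model ID (hex) carried in FE2C service data, else None."""
    for ad_type, data in parse_ad(payload):
        if ad_type == AD_SERVICE_DATA_16 and len(data) == 5:
            if int.from_bytes(data[:2], "little") == FAST_PAIR_UUID:
                return data[2:].hex()
    return None


def flood_alerts(frames, window=10.0, max_models=3):
    """frames: (timestamp_seconds, payload). Alert when more than max_models
    distinct model IDs are seen within `window` seconds (assumed thresholds)."""
    recent, alerts = [], []
    for ts, payload in sorted(frames, key=lambda f: f[0]):
        model = fast_pair_model(payload)
        if model is None:
            continue
        recent = [(t, m) for t, m in recent if ts - t <= window] + [(ts, model)]
        models = sorted({m for _, m in recent})
        if len(models) > max_models:
            alerts.append((ts, models))
    return alerts


def sample_advert(model_hex: str) -> bytes:
    """Constructed advert: Flags record followed by FE2C service data."""
    return bytes.fromhex("020106" + "06162cfe" + model_hex)


# Constructed capture: four placeholder model IDs in 3 s, then quiet traffic.
SAMPLE = [(0.0, sample_advert("aabb01")), (1.0, sample_advert("aabb02")),
          (2.0, sample_advert("aabb03")), (3.0, sample_advert("aabb04")),
          (30.0, sample_advert("aabb01")), (31.0, bytes.fromhex("0201060303aafe"))]

if __name__ == "__main__":
    for ts, models in flood_alerts(SAMPLE):
        print(f"t={ts}s: {len(models)} Fast Pair model IDs in window: {models}")
```

To use it on live traffic, feed `flood_alerts` the timestamp and raw advertising data of each frame from whatever BLE scanner or capture you already have.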
This is the power of your signal. It is the strongest if set to 1dBm. You can easily change it in the Options menu when editing the Advertising packet. I explained these steps in my previous blog: -hacker.com/2023/09/07/spoof-ios-devices-with-bluetooth-pairing-messages-using-android/ Feel free to check it out.
Hi, first of all, thanks for this article! Inspired by your guide, I created an Android app to play around with that stuff. Currently it supports the Google Fast Pairing (Android Nearby) popups by just clicking one button in the app. I plan to take a look at iOS and Windows spoofing next. Maybe some people are interested in it:
Some attacks for devices which may be sent some prompt through Bluetooth causing some phones to fail due to BLE Spam. In this instance of attack, a device with Bluetooth on has no choice but to receive the prompt over and over.
Hello! For the past year I have been trying to make an alternative or a device similar to the Flipper Zero. Let's just say I couldn't make it. I have an ESP32 WROOM, a breadboard, jumper wires, a non-colour 0.92 inch OLED display and some pushbuttons.
A recent event shows how simple devices like the Flipper Zero can have dangerous consequences. The Flipper Zero has a Bluetooth LE radio, which means it can send custom-crafted BLE packets. A recent DDoS capability is to send packets pretending to be a device that needs a connection, such as AirPods or other devices sold by Google and Apple.
To make pairing with devices easy, Apple and Google platforms show users notifications for these devices. The Flipper Zero and similar platforms can spam Android and iOS devices by pretending to be these devices, flooding them with so many packets and notifications that it caused systems to crash. Obviously they never imagined someone could experience this.
This is where the problem starts. People have been using the Flipper Zero to crash Apple devices, and at the Midwest FurFest convention some people were impacted. In this case, an insulin pump controlled via Bluetooth LE, where Android is crashing because of this: