Editor’s note: Updated at 11 a.m. PT with a statement from Flipper Devices and information about a prior similar project on GitHub.
The iPhone makes it easy to connect to Bluetooth devices, such as AirTags or AirPods. However, a hacker has discovered a way to hijack your iPhone and flood it with prompts to connect to devices, making it difficult to use the iPhone.
A security researcher called Techryptic (identified as “Anthony” by TechCrunch) published a blog post and a video demonstration showing how a Flipper Zero can be used to flood an iPhone with the connection notifications that you usually see with Bluetooth devices. As Techryptic puts it, an attacker can “effectively launch a DDOS [distributed denial-of-service] notification attack on any iOS device.” The barrage of notifications would make it practically impossible for anyone to use the iPhone.
According to the Flipper Zero website, a Flipper Zero is a $169 device used to “explore any kind of access control system, RFID, radio protocols, and debug hardware using GPIO pins.” Techryptic used a Flipper Zero to broadcast the Bluetooth advertisements that Apple devices use to let users make connections.
Flipper Devices, the company behind the Flipper Zero, sent a statement to Macworld, saying that this functionality is not possible to do on the default Flipper Zero hardware. “We have taken necessary precautions to ensure the device can’t be used for nefarious purposes,” said a Flipper Devices representative. “Since the firmware is open source, individuals can adjust it and use the device in an unintended way, but we don’t promote this and condone the practice if the goal is to act maliciously.”
Techryptic states that this attack can be used simply as a prank or for security research. Techryptic also noted that a future blog post will explain how it can be used maliciously. Techryptic’s blog post says the Flipper Zero has a limited range, so an attacker needs to be within close proximity of the target. But TechCrunch was told that a Flipper Zero could be outfitted with an “amplified board” to extend the range to “thousands of feet.”
Macworld received an email claiming that Techryptic’s work is based on a project called AppleJuice, which is posted to the GitHub account of ECTO-1A and includes “scripts [that] are an experimental PoC [proof of concept] that uses Bluetooth Low Energy (BLE) to send proximity pairing messages to Apple devices.” The AppleJuice project was created on GitHub on August 24 and was inspired by a demonstration of persistent iPhone Bluetooth pop-ups at Def Con last month.
How to protect yourself from fake Bluetooth notifications
Neither Techryptic nor the AppleJuice project states whether Apple was notified of the security hole. Considering the tone of the Techryptic post (it was titled “Annoying Apple Fans”), Apple likely did not receive notice from Techryptic prior to the post. Typically, security researchers do not reveal their findings until Apple has released a fix.
TechCrunch reports that Apple can mitigate the attacks “by ensuring the Bluetooth devices connecting to an iPhone are legitimate and valid, and also reducing the distance at which iDevices can connect to other devices using Bluetooth.” Apple would deliver such a fix through an iOS update, so it’s important to keep your iPhone up to date.
But until Apple issues a fix, keep in mind that this attack is rare. That matters because the only practical way for users to protect themselves is to turn off Bluetooth, which isn’t ideal. If you get an unfamiliar notification to connect to a device, be cautious and turn down the request if you can. Since this attack could inundate your iPhone with notifications, you may have to try leaving the area and shutting down your phone to stop the attack.