This tiny device is sending updated iPhones into a never-ending DoS loop

 

One morning two weeks ago, security researcher Jeroen van der Ham was traveling by train in the Netherlands when his iPhone suddenly displayed a series of pop-up windows that made it nearly impossible to use his device.

 

“My phone was getting these popups every few minutes and then my phone would reboot,” he wrote to Ars in an online interview. “I tried putting it in lock down mode, but it didn't help.”

 

To van der Ham’s surprise and chagrin, the same debilitating stream of pop-ups hit again on the afternoon commute home, not just against his iPhone but the iPhones of other passengers in the same train car. He then noticed that one of the same passengers nearby had also been present that morning. Van der Ham put two and two together and fingered the passenger as the culprit.

“He was blithely working on some kind of app on his Macbook, had his iPhone out himself, connected through USB so he could still work while all around him apple devices were rebooting and he was not even paying attention to what was happening,” he said. “Your phone becomes almost unusable. You can still do stuff in between for a couple of minutes, so it's really annoying to experience. Even as a security researcher who had heard about this attack, it's really hard to realize that that is what's going on.”

“The jig is up”

The culprit, it turned out, was using a Flipper Zero device to send Bluetooth pairing requests to all iPhones within radio range. This slim, lightweight device has been available since 2020, but in recent months, it has become much more visible. It acts as a Swiss Army knife for all kinds of wireless communications. It can interact with radio signals, including RFID, NFC, Bluetooth, Wi-Fi, or standard radio. People can use it to covertly change the channels of a TV at a bar, clone some hotel key cards, read the RFID chip implanted in pets, open and close some garage doors, and disrupt the normal use of iPhones.

 

These types of hacks have been possible for decades, but they require special equipment and a fair amount of expertise. The capabilities generally required expensive SDRs—short for software-defined radios—that, unlike traditional hardware-defined radios, use firmware and processors to digitally re-create radio signal transmissions and receptions. The $200 Flipper Zero isn't an SDR in its own right, but as a software-controlled radio, it can do many of the same things at an affordable price and with a form factor that’s much more convenient than the previous generations of SDRs.

 

“The jig is up: software radios have made previously inaccessible attacks available to many more people than before, and work on them will continue,” Dan Guido, CEO of security firm Trail of Bits, wrote in an interview. “People who are casually interested in technology can now easily clone most hotel or office keycards. They don't need any knowledge of signals or have to mess with open source code or Linux. [It] definitely democratizes some formerly complex RF [radio frequency] hacking into the hands of mere mortals.”

 

The Flipper Zero manufacturer bills the device as a “portable multi-tool for pentesters and geeks” that’s suitable for hacking radio protocols and building access control systems, troubleshooting hardware, cloning electronic key cards and RFID cards, and for use as a universal TV remote. Its open source design allows users to flash the device with custom firmware to take on new capabilities.

 

Some of the specs for the device include:

 

• 1.4-inch monochrome LCD display
• GPIO pins for connecting external hardware that greatly expands its capabilities
• USB-C port for power and firmware updating
• micro SD card slot
• Infrared transceiver
• Sub-1 GHz antenna
• TI CC1101 chip
• 1-Wire pogo pin for reading contact keys
• 2000 mAh battery
• Low power MCU
• ARM Cortex-M4 32-bit 64 MHz (application processor)
• ARM Cortex-M0+ 32-bit 32 MHz (radio processor)

 

 

 

“The idea of Flipper Zero is to combine all the hardware tools you'd need for exploration and development on the go,” the manufacturer wrote. “Flipper was inspired by pwnagotchi project, but unlike other DIY boards, Flipper is designed with the convenience of everyday usage in mind—it has a robust case, handy buttons, and shape, so there are no dirty PCBs or scratchy pins.”

 

Despite its multifaceted capabilities, the Flipper Zero seems best known in recent weeks for its iPhone DoSing capabilities. The way Bluetooth works on iPhones and iPads makes them especially susceptible. Van der Ham flashed his device with custom firmware called Flipper Xtreme, which he acquired on a Discord channel devoted to the Flipper Zero. One firmware setting sends a constant stream of messages announcing the availability of a BLE (Bluetooth low energy) device nearby. This constant stream can be annoying for users of any device, but it doesn’t crash phones. A separate setting, labeled “iOS 17 attack,” is the one the train prankster used.

 

Van der Ham re-created the attack in a controlled environment, which worked just as it had during his earlier train commute.

 

Screenshot of an iPhone displaying pop-up

 

 

Curiously, the researcher could not make the attack crash iPhones running iOS versions prior to 17.0. Apple representatives didn’t respond to an email asking if the company plans to issue updates to prevent the crash-inducing stream of pop-ups.

They were never secure

For now, the only way to prevent such an attack on iOS or iPadOS is to turn off Bluetooth in the Settings app. As TechCrunch reporter Lorenzo Franceschi-Bicchierai discovered, using the Control Center to disable Bluetooth allows the unwanted Bluetooth notifications to continue unabated.

 

The Android and Windows platforms can reportedly be DoSed by Flipper Zero when it runs Flipper Xtreme. Bleeping Computer posted a video showing that the firmware appeared to flood a Samsung Galaxy phone with a never-ending flood of pop-ups, but it wasn’t immediately clear if the device ultimately crashed. (Van der Ham didn't test the non-iPhone settings.) To block such attacks on Android, open settings and search for “nearby share” (it’s located in slightly different places depending on the hardware manufacturer and Android version). Then toggle off “show notification.” On Windows, open Bluetooth settings and ensure that “Show notifications to connect using Swift Pair” is unchecked.

 

Unfortunately, the attacks have the potential to be so disruptive that it can be hard or impossible to make the necessary system changes when they’re ongoing.

 

Guido said there are many things Flipper Zero currently cannot do. Stealing a car is one of them since most key fobs use protocols that work on different radio frequencies than what a Flipper can access today. While attending the Defcon hacker conference in Las Vegas in August, he also confirmed that the device cannot clone key cards used at MGM hotels because they require hardware not currently available in the Flipper Zero. Moreover, the cards' manufacturer, HID, has added encryption that automatically protects information as it passes from the card to a reader.

 

Still, there's little doubt devices like the Flipper Zero are broadening the hacking capabilities of radio frequency (RF) devices all around us. The expansion will only grow as newer generations of the device are introduced.

 

“A lot of these simple RF technologies we use every day were not safe because no one put in the work to break them,” Guido said. “They were never secure. And now all those RF systems are open to being hacked by simple tools like a Flipper. But this is how everything goes. Attacks get better, become more accessible, and poorly secured technology eventually catches up.”