Thyrasec Blog / News

BLE Attacks and Real World Consequences

Flipper Zero Attack at MFF interfering with an insulin pump medical device

The Flipper Zero platform has been a boon for penetration testing. If you’re not familiar with it, it has several interfaces such as Bluetooth, 915MHz, NFC and others. Beyond that, it can capture and replay signals, or perform attacks that are already implemented.

A recent event shows how simple devices like the Flipper Zero can have dangerous consequences. The Flipper Zero has a Bluetooth LE radio, which means it can send custom-crafted BLE packets. A recent DDoS capability is to send packets pretending to be a device that needs a connection, such as AirPods or other devices sold by Google and Apple.

To make pairing with devices easy, Apple and Google platforms show users notifications for these devices. The Flipper Zero and similar platforms can spam Android and iOS devices by pretending to be these devices, flooding them with so many packets and notifications that systems crash. Obviously, Apple and Google never imagined someone could experience this.

This is where the problem starts. People have been using the Flipper Zero to crash Apple devices, and at the Midwest FurFest convention some people were impacted. In this case, it was an insulin pump controlled via Bluetooth LE, where Android was crashing because of this:

It’s very likely that the person running this attack is just trying to annoy. But the consequences are real. Lack of insulin can be a life-threatening condition, and while the person doing this attack may think it’s just an annoyance, it can obviously have a real impact.

Apple seems to have mitigated the Flipper Zero BLE spamming issue in iOS 17.2 by throttling the notifications significantly, but not eliminating them (or the simple pairing mechanism would be impacted). The only way to really avoid this issue is disabling Bluetooth in either iOS or Android to avoid receiving the packets. Android still doesn’t seem to have mitigated the issue, but we’d expect this to be addressed at some point.
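One way to spot this kind of flood from a BLE scanner's log, as an added example that is not from the original post: it parses each advertisement and alerts when many distinct addresses send pairing-prompt adverts within a short window. The window and threshold values, the Apple message-type constant (taken from public protocol research) and the sample payloads are assumptions constructed for illustration.

```python
from collections import deque

APPLE_COMPANY_ID = 0x004C         # Bluetooth SIG company identifier for Apple
FAST_PAIR_UUID = 0xFE2C           # 16-bit service UUID used by Google Fast Pair
APPLE_PROXIMITY_PAIRING = 0x07    # assumption: type value from public protocol research
# Constructed sample payloads with placeholder bodies (not captured traffic)
APPLE_PAIR = bytes([0x02, 0x01, 0x06, 0x05, 0xFF, 0x4C, 0x00, 0x07, 0x00])
FAST_PAIR = bytes([0x06, 0x16, 0x2C, 0xFE, 0x00, 0x00, 0x00])
APPLE_OTHER = bytes([0x05, 0xFF, 0x4C, 0x00, 0x10, 0x00])

def ad_structures(payload: bytes):
    """Yield (ad_type, data) pairs; stop quietly on a malformed length byte."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def is_pairing_prompt(payload: bytes) -> bool:
    """True if the advert is of a kind that makes a phone show a pairing pop-up."""
    for ad_type, data in ad_structures(payload):
        if ad_type == 0xFF and len(data) >= 3:    # Manufacturer Specific Data
            company = int.from_bytes(data[:2], "little")
            if company == APPLE_COMPANY_ID and data[2] == APPLE_PROXIMITY_PAIRING:
                return True
        if ad_type == 0x16 and int.from_bytes(data[:2], "little") == FAST_PAIR_UUID:
            return True                           # Service Data for Fast Pair
    return False

def detect_flood(adverts, window=5.0, max_sources=8):
    """Timestamps where > max_sources distinct addresses sent prompts within window s."""
    recent, alerts = deque(), []
    for ts, addr, payload in adverts:
        if not is_pairing_prompt(payload):
            continue
        recent.append((ts, addr))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len({a for _, a in recent}) > max_sources:
            alerts.append(ts)
    return alerts

def sample_stream():
    """Constructed input: a few ordinary adverts, then 20 new addresses within 2 s."""
    quiet = [(0.0, "aa:01", APPLE_PAIR), (1.0, "aa:02", FAST_PAIR), (2.0, "aa:03", APPLE_OTHER)]
    burst = [(10.0 + n * 0.1, f"rnd:{n:02d}", APPLE_PAIR if n % 2 else FAST_PAIR) for n in range(20)]
    return quiet + burst
```

Counting distinct source addresses rather than raw packets keeps one genuine accessory that advertises frequently from tripping the alert.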

Obviously both Apple and Google had a failure of imagination – they didn’t realize people would do this in practice.

We love devices like Flipper Zero, but the flip side of having these devices is that it makes attacks much more accessible to people who may not consider the ramifications, even when it’s an attack intended to mostly annoy. At the same time, now that this issue is known, it’s being addressed.

More Information

Flipper Zero can now spam Android, Windows users with Bluetooth alerts