Crashing iPhones with a Flipper Zero

The Flipper Zero is an incredibly versatile hacking device. Now it can be used to crash iPhones in its vicinity by sending them a never-ending stream of pop-ups.

These types of hacks have been possible for decades, but they have required special equipment and a fair amount of expertise. The capabilities generally required expensive SDRs (short for software-defined radios) that, unlike traditional hardware-defined radios, use firmware and processors to digitally re-create radio signal transmissions and receptions. The $200 Flipper Zero isn’t an SDR in its own right, but as a software-controlled radio it can do many of the same things at an affordable price and with a form factor that’s much more convenient than previous generations of SDRs.
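The "stream of pop-ups" is delivered over Bluetooth Low Energy advertisements, so the defender's view of it is a burst of advertisement frames. As an added example (not code from the original post or from the Flipper project), here is a small parser for the BLE advertising-data format together with a flood-detection heuristic run over a constructed capture. It assumes advertisement frames are available from a sniffer as (timestamp, advertiser address, raw payload) tuples; the length/type/data structure and the 0xFF manufacturer-specific type come from the Bluetooth Core Specification, and 0x004C is Apple's Bluetooth SIG company ID. The per-second threshold, the other-vendor ID 0xBEEF and the sample frames are assumptions made for illustration and do not reproduce any real payload.

```python
"""Parse BLE advertising data and flag advertisement floods.

Added example, not part of the original post. The AD-structure layout
(1-byte length, 1-byte type, payload) and the 0xFF manufacturer-specific
type with a little-endian company ID follow the Bluetooth Core Spec;
Apple's company ID is 0x004C. Everything else (threshold, sample frames,
addresses, the 0xBEEF "other vendor" ID) is constructed for illustration.
"""
from collections import defaultdict

APPLE_COMPANY_ID = 0x004C
AD_TYPE_FLAGS = 0x01
AD_TYPE_MANUFACTURER = 0xFF


def parse_ad_structures(payload: bytes):
    """Split a raw advertising payload into (ad_type, data) tuples.

    A length byte that runs past the end of the buffer ends parsing
    instead of raising: a hostile or corrupted frame must not take the
    monitor down with it.
    """
    out = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:          # zero-length structure: padding, stop here
            break
        end = i + 1 + length
        if end > len(payload):   # truncated structure: drop it
            break
        out.append((payload[i + 1], payload[i + 2:end]))
        i = end
    return out


def manufacturer_id(payload: bytes):
    """Company ID from the manufacturer-specific AD structure, or None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            return int.from_bytes(data[:2], "little")
    return None


def detect_floods(events, window_s=1.0, max_apple_per_window=20):
    """Flag windows with more than max_apple_per_window Apple-vendor adverts.

    events: iterable of (timestamp_seconds, adv_addr, raw_payload).
    Returns [(window_start, count, distinct_addrs)]; a flood from one
    transmitter typically rotates its address, so distinct_addrs close
    to count is the tell-tale sign rather than a crowd of real devices.
    The threshold is an assumption; tune it to the site's baseline.
    """
    buckets = defaultdict(list)
    for ts, addr, payload in events:
        if manufacturer_id(payload) == APPLE_COMPANY_ID:
            buckets[int(ts // window_s)].append(addr)
    alerts = []
    for w in sorted(buckets):
        addrs = buckets[w]
        if len(addrs) > max_apple_per_window:
            alerts.append((w * window_s, len(addrs), len(set(addrs))))
    return alerts


def sample_events():
    """Constructed capture: two benign frames, a 60-frame burst, one more benign."""
    # Flags structure (len 2, type 0x01) + manufacturer structure (len 5,
    # type 0xFF, company 0x004C little-endian, two dummy bytes).
    apple_frame = bytes([0x02, AD_TYPE_FLAGS, 0x06,
                         0x05, AD_TYPE_MANUFACTURER, 0x4C, 0x00, 0x01, 0x02])
    other_vendor = bytes([0x02, AD_TYPE_FLAGS, 0x06,
                          0x05, AD_TYPE_MANUFACTURER, 0xEF, 0xBE, 0x01, 0x02])
    events = [(0.1, "aa:bb:cc:dd:ee:01", apple_frame),
              (0.2, "aa:bb:cc:dd:ee:02", other_vendor)]
    # Burst: 60 Apple-vendor frames in half a second, each from a fresh address.
    for k in range(60):
        events.append((5.0 + k * 0.008, f"c0:ff:ee:00:00:{k:02x}", apple_frame))
    events.append((10.0, "aa:bb:cc:dd:ee:01", apple_frame))
    return events


if __name__ == "__main__":
    for start, count, distinct in detect_floods(sample_events()):
        print(f"flood at t={start:.0f}s: {count} Apple adverts "
              f"from {distinct} distinct addresses")
```

The parser is deliberately tolerant of malformed length bytes because a monitor that crashes on a bad frame is itself a denial-of-service target; the detection keys on the vendor ID and address churn rather than on any particular payload, so it does not need to know the specific message the pop-ups use.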

Posted on November 6, 2023 at 9:45 AM

Comments

emily’s post November 6, 2023 10:28 AM

Grasshopper, a quarterstaff wielded by unskilled hands is no different from a gift presented to your adversary.

Sid Justice November 6, 2023 10:54 AM

Anyone in possession of an FZ can have it concealed in their pocket, sitting or walking in a park, and harvest your contact info, phone, address, name – if you happen to walk nearby with your chipped doggie. US CBP seized that shipment of 15K FZs but released them again. Why? Because they KNOW that any dipstick can google how to put together an SDR using a RasPi or Lime SDR, etc. – cheaply. You can’t stop the progress/evolution. Try you can.

Clive Robinson November 6, 2023 12:47 PM

@ Bruce,

The author of the article needs to “get out more”

“The $200 Flipper Zero isn’t an SDR in its own right, but as a software-controlled radio, it can do many of the same things at an affordable price…”

You can get an SDR that transmits 10mW over a much greater range and for a greater distance than the Tamagotchi-like Flipper Zero for about 1/10th the price. And a “Single Board Computer” (SBC) more capable than the Flipper Zero for a quarter of that price.

There is also a 15USD “child’s toy” you can buy that uses the same radio chip as the Flipper, and its control chip is reprogrammable.

The only thing the Flipper really has going for it is a more newbie-friendly OS and a cool case. Which in turn has caused a lot of “Me Too Projects” to be easily available for download.

But I’m not at all surprised about Bluetooth jamming; it’s way too easy to do and the details are fairly freely available on the Web. Oh, and remember, on newer Apple and Android phones that got through C19, Bluetooth is not truly switched off under user control any more.

Also with other devices, “Jam a GSM phone” that still supports 2G is almost trivially possible. I mentioned there was a YouTube page highlighting some of this over on the Squid page earlier today; the site is,

https://m.youtube.com/@RobVK8FOES/videos

But it’s far from alone.

The simple fact is that few if any systems that are designed for “consumer use” on an “Over The Air”(OTA) interface are secure, especially if the organisation behind it is a well known “French Infested” European Agency who have produced so many backdoored stream encryption systems (look up A5/1 on Wikipedia).

And the way the EU Council of Ministers are going, everything will have a backdoor for alleged CSAM prevention reasons, which any sane person will realise will quickly get abused in many ways (look at the current nonsense in India, where those who are in opposition to the incumbent are discovering quite nasty stuff being hidden on their phones etc. by malware that just “walks in a backdoor”).

Fazal Majid November 6, 2023 1:10 PM

Apple’s software has a shockingly bad record of parser vulnerabilities. It’s likely their shoddy QA practices don’t include any fuzzing at all, and in their complacency they are falling further behind the other Big Tech companies that have invested in technologies like profile-guided fuzzing.

lurker November 6, 2023 2:33 PM

Bluetooth-LE, huh? Our local supermarket recently got new shelf price tags that can be instantly changed via a comms chip in the corner. My first thought was: how secure?

@Clive: while I share your enthusiasm for cobbling up hacks from bits and bobs, the Flipper device must surely be a more civilised way to pentest a supermarket.

Shane November 6, 2023 3:11 PM

@lurker
@Clive: while I share your enthusiasm for cobbling up hacks from bits and bobs, the Flipper device must surely be a more civilised way to pentest a supermarket.

How about an Android phone with an SDR plugged into it? The Flipper looks out of place in general, let alone if you connect a BLE or WiFi expansion board to it. It’s a fun toy, but any risk it poses is much more concerning when attacked with other, much more capable devices such as the HackRF One, the Ubertooth One, or in the case of WiFi a laptop.

Clive’s mention of an SBC might conjure images of a cobbled-together replacement for the Flipper; however, the Flipper isn’t the best or most capable device and it looks just as out of place as a Raspberry Pi Zero with a battery pack would.

lurker November 6, 2023 4:23 PM

@Shane

Concealed in a pocket a Flipper would look just as out of place as a pack of cigarettes, about the same size …

Why? November 6, 2023 6:48 PM

@Shane

Re: watch?v=GmfM8VCAu-I

I get that it’s possible to do a lot on a small form factor, but what is the point of installing Kali on a non-rooted device? Mediated access to the hardware would make it mostly useless for pen-testing, no? A lot of the comments on that YouTube video seem inauthentic to me.

Clive Robinson November 6, 2023 7:54 PM

@ lurker, Shane,

Re : Size is generally inversely related to noticeability.

“while I share your enthusiasm for cobbling up hacks from bits and bobs, the Flipper device must surely be a more civilised way to pentest a supermarket.”

I design small prototype payloads for aerospace type applications.

The smallest devices I’ve knocked up in the past have been about the same size as a larger stamp-sized coin cell. The design in one case was four layers: two outer solar cells, an inner coin cell, and the nano-sized SBC and RF comms board. As such it was sufficient to be space-worthy and be heard from LEO or closer.

You can get something similar from Apple themselves, without the solar cells but in a rugged plastic housing and with a buzzer; they call it an AirTag…

More recently I’ve been involved with designing “EM sensor pods” for drones. Things about the size of a slightly bigger “test tube” or a smaller aluminium cigar tube.

Such devices can include a complete SDR that can also TX and a stripped-down WiFi or Bluetooth USB dongle.

Whilst a little “power hungry”, it would happily be hidden on your forearm –held in place with Elastoplast– under your shirt and talk to a smart watch or phone.

In fact for quite a bit of “hacking” you actually don’t need anything more than a smart watch and an app, as the RF interfaces you most likely will need come “built right in” on a “System On a Chip” (SoC) microcontroller device. As the WiFi, Bluetooth, NFC, etc. “Over The Air” (OTA) / wireless interfaces are not just now standard but as ubiquitous as ketchup these days, especially in IoT devices.

For instance have a look at some of the PCBs in the smaller IoT light bulbs or ultra small CCTV units some of which come with cheap consumer drones.

Or for the more technically minded, look at what you can get for pocket change –in quantity– from an RF SoC manufacturer like Nordic Semiconductor,

https://www.nordicsemi.com/products/nrf52832

Like as not, the “supermarket price tags” you mention use similar.

DarkCity on a Hill November 6, 2023 8:12 PM

This Flipper Zero and similar gadgets are going to cause MAJOR troubles for the safety and security of many people worldwide, I’m afraid. We all know that there are too many unstable individuals out there off leash, ready to toy with other people’s well-being or even livelihood. Take, for instance, Bluetooth hearing aids. Many people wearing them are controlling them through their smartphones, so how does one go about protecting himself from a sudden volume increase in hearing aids to the max – that would really hurt. These things must be discussed, for it’s only a matter of time before some sicko thinks that “it would be fun” to hurt innocent people.

Shane November 6, 2023 8:39 PM

@Clive
“In fact for quite a bit of “hacking” you actually don’t need anything more than a Smart Watch and an App as the RF interfaces you most likely will need come “built right in” on a “System On a Chip”(SoC) microcontroller device. As the WiFi, BlueTooth, NFC, etc “Over The Air”(OTA) / wireless interfaces are not just now standard but as ubiquitous as ketchup these days, especially in IoT devices.”

This is exactly the argument I was making. There are more capable devices, like a cell phone, which have more computing power, more radios, and don’t stand out as some weird techy gadget like a flipper with the expansion boards would.

@DarkCity – The real question should be “Why are medical device manufacturers leaving their devices vulnerable to attacks from a $200 toy?” Hopefully the Flipper just serves as a bit of extra motivation for companies to look at all of the various RF technologies they are using and make sure they are implemented in a secure fashion. Think of it as real world bug hunting.

Clive Robinson November 6, 2023 9:59 PM

@ DarkCity on a Hill, Shane, ALL,

Re : Open skies allow for tempests.

“Many people wearing them are controlling them through their smartphones so how does one go about protecting himself from sudden volume increase in hearing aids to the max”

I’m guessing you are a bit of a new reader here. As @Shane has pointed out,

“Why are medical device manufacturers leaving their devices vulnerable to attacks from a $200 toy?”

Medical devices are of great concern to me and have been for many years. In part because they use ubiquitous interfaces and plaintext signalling (the US Medtronic being but one of many offending companies), but also because they often have no audit logging on the control interface.

Thus consider one of many types of implanted medical devices that could induce VF or other arrhythmias in your heart… VF medically is one of the biggest “just dropped dead for no apparent reason” causes of terminal “Sudden Death Syndrome” (SDS),

https://www.healthline.com/health/sudden-death-syndrome

Back in the days of the George W. Bush administration, one of his sidekicks learned two decades ago or more about this particular security risk, probably from a Secret Service briefing (they take these matters ‘to heart’, as it were)… The result: he insisted on having any radio interface disabled when he had a box dropped in his chest…

“Former Vice President Dick Cheney came clean in an interview to CBS’ “60 Minutes,” revealing that when he had a device implanted to regulate his heartbeat in 2007, he had his doctors disable its wireless capabilities to prevent against a possible assassination attempt.”

https://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434

I’ve previously given reasons why security is avoided in implanted medical devices, but it’s an issue that is not going to go away until NIST pulls its proverbial “thumb out” of its… Because the FDA, run and controlled as it is by “industry interests”, is not going to talk about it, let alone do anything about it, unless there is an undeniable case of remote assassination by implant and the MSM take up the case volubly. Which history shows is very unlikely to happen without a recorded audit trail of the control interface, which of course is not kept…
