Spam iOS, Android and Windows with Bluetooth pairing messages using Flipper Zero or Android smartphone

by Prapattimynk, Tuesday, 17 October 2023 (4 months ago)

Until now, proximity pairing messages could only be used to spam iOS devices, using a Flipper Zero, an Arduino board or any Android device, as explained in my previous blog here. Recently, however, the developers of the Xtreme firmware for Flipper Zero pushed an update of the BLE Spam application that, besides spamming iPhones, can also spam Android and Windows devices. This update is not available in the officially released version of the Xtreme firmware, but you can download it as a dev release. These dev updates are available on the XFW Discord, or you can download them easily from here.

In this blog I will test it using Flipper Zero against iOS, Android and Windows at once and show you how to send these Bluetooth Low Energy (BLE) spam messages from any Android smartphone and even customize them.

How it works?

Windows and Android use technology similar to what Apple uses to pair BLE devices with an iPhone or iPad. Apple calls it proximity pairing, Windows calls it Swift Pair, and Google calls its service Fast Pair. All of them work the same way: if a BLE gadget such as headphones that is ready to pair is in the vicinity of a device, it starts to broadcast advertising beacons to notify that device.

If these beacons are intercepted, they could be replayed by another BLE device to spoof the gadget or even advertise custom messages.

Spam iOS, Android, and Windows at once

This is another level: you can locally spam three major operating systems at once using Flipper Zero. It is a local attack; however, based on my tests, the range of these BLE messages is around 50 meters when targeting iOS and Android. For Windows, the range is less than a meter.

If you want to spam each system separately, you can do so as well. Since iOS is already covered in my previous blog, I will continue with Android and Windows.

Starting with Android, in Flipper go to Apps -> Bluetooth -> BLE Spam and search for Android Device Pair, see Figure 1.

Figure 1. Android Device Pair BLE Spam messages

Once the user taps Start, Flipper starts to send advertisement beacons simulating connection requests from five defined devices: Bose NC 700, JBL Buds Pro, JBL Live 300TWS, JBL Flip 6, and Pixel Buds. You can see the notifications below. These notifications are displayed only if the user has the Scan for nearby devices option enabled, which it is by default.

Figure 2. Pixel Buds
Figure 3. Bose NC 700 Headphones
Figure 4. JBL LIVE300TWS
Figure 5. JBL LIVE PRO+ TWS
Figure 6. JBL Flip 6

Based on the source code, these notifications are sent randomly, so you can't use only one type. If you would like to use only one, I will show how in the Trigger Android and Windows BLE spam from Android section below.

On Windows, these notifications are displayed if Show notifications to connect using Swift Pair is enabled, which it is by default on Windows 10. From the BLE Spam menu select Windows Device Found, and one of the hard-coded messages will be displayed in the bottom right of the Windows machine, see Figure 7.

Figure 7. Predefined message displayed to Windows 10 user

Flipper randomly selects one of the six messages and displays it to the user. The text of the messages, found in the source code, is below:

  • Assquach💦
  • Flipper 🐬
  • iOS 17 🍎
  • Kink💦
  • 👉👌
  • 🔵🦷

One of the new options in the BLE Spam app is Kitchen Sink. This attack randomly triggers pop-up notifications on iOS, Android and Windows at the same time, as you can see in the video below.

Custom spam messages

Thanks to Willy-JL and Spooks4576, it is even possible to send custom BLE notification messages to Android and Windows. Sending these messages to a Windows machine doesn't require any special settings to be enabled on the computer, since the Swift Pair notifications they rely on are enabled by default. However, there is a one-time notification to enable or disable showing these notifications, see Figure 8.

Figure 8. One time notification to enable or disable Swift Pair

This popup is displayed only the first time a user pairs a new BLE device.

If displaying notifications is enabled, we can make and push our own messages. The user defines a text and advertises it. I will explain how in the section below.

Figure 9. Custom advertisement “Hack the planet” packets

To send custom notifications to an Android device, it is necessary to first enable Include debug results from Settings -> Google -> Devices & sharing -> Devices. This is disabled by default.

If you enable it, Flipper Zero, using the same option as before (Android Devices Pair), will randomly roll through five more notifications besides the five already mentioned. You can see them below.

Trigger Android and Windows BLE spam from Android

To push these notifications, you don't need to have a Flipper Zero. An Android smartphone is enough.

Just as we were able to port and trigger the iOS BLE spam messages from any Android running the nRF Connect app in the previous blog, we will now do the same for the Android and Windows spam pop-ups.

Let's start with Windows. In the ADVERTISER tab of nRF Connect, create a New advertising packet by tapping the plus symbol in the bottom right corner. Tap ADD RECORD and select Manufacturer Data. In the first row enter 0006 and in the second the prefix 030008. After the prefix, enter your notification message in HEX format, see Figure 10. For example, to display Hack the planet, enter the value 030008224861636B2074686520706C616E657422. To display a custom message, you can use an ASCII to HEX converter.

Figure 10. Advertisement packets for custom Windows message

To impersonate one of the five defined devices that would pair with Android, you need to create a new advertising packet and add three records. Start with Service Data. In the first row, define FE2C as the UUID, which represents the Fast Pair service. In the second row, enter the HEX value that represents the device to impersonate. The list of five devices is available on the Flipper Xtreme Firmware GitHub, and for convenience I copied it below:

  • 0xCD8256, // Bose NC 700
  • 0xF52494, // JBL Buds Pro
  • 0x718FA4, // JBL Live 300TWS
  • 0x821F66, // JBL Flip 6
  • 0x92BBBD, // Pixel Buds
  • 0xAA1FE1, // ClownMaster
  • 0xAA187F, // VBucks
  • 0xF38C02, // Boykisser
  • 0x1448C9, // BLM
  • 0xD5AB33, // Xtreme
  • 0x13B39D, // Talking Sasquach
  • 0x3D45DC, // Mobile Hacker

For the second record, add Tx Power. For the third one, select Service UUID and input the value FE2C in the edit box. You can see all values in Figure 11.

Figure 11. Pixel Buds data

In Figure 12 you can see a successful demonstration of popping Pixel Buds on a smartphone.

Figure 12. Pixel Buds BLE spam using Android

It is also possible to create custom messages, as visible in Figure 13. However, I decided not to publish a full tutorial since it might be easily misused.

Figure 13. Pushing custom notification to Android devices

Prevention

To prevent these spam messages on iOS, you can only disable Bluetooth when you don't need it. On Windows it is easier: in Bluetooth & other devices, disable Show notifications to connect using Swift Pair, as visible in Figure 14.

Figure 14. Disable Swift Pair notifications

Android uses a model where the same device can send only a few pairing notifications (around five) in a row, after which it is ignored by the system. If Android users would like to prevent even these notifications, they can disable them in Settings -> Google -> Devices & sharing -> Devices -> Scan for nearby devices, as you can see in Figure 15, or by disabling Bluetooth.

Figure 15. Disable notifications from nearby BLE devices
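
For defenders who watch the air with a BLE sniffer, the advertisement layouts described above are enough to recognize this traffic. The following is an added example, not code from this article or from the Xtreme firmware: it parses captured advertising payloads, labels Swift Pair and Fast Pair beacons, and flags a burst of different pairing identities. The sample payloads are constructed from the values quoted above, and the function names and thresholds are assumptions.

```python
# Added example: passive classification of captured BLE advertising payloads.
MS_COMPANY_ID = 0x0006    # Manufacturer Data company ID given in the article
FAST_PAIR_UUID = 0xFE2C   # Fast Pair service UUID given in the article

def parse_ad(payload: bytes):
    """Split a raw advertising payload into (ad_type, data) records."""
    records, i = [], 0
    while i < len(payload):
        length = payload[i]
        # A zero length is padding; a length past the end is a truncated record.
        if length == 0 or i + 1 + length > len(payload):
            break
        records.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return records

def classify(payload: bytes):
    """Return ('swift_pair', text), ('fast_pair', model_id) or None."""
    for ad_type, data in parse_ad(payload):
        if len(data) < 5:
            continue
        ident = int.from_bytes(data[:2], "little")  # IDs are little-endian on air
        # 0xFF = Manufacturer Specific Data; 0x03 starts the article's prefix.
        if ad_type == 0xFF and ident == MS_COMPANY_ID and data[2] == 0x03:
            return ("swift_pair", data[5:].decode("utf-8", "replace"))
        # 0x16 = Service Data (16-bit UUID), followed by a 3-byte model ID.
        if ad_type == 0x16 and ident == FAST_PAIR_UUID:
            return ("fast_pair", data[2:5].hex().upper())
    return None

def looks_like_spam(observations, window=10.0, max_distinct=3):
    """Flag > max_distinct different pairing identities within `window` seconds.
    Both thresholds are assumptions to tune for the monitored environment."""
    hits = [(t, classify(p)) for t, p in sorted(observations, key=lambda o: o[0])]
    hits = [(t, c) for t, c in hits if c is not None]
    for i, (start, _) in enumerate(hits):
        if len({c for t, c in hits[i:] if t - start <= window}) > max_distinct:
            return True
    return False

def ad(ad_type: int, data: bytes) -> bytes:
    """Build one AD record for the constructed samples below."""
    return bytes([len(data) + 1, ad_type]) + data

# Constructed samples using the values quoted in the article.
SWIFT = ad(0xFF, bytes.fromhex("0600" "030008224861636B2074686520706C616E657422"))
def fast_pair(model_hex: str) -> bytes:
    return (ad(0x16, bytes.fromhex("2CFE" + model_hex)) + ad(0x0A, b"\x00")
            + ad(0x03, bytes.fromhex("2CFE")))
BURST = [(0.4 * n, fast_pair(m)) for n, m in
         enumerate(["CD8256", "F52494", "718FA4", "821F66", "92BBBD"])]

if __name__ == "__main__":
    print(classify(SWIFT), looks_like_spam(BURST))
```

A single real headset advertising the same model ID repeatedly does not trip the check; only a rotation through several identities inside the window does.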


