Spoof iOS devices with Bluetooth pairing messages using Android

by Prapattimynk, Thursday, 7 September 2023

Maybe you have heard about the persistent, unwanted pop-up pairing messages that many attendees received at this year's Defcon, asking them to pair their iPhone with a nearby Apple TV or other gadget over Bluetooth. In this blog we will demonstrate how to send these pop-ups to nearby iPhones from an Android smartphone. This is possible thanks to the AppleJuice tool, which is intended for Linux devices and was successfully tested on a laptop and a Raspberry Pi 3B+; because of that, we can install and use it on Android as well. The spoofing can be performed even with the built-in Bluetooth chip. If you are interested in how to use Bluetooth tools on Android running NetHunter, stay tuned for an upcoming blog post that will focus on Bluetooth Arsenal.

Disclaimer: The information provided in this blog post is intended for educational and informational purposes only. It is not intended to encourage or promote any illegal or unethical activities, including hacking, cyberattacks, or any form of unauthorized access to computer systems, networks, or data.

Requirements

We need a rooted Android device with NetHunter's custom kernel installed, or any other kernel that supports either the internal Bluetooth chip or an external Bluetooth adapter. For an external Bluetooth dongle, you need an OTG adapter to connect it to your smartphone. And don't forget the target iPhone.

In my case I will use a OnePlus 7T Pro with the internal chipset and an external Bluetooth adapter.

How it works

Bluetooth Low Energy (BLE) pairing on an Apple device uses Advertisement (ADV) packets and follows a specific process to establish a secure connection between two devices. Here is an overview of how this process works:

• Advertising: A gadget such as an AirTag, AirPods or an Apple TV advertises itself by broadcasting ADV packets. These packets contain essential information about the gadget, such as its name, services, and an ID.
• Scanning: The iPhone scans for nearby BLE devices by listening for ADV packets. When it detects an ADV packet from such a device, it collects the information and displays a notification.
• Establishing a Connection: Once the iPhone decides to connect to the gadget (e.g., the user selects a device to pair with), it sends a connection request. This establishes a secure, encrypted connection between the two devices.

That is the standard pairing process. The problem, however, is that any Apple device in the surrounding area receives such a pairing notification. Because of that, we can make our Android device send these pairing messages and make iOS devices in the vicinity believe we are, for example, AirPods. As a result, this can be considered a local Denial of Service (DoS) attack.
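As an added example (not the blog's or AppleJuice's own code), here is a defender-side sketch of how such advertisements look on the wire and one heuristic for spotting a single radio that impersonates several gadgets in turn. The AD-structure layout and Apple's company identifier are public Bluetooth SIG values; the addresses and payload bodies are constructed for the demo.

```python
"""Added example, not code from the blog or the AppleJuice project: parse BLE advertising
payloads into AD structures, pick out Apple manufacturer-specific adverts and flag a source
address whose Apple payload keeps changing (one radio cycling through gadget types)."""
from collections import defaultdict

AD_MANUFACTURER_SPECIFIC = 0xFF   # AD type: manufacturer-specific data
APPLE_COMPANY_ID = 0x004C         # Bluetooth SIG company identifier assigned to Apple

def parse_ad_structures(payload: bytes) -> dict:
    """{ad_type: data}; each structure is a length byte, an AD-type byte, length-1 data bytes."""
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                       # zero-length structure: padding / end of data
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        out[payload[i + 1]] = payload[i + 2 : i + 1 + length]
        i += 1 + length
    return out

def apple_payload(payload: bytes):
    """Return the Apple manufacturer data (bytes after the company ID), or None."""
    mfr = parse_ad_structures(payload).get(AD_MANUFACTURER_SPECIFIC)
    if mfr is None or len(mfr) < 2 or int.from_bytes(mfr[:2], "little") != APPLE_COMPANY_ID:
        return None
    return mfr[2:]

def find_cycling_sources(events, min_variants=3):
    """events: iterable of (source_addr, payload). Return addresses that sent at least
    min_variants distinct Apple payloads; a heuristic, tune the threshold per environment."""
    variants = defaultdict(set)
    for addr, payload in events:
        data = apple_payload(payload)
        if data is not None:
            variants[addr].add(data)
    return sorted(a for a, v in variants.items() if len(v) >= min_variants)

def make_apple_adv(body: bytes) -> bytes:
    """Constructed sample advert: flags structure + Apple manufacturer data with a dummy body."""
    mfr = APPLE_COMPANY_ID.to_bytes(2, "little") + body
    return bytes([2, 0x01, 0x1A, len(mfr) + 1, AD_MANUFACTURER_SPECIFIC]) + mfr

SAMPLE_EVENTS = [  # constructed addresses and bodies, not captured traffic
    ("aa:bb:cc:dd:ee:01", make_apple_adv(b"\xaa\x01")),  # benign: a single, stable payload
    ("aa:bb:cc:dd:ee:02", make_apple_adv(b"\x01")),      # one source, three different bodies
    ("aa:bb:cc:dd:ee:02", make_apple_adv(b"\x02")),
    ("aa:bb:cc:dd:ee:02", make_apple_adv(b"\x03")),
    ("aa:bb:cc:dd:ee:03", bytes([2, 0x01, 0x06, 5, 0x09]) + b"lamp"),  # no Apple data
]
```

Running `find_cycling_sources(SAMPLE_EVENTS)` returns only the second address; feed it (addr, payload) tuples from a BLE scanner such as the one behind `hcitool lescan` to try it on live traffic.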

Installation

We will start with the installation of AppleJuice, then enable our Bluetooth device and test the tool.

Let's follow the installation process described on GitHub.

Open NetHunter Terminal app and clone the project:

git clone https://github.com/ECTO-1A/AppleJuice.git && cd ./AppleJuice

Install necessary dependencies:

sudo apt update && sudo apt install -y bluez libpcap-dev libev-dev libnl-3-dev libnl-genl-3-dev libnl-route-3-dev cmake libbluetooth-dev

Install pybluez and pycrypto:

pip3 install git+https://github.com/pybluez/pybluez.git#egg=pybluez

pip3 install pycryptodome

Install AppleJuice requirements:

pip3 install -r requirements.txt

Installation should now be complete. Next we need to enable our Bluetooth device. Open the NetHunter app, go to Bluetooth Arsenal and START Bluebinder, Dbus Services, Bluetooth Service and Interface. If the interface was not initialized correctly, tap the three-dot menu in the top right corner and run Update and then Setup.

Figure 1. Enable Bluetooth interface via Bluetooth Arsenal

To make sure your adapter is detected, list the available adapters with hcitool from the NetHunter Terminal app:

hcitool dev

As a result, two devices were detected, the internal (hci0) and the external (hci1) adapter, see Figure 2.

Figure 2. List of connected Bluetooth adapters

If you are using the internal adapter, work with the hci0 interface; with an external adapter, hci1 is the one you need. AppleJuice uses hci0 by default. To change it, edit the app.py script and assign the correct interface number (1) to the dev_id variable, as shown in Figure 3.

Figure 3. Changing default number for hci device

Go back to the AppleJuice directory and make the app.py script executable:

chmod +x app.py

Usage

Run the script without arguments to list the devices you can spoof:

python3 app.py

Figure 4. List of devices to spoof

To select one of the options, use the -d argument with the number assigned to the gadget. In the command below I will spoof AirPods using value 1.

python3 app.py -d 1

As a result, any iPhone or iPad with Bluetooth enabled in your vicinity receives a pairing request, as you can see in Figure 5. When you tap Connect, nothing further happens, which means there is no harm to the iOS devices.

Figure 5. Spoofing AirPods on an iPhone

On top of that, I have created a quick Python script that cycles through all available devices every 5 seconds to confuse nearby iOS devices. You can see the demonstration video at the beginning of the blog. The script is available on GitHub.

Prevention

There isn't much you can do about the advertisement protocol, which is enabled by default, so the only thing you can do is disable Bluetooth when you don't need it.

Conclusion

During my tests, I couldn't spoof all devices from the list, or maybe there were some bugs. When I decided to send a pairing message for another device, the targeted iPhone still received the request from the previously selected device. However, this is not a big issue. These notifications are displayed even on the lock screen.

Internal Bluetooth chips have some range limits, so using an external adapter, especially one with an external, removable antenna, might achieve even better pop-up area coverage.

As a result, sending these requests does no harm to iOS devices, but their users might easily get annoyed, which is why we can consider it a local Denial of Service (DoS) attack.

If you are a Flipper Zero fan, you can also test this prank by following the Annoying Apple Fans: The Flipper Zero Bluetooth Prank Revealed tutorial.
