It is possible to spoof pairing notifications even from any non-rooted Android device. Thanks to a tweet by @jiyilide, who shared a way to trigger advertisement beacons using the nRF Connect for Mobile app for Android, which is available on Google Play and lets you scan and explore Bluetooth Low Energy devices and communicate with them. This means that any Android user running this app can send notification pop-up messages to iOS devices in the vicinity. The only thing missing is the actual data that needs to be entered into the advertisement packet to represent the device being impersonated. The data to enter is available in the AppleJuice project in the app.py file, see the Figure below.
For a full setup guide feel free to check the video below.
This local Denial of Service (DoS) attack can now be triggered even from a Flipper Zero device running the custom Unleashed dev build firmware (flipper-z-f7-update-811), which you can download from their Telegram group. The app can be found under Apple BLE Spam. For some reason, these pairing messages could be received even in Airplane mode, where wireless features should be disabled. The reason is probably to allow listening to locally stored music via paired Bluetooth headphones during a flight. This wouldn't be possible without the research by @tech. You can see a video demonstration below:
Maybe you have heard about the unwanted, persistent pop-up pairing messages that many attendees received at this year's DEF CON, asking them to pair their iPhone with a nearby Apple TV or other gadget via Bluetooth. In this blog we will demonstrate how to send these pop-ups to nearby iPhone devices from an Android smartphone. This is possible thanks to the AppleJuice tool, which is intended for Linux devices and was successfully tested on a laptop and a Raspberry Pi 3B+. Since it runs on Linux, we can install and use it on Android as well. The spoofing can be performed even using the built-in Bluetooth chip. If you are interested in how to use Bluetooth tools on Android running NetHunter, stay tuned for an upcoming blog post that will focus on Bluetooth Arsenal.
Disclaimer: The information provided in this blog post is intended for educational and informational purposes only. It is not intended to encourage or promote any illegal or unethical activities, including hacking, cyberattacks, or any form of unauthorized access to computer systems, networks, or data.
We need a rooted Android device with NetHunter's custom kernel installed, or any other kernel that supports either the internal Bluetooth chip or an external Bluetooth adapter. For an external Bluetooth dongle, an OTG adapter is necessary to connect it to your smartphone. And don't forget the targeted iPhone.
In my case I will use OnePlus 7T Pro with internal chipset and external Bluetooth adapter.
How it works
Bluetooth Low Energy (BLE) pairing on an Apple device uses Advertisement (ADV) packets and follows a specific process to establish a secure connection between two devices. Here's an overview of how this process works:
- Advertising: A gadget such as AirTags, AirPods or an Apple TV advertises itself by broadcasting ADV packets. These packets contain essential information about the device, like its name, services and an ID.
- Scanning: The iPhone scans for nearby BLE devices by listening for ADV packets. When it detects an ADV packet from such a device, it collects the information and displays a notification.
- Establishing a Connection: Once the iPhone decides to connect to the gadget (e.g., the user selects a device to pair with), it sends a connection request. This establishes a secure and encrypted connection between the two devices.
That is the standard pairing process. The problem, however, is that any Apple device in the surrounding area receives such a pairing notification. Because of that, we can make our Android device send these pairing messages and make iOS devices in the vicinity believe we are, for example, AirPods. As a result, this can be considered a local Denial of Service (DoS) attack.
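As an added example that is not part of the original post or the AppleJuice project, here is a defender-side Python snippet that parses raw BLE advertising payloads, recognises the Apple proximity-pairing message behind the pop-up, and flags a source address that cycles through many device models within a short window, which is what a scanner sees when such a script runs every few seconds. The Continuity layout offsets, the constructed payloads and the model ids are assumptions of this example, not values taken from the project.

```python
from collections import defaultdict
APPLE_COMPANY_ID = 0x004C    # Bluetooth SIG company identifier for Apple
AD_TYPE_MANUFACTURER = 0xFF  # AD type: Manufacturer Specific Data
PROXIMITY_PAIRING = 0x07     # Apple Continuity message type: proximity pairing

def parse_ad_structures(adv: bytes):
    """(ad_type, data) pairs; stops at a zero length or a truncated structure."""
    out, i = [], 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            break
        out.append((adv[i + 1], adv[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def apple_pairing_model(adv: bytes):
    """Model id from an Apple proximity-pairing message, else None. Assumed
    layout: company id LE, 0x07, length, 0x01, 16-bit model id big-endian."""
    for ad_type, data in parse_ad_structures(adv):
        if (ad_type == AD_TYPE_MANUFACTURER and len(data) >= 7
                and int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID
                and data[2] == PROXIMITY_PAIRING):
            return int.from_bytes(data[5:7], "big")
    return None

def find_spam_sources(observations, window_s=60.0, min_models=3):
    """observations: (ts_s, addr, adv). A real gadget keeps one model id; flag an
    address showing >= min_models distinct ids within window_s -> {addr: count}."""
    seen = defaultdict(list)
    for ts, addr, adv in observations:
        if (model := apple_pairing_model(adv)) is not None:
            seen[addr].append((ts, model))
    flagged = {}
    for addr, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            models = {m for t, m in events[i:] if t - start <= window_s}
            if len(models) >= min_models:
                flagged[addr] = len(models)
                break
    return flagged
# Constructed samples (not captures): 0x1e-byte manufacturer AD structure carrying
# a proximity-pairing message plus 22 padding bytes; model ids are placeholders.
_PFX, _PAD = "1eff4c00071901", "00" * 22
SAMPLES = [bytes.fromhex(_PFX + m + _PAD) for m in ("0220", "0e20", "1420")]
NON_APPLE = bytes.fromhex("020106" "0709424c45646576")  # flags + local name "BLEdev"
OBS = [(0.0, "aa:bb:cc:dd:ee:01", SAMPLES[0]), (5.0, "aa:bb:cc:dd:ee:01", SAMPLES[1]),
       (10.0, "aa:bb:cc:dd:ee:01", SAMPLES[2]),  # one address cycling models every 5 s
       (12.0, "aa:bb:cc:dd:ee:02", SAMPLES[0]), (13.0, "aa:bb:cc:dd:ee:03", NON_APPLE)]
```

The per-address rule assumes a stable source address; a scanner can additionally alert on the total number of distinct pairing model ids seen in a window regardless of address.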
We will start with the installation of AppleJuice, then enable our Bluetooth device and test the tool.
Let's follow the installation process available on GitHub.
Open the NetHunter Terminal app and clone the project:
git clone https://github.com/ECTO-1A/AppleJuice.git && cd ./AppleJuice
Install necessary dependencies:
sudo apt update && sudo apt install -y bluez libpcap-dev libev-dev libnl-3-dev libnl-genl-3-dev libnl-route-3-dev cmake libbluetooth-dev
Install pybluez and pycrypto:
pip3 install git+https://github.com/pybluez/pybluez.git#egg=pybluez
pip3 install pycryptodome
Install AppleJuice requirements:
pip3 install -r requirements.txt
The installation should now be complete. Next we need to enable our Bluetooth device. Open the NetHunter app, go to Bluetooth Arsenal and START Bluebinder, Dbus Services, Bluetooth Service and Interface. If the interface was not initialized correctly, tap the three-dot menu in the top right corner and make sure to run Update and then Setup.
To make sure your adapter is detected, use hcitool from the NetHunter Terminal app to list the available adapters. As a result, two devices have been detected, the internal (hci0) and the external (hci1) adapter, see Figure 2.
If you are using the internal adapter, you should work with the hci0 interface. If you have an external adapter, hci1 is the one you need to work with. AppleJuice uses the hci0 interface by default. If you want to change it, edit the app.py script and assign the correct interface number (1) to the dev_id variable, as shown in Figure 3.
Go back to the AppleJuice directory and give executable permission to app.py:
chmod +x app.py
Run the script to list the available devices that you can spoof.
To select one of the options, use the -d argument with the number assigned to the gadget. In the command below I will spoof AirPods using value 1:
python3 app.py -d 1
As a result, any iPhone or iPad with Bluetooth enabled in your vicinity receives a pairing request, as you can see in Figure 5. When you tap Connect, no further action follows, which means there is no harm to iOS devices.
On top of that, I have created a quick Python script that cycles through all available devices every 5 seconds to confuse nearby iOS devices. You can see the demonstration video at the beginning of the blog. The script is available on GitHub.
There isn't much you can do about the advertisement protocol, which is enabled by default, so the only thing you can do is disable Bluetooth when you don't need it.
During my tests, I couldn't spoof all devices from the list, or maybe there were some bugs. When I decided to send a pairing message for another device, the targeted iPhone still received the request from the previously selected device. However, this is not a big issue. These notifications are displayed even on the lock screen.
Internal Bluetooth chips have some range limits, so using an external adapter, especially one with an external, removable antenna, might achieve even better pop-up coverage.
As a result, sending these requests does no harm to iOS devices, but their users might easily get annoyed, since it can be considered a local Denial of Service (DoS) attack.
If you are a Flipper Zero fan, you can also try this prank by following the Annoying Apple Fans: The Flipper Zero Bluetooth Prank Revealed tutorial.