Spam iOS, Android and Windows with Bluetooth pairing messages using Flipper Zero or Android smartphone

Spam iOS, Android and Windows with Bluetooth pairing messages using Flipper Zero or Android smartphone

Loading

So far, it was possible to spam through proximity paring messages only iOS devices, either using Flipper Zero, Arduino board or any Android as explained in my previous blog here. However, recently developers of Xtreme firmware for Flipper Zero pushed and update of BLE Spam application that besides spamming iPhones can also spam Android and Windows devices. This update is not available in officially released version of Xtreme firmware, however you can download it as dev release. This dev updates are available on XFW Discord or you can download it easily from here.

In this blog I will test it using Flipper Zero against iOS, Android and Windows at once and show you how to send these Bluetooth Low Energy (BLE) spam messages from any Android smartphone and even customize them.

How it works?

Similar technology as uses Apple to pair BLE devices with iPhone or iPad is used by Windows and Android systems. Apple calls it proximity pairing. Windows Swift Pair and Google’s Fast Pair service. All of them works the same. If in the vicinity of a devices is a BLE gadget such as headphones that are ready to pair, they start to broadcast advertising beacons to notify these devices.

If these beacons are intercepted, they could be replayed by other BLE device to spoof the gadget or even advertise custom messages.

Spam iOS, Android, and Windows at once

This is another level; you can locally spam three major operating systems at once using Flipper Zero. It is a local attack, however, based on my tests, for long distance BLE messages it is around 50 meters when targeting iOS and Android. For Windows, the range is less than a meter.

If you want to spam each system separately, you can do so as well. Since iOS is already covered in my previous blog, I will continue with Android a Windows.

Starting with Android, in Flipper go to Apps -> Bluetooth -> BLE Spam and search for Android Device Pair, see Figure 1.

Figure 1. Android Device Pair BLE Spam messages

Once user taps on Start, Flipper starts to send advertisement beacons simulating connection requests from five defined devices such as Bose NC 700, JBL Buds Pro, JBL Live 300TWS, JBL Flip 6, and Pixel Buds. You can see the notifications below. These notifications are displayed only if user has enabled Scan for nearby devices option, which is enabled by default.

Figure 2. Pixel Buds
Figure 3. Bose NC 700 Headphones
Figure 4. JBL LIVE300TWS
Figure 5. JBL LIVE PRO+ TWS
Figure 6. JBL Flip 6

Based on the source code, these notifications are send randomly, so you can’t use only one type. If you would like to use only one, I will show how in Trigger Android and Windows BLE spam from Android section below.

To target Windows, these notifications are displayed if Windows has enabled Show notifications to connect using Swift Pair, which is enabled by default on Windows 10. From BLE Spam menu select Windows Device Found and one of the hard-coded messages will be displayed on the right bottom of Windows machine, see Figure 7.

Figure 7. Predefined message displayed to Windows 10 user

Flipper randomly selects one of the six messages and displayed them to user. Text of messages is below and found in the source code:

  • Assquach💦
  • Flipper 🐬
  • iOS 17 🍎
  • Kink💦
  • 👉👌
  • 🔵🦷

On of the new option in BLE Spam app is Kitchen Sink. This attack randomly triggers popping notifications on iOS, Android and Windows at the same time as you can see in the video below.

Custom spam messages

Thanks to Willy-JL and Spooks4576, it is possible to even send custom notification BLE messages to Android and Windows. To send these messages to Windows machine doesn’t requires any special settings being enabled on the computer, since they are enabled by default. In this case it is notifications using Swift Pairing. However, there is a one time notification to enable or disable showing these notifications, see Figure 8.

Figure 8. One time notification to enable or disable Swift Pair

This popup is displayed only the first when user pairs new BLE device.

If displaying notifications are enabled, we can make and push our own messages. User will define a text, and advertises it. I will explain how, in the section below.

Figure 9. Custom advertisement “Hack the planet” packets

To send custom notifications to Android device, it is necessary to first enable Include debug results from Settings -> Google -> Devices & sharing -> Devices. This is disabled by default.

If you enable it, Flipper Zero using the same option as before – Android Devices Pair – will besides already mentioned five notifications randomly roll through five more, you can see them below.

Can you recognize who is in the last notification? It is Talking Sasquach. This custom pop-up was built specifically for him, since he is cooperating and consulting new BLE Spam features with Spooks4576 developer. If you would like to know more, I advise you to check his recent YouTube video about Flipper Zero Custom BLE Spam for Android & Windows.

Trigger Android and Windows BLE spam from Android

To push these notifications, you don’t need to have Flipper Zero. Android smartphone is enough.

As we were able to port and trigger BLE spam messages from any Android running nRF Connect app for iOS in previous blog, now we will do the same for Android and Windows spam pop-ups.

Let’s start with Windows. In nRF Connect and ADVERTISER tab, you need to create a New advertising packet by tapping on plus symbol in right bottom corner. Click on ADD RECORD, select Manufacturer Data. In the first row enter 0006 and in the second 030008 prefix. After the prefix, enter your notification message in HEX format. See Figure 10. For example, to display Hack the planet, enter value 030008224861636B2074686520706C616E657422. To display custom message, you can use ASCII to HEX convertor.

Figure 10. Advertisement packets for custom Windows message

To impersonate one of five defined devices that would pair with Android, you need to create a new advertising packet and add three records. Starting with Service Data. In the first row define FE2C as UUID which represents Fast Pair service. In the second row, enter HEX value that represents a device to impersonate. The list of five devices is available on Flipper Xtreme Firmware Github and for convenience I copied it below:

  • 0xCD8256, // Bose NC 700
  • 0xF52494, // JBL Buds Pro
  • 0x718FA4, // JBL Live 300TWS
  • 0x821F66, // JBL Flip 6
  • 0x92BBBD, // Pixel Buds
  • 0xAA1FE1, // ClownMaster
  • 0xAA187F, // VBucks
  • 0xF38C02, // Boykisser
  • 0x1448C9, // BLM
  • 0xD5AB33, // Xtreme
  • 0x13B39D, // Talking Sasquach
  • 0x3D45DC, // Mobile Hacker

For the second record, add Tx Power. For the third one select Service UUID. In the edit box input value FE2C. You can see all values in the Figure 11.

Figure 11. Pixel Buds data

In Figure 12. you can see successful demonstration of popping Pixel Buds on a smartphone.

Figure 12. Pixel Buds BLE spam using Android

It is also possible to create custom messages, as visible in the Figure 13. However, I decided not to publish full tutorial since it might be easily missed.

Figure 13. Pushing custom notification to Android devices

Prevention

To prevent these spam messages on iOS, you can only disable Bluetooth when you don’t need it. On Windows it is easier, since you have to disable Swift Pairing notifications in Bluetooth & other devices and disable Show notifications to connect using Swift Pair, as visible in Figure 14.

Figure 14. Disable Swift Pair notifications

Android uses a model where the same device can send only few paring (around five) notifications in a row, and then it will be ignored by the system. If Android users would like to prevent even these notifications, they can disable them in Settings -> Google -> Devices & sharing -> Devices -> Scan for nearby devices as you can see in Figure 15. or by disabling Bluetooth.

Figure 15. Disable notifications from nearby BLE devices

24 thoughts on “Spam iOS, Android and Windows with Bluetooth pairing messages using Flipper Zero or Android smartphone

  1. anon

    how to do with kali linux it

    1. Hello Talking Sasquach! Thanks for letting me know, I updated the blog with this information and included a link to your video. Best!

  2. stocka

    Hello, is it possible to spam multiple times for windows on the same attack ? I need to disable/enable the “packet” on NRFConnect for each “attack”

    1. If you mean to send them in the loop, then I dont think nRF app allows that

  3. Findirfin

    I’d really like to see the kitchen sink attack come to nethunter

    1. I can ping one of NH developers to ask, but it would be necessary to implement the whole BLE advertisement beacons functionality which might take a lot of time.

  4. Anon

    Avoid Rough Master! Skid just ripping code!

  5. MrVoyager

    Like it

  6. Bob Bob

    I’m trying to follow on my Pixel 8 Pro, however in your screenshots it shows the Tx Power as 1dBm, but when I set the packets up they only show as -7 dBm for me – any ideas?

  7. Dominik

    Can i spam iPhone from iphone

    1. Yes, I believe it could be possible.

  8. Pipo

    Why doesn’t it work for me like you, I have installed the nrf application on android but it doesn’t show me the application like you, in the options part it shows me only Connectable and Scannable while when I click the button to release it (Advertisement duration) it does not show me like you do. Do I need to arrange something in advance?

    1. You don’t need to arrange anything in advance. Make sure to download “nRF Connect for Mobile” from Google Play store, since there are more apps with nRF in their app name.

  9. Kristijan

    Guys does anyone know how to set up a custom Android popup? I’m curious on how it’s supposed to work. I have a private account on Google with all my data, I won’t do shit.

  10. raju

    how to send custom messages i tried to convert a image to hex but not possible

  11. Simon

    Hi first of all, thanks for this article ! Inspired by your Guide i created an Android App to play around with that stuff. Currently it supports the Google Fast Pairing (Android Nearby) Popups by just clicking one Button in the App. I plan to take a look at iOs and Windows Spoofing next. Maybe some people are interested in it:

    https://github.com/simondankelmann/Bluetooth-LE-Spam

    1. Thanks for sharing and creating the app! I already tested it and it works really well. Great job. I guess the next thing is to update it with the Kitchen Sink 🙂

      1. Simon

        Yes Kitchen Sink is one thing on my mind. also the iOS spam

        Thanks for your tweet 🙂

  12. ROCH

    Hey can you teach how to do Custom Messages Via Nrf Connect App?

    1. Hi! Great project, I haven’t seen anyone porting Fast Pairing into esp32 yet. By any chance, do you also have a .ino sketch since it is more convenient? Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *