So far, it was possible to spam only iOS devices through proximity pairing messages, using a Flipper Zero, an Arduino board or any Android device, as explained in my previous blog here. However, the developers of the Xtreme firmware for Flipper Zero recently pushed an update of the BLE Spam application that, besides spamming iPhones, can also spam Android and Windows devices. This update is not available in the officially released version of the Xtreme firmware; however, you can download it as a dev release. These dev updates are available on the XFW Discord, or you can download it easily from here.
In this blog I will test it using Flipper Zero against iOS, Android and Windows at once and show you how to send these Bluetooth Low Energy (BLE) spam messages from any Android smartphone and even customize them.
How does it work?
Windows and Android use technology similar to what Apple uses to pair BLE devices with an iPhone or iPad. Apple calls it proximity pairing, Windows calls it Swift Pair, and Google calls its service Fast Pair. All of them work the same way. If a BLE gadget such as headphones is in the vicinity of one of these devices and is ready to pair, it starts to broadcast advertising beacons to notify them.
If these beacons are intercepted, they can be replayed by another BLE device to spoof the gadget or even advertise custom messages.
Spam iOS, Android, and Windows at once
This is another level: you can locally spam three major operating systems at once using Flipper Zero. It is a local attack; however, based on my tests, the range of long-distance BLE messages is around 50 meters when targeting iOS and Android. For Windows, the range is less than a meter.
If you want to spam each system separately, you can do so as well. Since iOS is already covered in my previous blog, I will continue with Android and Windows.
Starting with Android, in Flipper go to BLE Spam and search for Android Device Pair, see Figure 1.
Once the user taps Start, Flipper starts to send advertisement beacons simulating connection requests from five defined devices such as Bose NC 700, JBL Buds Pro, JBL Live 300TWS, JBL Flip 6, and Pixel Buds. You can see the notifications below. These notifications are displayed only if the user has enabled the Scan for nearby devices option, which is enabled by default.
Based on the source code, these notifications are sent randomly, so you can’t use only one type. If you would like to use only one, I will show how in the Trigger Android and Windows BLE spam from Android section below.
On Windows, these notifications are displayed if Show notifications to connect using Swift Pair is enabled, which is the default on Windows 10. From the BLE Spam menu, select Windows Device Found, and one of the hard-coded messages will be displayed in the bottom right of the Windows machine, see Figure 7.
Flipper randomly selects one of the six messages and displays it to the user. The text of the messages is below and can be found in the source code:
- Flipper 🐬
- iOS 17 🍎
One of the new options in the BLE Spam app is Kitchen Sink. This attack randomly triggers pop-up notifications on iOS, Android and Windows at the same time, as you can see in the video below.
Custom spam messages
Thanks to Willy-JL and Spooks4576, it is even possible to send custom BLE notification messages to Android and Windows. Sending these messages to a Windows machine doesn’t require any special settings to be enabled on the computer, since they are enabled by default. In this case, these are Swift Pair notifications. However, there is a one-time notification to enable or disable showing these notifications, see Figure 8.
This popup is displayed only the first time a user pairs a new BLE device.
If displaying notifications is enabled, we can make and push our own messages: the user defines a text and advertises it. I will explain how in the section below.
To send custom notifications to an Android device, it is necessary to first enable Devices & sharing -> Devices. This is disabled by default.
If you enable it, Flipper Zero, using the same option as before (Android Devices Pair), will randomly roll through five more notifications besides the five already mentioned; you can see them below.
Can you recognize who is in the last notification? It is Talking Sasquach. This custom pop-up was built specifically for him, since he is cooperating with the developer Spooks4576 and consulting on new BLE Spam features. If you would like to know more, I advise you to check his recent YouTube video about Flipper Zero Custom BLE Spam for Android & Windows.
Trigger Android and Windows BLE spam from Android
To push these notifications, you don’t need to have a Flipper Zero. An Android smartphone is enough.
Let’s start with Windows. In nRF Connect, in the ADVERTISER tab, you need to create a New advertising packet by tapping on the plus symbol in the bottom right corner. Click on ADD RECORD and select Manufacturer Data. In the first row enter 0006 and in the second the 030008 prefix. After the prefix, enter your notification message in HEX format. See Figure 10. For example, to display Hack the planet, enter the value 030008224861636B2074686520706C616E657422. To display a custom message, you can use an ASCII to HEX converter.
To impersonate one of the five defined devices that would pair with Android, you need to create a new advertising packet and add three records, starting with Service Data. In the first row define FE2C as the UUID, which represents the Fast Pair service. In the second row, enter the HEX value that represents the device to impersonate. The list of five devices is available on the Flipper Xtreme Firmware GitHub, and for convenience I copied it below:
- 0xCD8256, // Bose NC 700
- 0xF52494, // JBL Buds Pro
- 0x718FA4, // JBL Live 300TWS
- 0x821F66, // JBL Flip 6
- 0x92BBBD, // Pixel Buds
- 0xAA1FE1, // ClownMaster
- 0xAA187F, // VBucks
- 0xF38C02, // Boykisser
- 0x1448C9, // BLM
- 0xD5AB33, // Xtreme
- 0x13B39D, // Talking Sasquach
- 0x3D45DC, // Mobile Hacker
For the second record, add Tx Power. For the third one, select Service UUID. In the edit box, input the value FE2C. You can see all values in Figure 11.
In Figure 12 you can see a successful demonstration of popping Pixel Buds on a smartphone.
It is also possible to create custom messages, as visible in Figure 13. However, I decided not to publish a full tutorial, since it might be easily misused.
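For defenders, the two advertising layouts described above can be recognised in captured BLE traffic. The following is an added example, not code from the original post or from the Xtreme firmware: it parses raw advertising payloads, labels Fast Pair and Swift Pair beacons, and flags a burst of rotating identities. The function names, the window and the threshold are assumptions, and the sample payloads are constructed from the values on this page.

```python
from collections import defaultdict

FAST_PAIR_UUID = 0xFE2C  # Fast Pair service UUID, as given on the page
MICROSOFT_ID = 0x0006    # company ID entered for Swift Pair on the page

def parse_ad(payload: bytes):
    """Split a raw advertising payload into (ad_type, data) records."""
    i, records = 0, []
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # zero padding or truncated record: stop parsing
        records.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return records

def classify(payload: bytes):
    """Return ('fast_pair', model_id), ('swift_pair', text) or None."""
    for ad_type, data in parse_ad(payload):
        ident16 = int.from_bytes(data[:2], "little")  # UUID or company ID
        # 0x16 = Service Data: 16-bit UUID followed by a 3-byte model ID
        if ad_type == 0x16 and len(data) == 5 and ident16 == FAST_PAIR_UUID:
            return ("fast_pair", data[2:].hex().upper())
        # 0xFF = Manufacturer Data: company ID, 03 00, one unchecked byte, text
        if ad_type == 0xFF and ident16 == MICROSOFT_ID and data[2:4] == b"\x03\x00":
            return ("swift_pair", data[5:].decode("utf-8", "replace"))
    return None

def flag_spam(observations, window=10.0, max_distinct=3):
    """Flag a beacon kind when more than max_distinct identities appear
    within `window` seconds (both thresholds are assumptions)."""
    recent, flagged = defaultdict(list), set()
    for ts, payload in sorted(observations):
        hit = classify(payload)
        if hit is None:
            continue
        kind, ident = hit
        recent[kind] = [(t, i) for t, i in recent[kind] if ts - t <= window]
        recent[kind].append((ts, ident))
        if len({i for _, i in recent[kind]}) > max_distinct:
            flagged.add(kind)
    return flagged

# Constructed captures: Fast Pair records (Service Data, Tx Power, Service
# UUID) with model IDs from the list above, plus the page's Swift Pair value.
FAST = [bytes.fromhex("06162CFE" + m + "020A0003032CFE")
        for m in ("CD8256", "F52494", "718FA4", "821F66")]
SWIFT = bytes.fromhex("17FF0600030008224861636B2074686520706C616E657422")
SAMPLES = [(0.5 * n, p) for n, p in enumerate(FAST)] + [(2.0, SWIFT)]
```

A single headset that keeps advertising one model ID is not flagged; only a run of different identities in a short window is.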
To prevent these spam messages on iOS, you can only disable Bluetooth when you don’t need it. On Windows it is easier: you can disable Swift Pair notifications in Bluetooth & other devices by turning off Show notifications to connect using Swift Pair, as visible in Figure 14.
Android uses a model where the same device can send only a few pairing notifications (around five) in a row, and then it will be ignored by the system. If Android users would like to prevent even these notifications, they can disable them in Devices & sharing -> Scan for nearby devices, as you can see in Figure 15, or by disabling Bluetooth.