This tiny device is sending updated iPhones into a never-ending DoS loop

November 4, 2023

A fully updated iPhone (left) after being force crashed by a Flipper Zero (right). Photo: Jeroen van der Ham

One morning two weeks ago, security researcher Jeroen van der Ham was traveling by train in the Netherlands when his iPhone suddenly displayed a series of pop-up windows that made it nearly impossible to use his device.

“My phone was getting these popups every few minutes and then my phone would reboot,” he wrote to Ars in an online interview. “I tried putting it in lock down mode, but it didn’t help.”

To van der Ham’s surprise and chagrin, the same debilitating stream of pop-ups hit again on the afternoon commute home, not just against his iPhone but the iPhones of other passengers in the same train car. He then noticed that one of the same passengers nearby had also been present that morning. Van der Ham put two and two together and fingered the passenger as the culprit.

“He was blithely working on some kind of app on his MacBook, had his iPhone out himself, connected through USB so he could still work while all around him Apple devices were rebooting and he was not even paying attention to what was happening,” he said. “Your phone becomes almost unusable. You can still do stuff in between for a couple of minutes, so it’s really annoying to experience. Even as a security researcher who had heard about this attack, it’s really hard to realize that that is what’s going on.”

“The jig is up”

The culprit, it turned out, was using a Flipper Zero to broadcast Bluetooth pairing requests (spoofed Bluetooth Low Energy advertisements that look like an Apple accessory asking to pair) to every iPhone within radio range. This slim, lightweight device has been available since 2020, but in recent months it has become much more visible. It acts as a Swiss Army knife for wireless communications: it can send and receive RFID, NFC, Bluetooth, sub-1 GHz radio and infrared signals (Wi-Fi requires an add-on board). People use it to covertly change the channels of a TV in a bar, clone some hotel key cards, read the RFID chip implanted in pets, open and close some garage doors, and, as here, disrupt the normal use of iPhones.
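What the attack looks like on the air is a burst of Bluetooth Low Energy advertisements carrying Apple's manufacturer-specific data, usually from many rotating random addresses. The following is an added example, not code from the article, from the Flipper project or from Apple: a small parser for the advertising-data (AD) structures in a BLE advertisement, a filter for manufacturer-specific data tagged with Apple's Bluetooth SIG company ID (0x004C), and a rate-based detector that flags a window with an unusual number of such advertisements. The capture it runs on is constructed inline; the exact payload bytes a spammer sends are not taken from the article and are assumed for illustration.

```python
"""Flag a flood of Apple-style BLE advertisements.

Added example (not the article's, Flipper's or Apple's code). The packet list
is constructed below; in practice you would feed it from a sniffer such as a
BLE capture converted to (timestamp, source address, advertising payload).
"""
from collections import defaultdict

APPLE_COMPANY_ID = 0x004C        # Bluetooth SIG company identifier for Apple
AD_TYPE_FLAGS = 0x01
AD_TYPE_COMPLETE_LOCAL_NAME = 0x09
AD_TYPE_MANUFACTURER = 0xFF


def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) tuples.

    Each AD structure is: 1-byte length (type + data), 1-byte type, data.
    A zero length byte terminates the payload early (padding)."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def apple_manufacturer_data(payload: bytes):
    """Return the Apple manufacturer-specific payload (company ID stripped),
    or None if the advertisement carries no Apple manufacturer data."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            if int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID:
                return data[2:]
    return None


def detect_flood(packets, window_s=1.0, threshold=20):
    """packets: iterable of (timestamp, src_addr, payload).

    Returns [(window_start, count, distinct_addresses)] for every window in
    which Apple manufacturer-specific advertisements reach `threshold`.
    Address churn is reported because a spammer rotates random addresses,
    while a real AirPods case advertises from one address."""
    buckets = defaultdict(list)
    for ts, addr, payload in packets:
        if apple_manufacturer_data(payload) is not None:
            buckets[int(ts // window_s)].append(addr)
    return [(b * window_s, len(a), len(set(a)))
            for b, a in sorted(buckets.items()) if len(a) >= threshold]


def ad(ad_type: int, data: bytes) -> bytes:
    """Encode one AD structure."""
    return bytes([len(data) + 1, ad_type]) + data


def sample_capture():
    """Constructed packets, not a real capture: one benign advertisement from
    a fitness tracker, then 30 spoofed Apple-style advertisements inside one
    second, each from a different random address. The bytes after the company
    ID are an assumed placeholder, not a documented Apple payload."""
    benign = ad(AD_TYPE_FLAGS, b"\x06") + ad(AD_TYPE_COMPLETE_LOCAL_NAME, b"Tracker")
    spoofed = ad(AD_TYPE_FLAGS, b"\x1a") + ad(
        AD_TYPE_MANUFACTURER,
        APPLE_COMPANY_ID.to_bytes(2, "little") + b"\x07\x19\x01" + bytes(9))
    pkts = [(0.10, "aa:bb:cc:dd:ee:01", benign)]
    for n in range(30):
        pkts.append((0.5 + n * 0.01, f"de:ad:be:ef:00:{n:02x}", spoofed))
    pkts.append((2.3, "aa:bb:cc:dd:ee:01", benign))
    return pkts


if __name__ == "__main__":
    for start, count, distinct in detect_flood(sample_capture()):
        print(f"window {start:.1f}s: {count} Apple-style adverts "
              f"from {distinct} addresses")
```

The company ID alone is not a signal: every AirPods case and Apple TV in the carriage advertises with 0x004C. What distinguishes the attack is the rate and the number of distinct source addresses in a short window, so tune `threshold` and `window_s` against a baseline capture of the environment before acting on alerts.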

These types of hacks have been possible for decades, but they required special equipment and a fair amount of expertise. They generally called for expensive SDRs, short for software-defined radios, which, unlike traditional hardware-defined radios, do the modulation and demodulation of signals in software on general-purpose processors rather than in fixed analog circuitry. The $200 Flipper Zero isn’t an SDR in its own right, but as a software-controlled radio built around fixed-function transceiver chips, it can do many of the same things at an affordable price and in a form factor far more convenient than previous generations of SDRs.

“The jig is up: software radios have made previously inaccessible attacks available to many more people than before, and work on them will continue,” Dan Guido, CEO of security firm Trail of Bits, wrote in an interview. “People who are casually interested in technology can now easily clone most hotel or office keycards. They don’t need any knowledge of signals or have to mess with open source code or Linux. [It] definitely democratizes some formerly complex RF [radio frequency] hacking into the hands of mere mortals.”

The Flipper Zero manufacturer bills the device as a “portable multi-tool for pentesters and geeks” that’s suitable for hacking radio protocols and building access control systems, troubleshooting hardware, cloning electronic key cards and RFID cards, and for use as a universal TV remote. Its open source design allows users to flash the device with custom firmware to take on new capabilities.

Some of the specs for the device include:

  • 1.4-inch monochrome LCD display
  • GPIO pins for connecting external hardware that greatly expands its capabilities
  • USB-C port for power and firmware updating
  • micro SD card slot
  • Infrared transceiver
  • Sub-1 GHz antenna
  • TI CC1101 chip
  • 1-Wire pogo pin for reading contact keys
  • 2000 mAh battery
  • Low power MCU
  • ARM Cortex-M4 32-bit 64 MHz (application processor)
  • ARM Cortex-M0+ 32-bit 32 MHz (radio processor)
Top view of the Flipper Zero.
Bottom and rear view of the Flipper Zero.
Images: flipperzero.one

“The idea of Flipper Zero is to combine all the hardware tools you’d need for exploration and development on the go,” the manufacturer wrote. “Flipper was inspired by pwnagotchi project, but unlike other DIY boards, Flipper is designed with the convenience of everyday usage in mind—it has a robust case, handy buttons, and shape, so there are no dirty PCBs or scratchy pins.”
