Bluetooth Low Energy denial of service attacks explained

The Bluetooth Low Energy denial of service attacks are a series of denial-of-service attacks against mobile phones and iPads via Bluetooth Low Energy that can make it difficult to use them.^[1]

iPhone and iPad attacks

DEFCON proof of concept attack

At DEF CON 31 in 2023, a demonstration was given using equipment made with a Raspberry Pi, a Bluetooth adapter and a couple of antennas.^[1] This attack used Bluetooth advertising packets, hence did not require pairing.^[1] The demonstration version claimed to be an Apple TV and affected iOS 16.^[1]

Flipper Zero attack

This attack also uses Bluetooth advertising packets to repeatedly send notification signals to iPhones and iPads running iOS 17. It uses a Flipper Zero running third-party Xtreme firmware. It functions even when the device is in airplane mode, and can only be avoided by disabling Bluetooth from the device's Settings app.^{[1] [2]}

The attack can cause the device to crash.^[3] It also affects iOS 17.1.^[4]

The release of iOS 17.2 made devices more resistant to the attack, reducing the flood of popup messages.^[5]

An app to perform these attacks was written for Android.^[6]

Interference with a medical device

An attendee of Midwest FurFest 2023 tweeted that the Android device they used to control their insulin pump had been crashed by a BLE attack and that if they hadn't been able to fix it they would have had to go to a hospital.^[6]

Wall of Flippers

The Wall of Flippers project has written a Python script that can scan for BTLE attacks.^[6] It can run on Linux or Microsoft Windows.^[6]

Android attack

The Flipper Zero version of the attack has been adapted to attack Android and Microsoft Windows systems.^{[7] [2]}

Notes and References

1. News: New iPhone iOS 16 Bluetooth Hack Attack—How To Stop It . Winder . Davey . 2023-09-06 . 2023-11-13 . Forbes.
2. News: Goodin . Dan . 2023-11-02 . This tiny device is sending updated iPhones into a never-ending DoS loop . 2023-11-13 . Ars Technica.
3. News: Flipper Zero can be used to crash iPhones running iOS 17, but there's a way to foil the attack . Kingsley-Hughes . Adrian . 2023-10-16 . ZDNET.
4. News: iOS 17.1 update still no defense against Flipper Zero iPhone crashes . Kingsley-Hughes . Adrian . 2023-10-30 . ZDNET.
5. News: iOS 17.2 update puts an end to Flipper Zero's iPhone shenanigans . Kingsley-Hughes . Adrian . 2023-12-15 . 2023-12-16 . ZDnet.
6. News: 'Wall of Flippers' detects Flipper Zero Bluetooth spam attacks . Toulas . Bill . 2023-12-23 . 2024-01-05 . Bleeping Computer.
7. News: Now Android and Windows devices aren't safe from Flipper Zero either . Kingsley-Williams . Adrian . 2023-10-24 . ZDNET.