• Chozo
      27
      2 years ago

      Which one: the Flipper Zero, or the bluetooth spamming function?

      Flipper Zero is a thing because it’s a very capable device for hackers and tinkerers. It can be used as an intro to coding and pen-testing.

      The bluetooth spam is a thing because some dev is an asshole.

    • Skull giver
      English
      23
      2 years ago

      Because operating systems are rather naive when it comes to responding to wireless signals. There was an earlier module that would spam iCloud popups and WiFi popups for iOS, and you can open Tesla charging port covers with this thing as well.

      When operating systems find a new device in setup mode, they assume you want to connect to it, because that makes setup so easy. It’s how you can “magically” pair headphones you just unboxed with just one button. Great idea, but anyone can send those kinds of packets, including smartphone apps on some platforms.

      Barring that, you can also use it to automate someone hitting “connect” on a known device a million times, causing constant popups asking whether to trust device X. You don’t need a flipper to do this either.

      In a quest to make Bluetooth easier and more magical, OS developers have ignored the possibility that someone is being a nuisance, and now people are upset that someone can spam them. For Apple and their proprietary stuff there’s a way to partially mitigate this (sign and verify device requests for a GUI popup, maybe add a silent notification for other vendors or add their secure chain to the list) which will work until someone extracts their key from their device. For Google and Microsoft, that’ll be harder to accomplish, and the disruptiveness of the UI has to be reduced to mitigate this.

      In practice, though, I don’t think this is that much of a problem. There aren’t that many trolls out there in the physical world. You can do way worse than this with a laptop and some quickly thrown together Python code, like extracting the WiFi details from active scan packets phones just send out, geolocating that using public databases, and sending a single pair request stating “I know you live at X street”; people will find that scary rather than annoying.
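
The two ideas in the comment above, advertising packets that any radio can send and a less disruptive UI as the mitigation, as an added example in Go (editor's code, not from anyone in this thread): a parser for the length/type/data structures of a BLE advertising payload, and a hypothetical OS-side PromptGate that stops showing a setup prompt once too many distinct advertiser addresses have requested the same kind of prompt in a short window. The company identifier 0x004C is Apple's assigned one; the vendor bytes, the addresses, the thresholds and the flood traffic are all constructed for the example, and the grouping of prompts by "company id + first vendor byte" is a heuristic, not a decode of any vendor protocol.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ADStructure is one element of a BLE advertising payload: a 1-byte length,
// a 1-byte AD type and length-1 bytes of data (Core Spec Vol 3 Part C, 11).
type ADStructure struct {
	Type byte
	Data []byte
}

// ParseAdvData splits a raw advertising payload into its AD structures,
// rejecting a structure whose declared length runs past the payload.
func ParseAdvData(payload []byte) ([]ADStructure, error) {
	var out []ADStructure
	for i := 0; i < len(payload); {
		l := int(payload[i])
		if l == 0 {
			break // zero length: early termination, the rest is padding
		}
		if i+1+l > len(payload) {
			return nil, errors.New("AD structure runs past the end of the payload")
		}
		out = append(out, ADStructure{Type: payload[i+1], Data: payload[i+2 : i+1+l]})
		i += 1 + l
	}
	return out, nil
}

// ManufacturerData returns the little-endian company identifier and the bytes
// after it from a manufacturer-specific structure (AD type 0xFF), if present.
func ManufacturerData(ads []ADStructure) (id uint16, rest []byte, ok bool) {
	for _, ad := range ads {
		if ad.Type == 0xFF && len(ad.Data) >= 2 {
			return uint16(ad.Data[0]) | uint16(ad.Data[1])<<8, ad.Data[2:], true
		}
	}
	return 0, nil, false
}

// PromptGate is a hypothetical OS-side rate limiter: a setup prompt of a given
// kind is shown only while at most MaxAddrs distinct advertiser addresses have
// requested it within Window. One accessory re-advertising from its own address
// stays under the limit; a spammer rotating addresses trips it.
type PromptGate struct {
	Window   time.Duration
	MaxAddrs int
	seen     map[string][]promptEvent
}

type promptEvent struct {
	addr string
	at   time.Time
}

// Allow records a prompt request and reports whether the UI should show it.
func (g *PromptGate) Allow(kind, addr string, now time.Time) bool {
	if g.seen == nil {
		g.seen = make(map[string][]promptEvent)
	}
	kept := g.seen[kind][:0] // in-place filter of expired events
	for _, e := range g.seen[kind] {
		if now.Sub(e.at) <= g.Window {
			kept = append(kept, e)
		}
	}
	kept = append(kept, promptEvent{addr: addr, at: now})
	g.seen[kind] = kept
	distinct := make(map[string]struct{})
	for _, e := range kept {
		distinct[e.addr] = struct{}{}
	}
	return len(distinct) <= g.MaxAddrs
}

// SampleAdvPayload is a constructed advertisement: a Flags structure, then a
// manufacturer-specific structure with Apple's company identifier (0x004C) and
// three made-up bytes. It is not a capture of any real vendor protocol.
func SampleAdvPayload() []byte {
	b, _ := hex.DecodeString("020106" + "06ff4c0001aabb")
	return b
}

// replay pushes n copies of SampleAdvPayload, 200 ms apart, through a fresh gate,
// taking the advertiser address for packet i from addr(i).
func replay(n int, addr func(i int) string) (allowed, suppressed int) {
	gate := &PromptGate{Window: 10 * time.Second, MaxAddrs: 3}
	ads, _ := ParseAdvData(SampleAdvPayload())
	id, rest, _ := ManufacturerData(ads)
	kind := fmt.Sprintf("mfr:%04x:%02x", id, rest[0]) // heuristic grouping, not a vendor decode
	start := time.Date(2023, 11, 1, 12, 0, 0, 0, time.UTC)
	for i := 0; i < n; i++ {
		if gate.Allow(kind, addr(i), start.Add(time.Duration(i)*200*time.Millisecond)) {
			allowed++
		} else {
			suppressed++
		}
	}
	return allowed, suppressed
}

// FloodResult counts how the gate treated two constructed traffic patterns.
type FloodResult struct{ FloodAllowed, FloodSuppressed, SingleDeviceAllowed int }

// SimulateFlood replays a spammer rotating addresses (20 adverts, each from a new
// address) and a single legitimate device (10 adverts, one address).
func SimulateFlood() FloodResult {
	var r FloodResult
	r.FloodAllowed, r.FloodSuppressed = replay(20, func(i int) string { return fmt.Sprintf("7a:%02x:00:00:00:01", i) })
	r.SingleDeviceAllowed, _ = replay(10, func(int) string { return "c8:11:22:33:44:55" })
	return r
}
```

With a window of 10 s and a limit of 3 distinct addresses, the rotating spammer gets three prompts through and the remaining seventeen are suppressed, while the single accessory is never throttled. A real OS would also have to decide what to do with the suppressed prompts (a silent notification, as the comment suggests, is one option) and whether to key the gate on payload type alone, since a spammer can vary the vendor bytes too.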

  • Echo Dot
    English
    10
    2 years ago

    I wonder if I could get work to buy me one and claim that I’ll use it for pen testing.

    My coworkers would 100% definitely plug it in if they saw it lying around just to see what it was. They’re real bad.

  • TWeaK
    English
    6
    edit-2
    2 years ago

    You should probably keep your wifi and bluetooth set to switch off automatically anyway, what with how much they’re used for tracking.

    • @Monument@lemmy.sdf.org
      English
      5
      edit-2
      2 years ago

      I don’t know if turning off Bluetooth protects against flipper attacks, but unless something has changed, it (sadly) doesn’t preserve your privacy.

      It’s not really documented, as far as I can tell, but Bluetooth low energy stays on, even when you toggle Bluetooth off for both iOS and Android. As of iOS 15, even turning off iPhones means the phone is still trackable. (Unsure about Android on that front.) Apple’s ‘Find my’ network uses Bluetooth low energy, same as Bluetooth beacons.

      Confused developers: one, two, three.

      • TWeaK
        English
        3
        2 years ago

        That sounds like disabling Bluetooth on iphones doesn’t disable Bluetooth LE. Sucks for iPhone users.

        • @Monument@lemmy.sdf.org
          English
          3
          2 years ago

          I mean, it sucks for everyone that can’t or doesn’t want to run homebrew OSes.

          The “One” link I shared above indicates the behavior became standard in Android 8 and iOS 11. They were released in August and September 2017, respectively.

          • TWeaK
            English
            2
            2 years ago

            Yeah I’d like to think AOSP doesn’t have that flaw.

    • Skull giver
      English
      2
      2 years ago

      Modern operating systems have mitigations for this built in, using random MAC addresses for most scanning and connectivity…

      …until you connect it to something, then it switches to a permanent MAC address. All of those privacy features disappear when you hook up a smart watch or headphones.

      So you can keep your Bluetooth and WiFi on just fine, as long as you don’t connect them to anything while you’re on the move. For WiFi you can even enable random MAC addresses for specific WiFi networks to keep tracking in public down.

      Where I live, this type of tracking is simply illegal (long live the GDPR!) and that stops most tracking in practice. The only tracking I’ve come across were for a university research project and a city project that was shot down and turned into a big fine.
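
The random address mechanism the comment above refers to, on the BLE side, as an added example (editor's code, not from anyone in this thread): a resolvable private address (RPA) is built from a 24-bit random prand and a 24-bit hash computed with AES-128 under the Identity Resolving Key (IRK) that the two devices exchanged at pairing. A bonded peer recomputes the hash from the visible prand and recognises the phone; an observer without the IRK has nothing to recompute, so two successive RPAs from the same phone cannot be linked. The address is laid out MSB-first as prand || hash, the IRK in the demo is a made-up constant, and the only real data is the Core Spec test vector (Vol 3 Part H, Appendix D.7) used as a self-check.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ah is the BLE random address hash (Core Spec Vol 3 Part H, 2.2.2):
// ah(k, r) = e(k, r') mod 2^24, with r' = 104 zero bits || r and e = AES-128.
// The most significant octet of k and of r' maps to the first AES byte.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	var in, out [16]byte
	copy(in[13:], prand[:]) // r sits in the least significant 24 bits
	c, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // unreachable with a 16-byte key
	}
	c.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:]) // mod 2^24: keep the low 24 bits
	return h
}

// assembleRPA lays out the 48-bit address MSB-first as prand || hash.
func assembleRPA(irk [16]byte, prand [3]byte) [6]byte {
	h := ah(irk, prand)
	var addr [6]byte
	copy(addr[0:3], prand[:])
	copy(addr[3:6], h[:])
	return addr
}

// NewRPA generates a fresh resolvable private address under irk. The two most
// significant bits of prand are forced to 0b01, the marker for an RPA.
func NewRPA(irk [16]byte) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	prand[0] = prand[0]&0x3F | 0x40
	return assembleRPA(irk, prand), nil
}

// Resolve is what a bonded peer does on every new advertisement: recompute the
// hash from the visible prand with its stored IRK and compare with the hash half.
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 0x01 {
		return false // public, static random or non-resolvable: not an RPA
	}
	var prand [3]byte
	copy(prand[:], addr[0:3])
	return ah(irk, prand) == [3]byte{addr[3], addr[4], addr[5]}
}

// SpecVectorOK checks ah against the published test vector in Core Spec
// Vol 3 Part H, Appendix D.7: IRK ec02...7d9b, prand 708194 -> hash 0dfbaa.
func SpecVectorOK() bool {
	raw, _ := hex.DecodeString("ec0234a357c8ad05341010a60a397d9b")
	var irk [16]byte
	copy(irk[:], raw)
	addr := assembleRPA(irk, [3]byte{0x70, 0x81, 0x94})
	return addr == [6]byte{0x70, 0x81, 0x94, 0x0d, 0xfb, 0xaa} && Resolve(irk, addr)
}

func main() {
	var irk [16]byte // constructed IRK for the demo; a real one comes from pairing
	for i := range irk {
		irk[i] = byte(i)
	}
	a, _ := NewRPA(irk)
	b, _ := NewRPA(irk)
	fmt.Printf("rotation: %x -> %x\n", a, b)
	fmt.Println("bonded peer resolves both:", Resolve(irk, a), Resolve(irk, b))
	var tracker [16]byte // an observer guessing at an IRK it never received
	fmt.Println("observer resolves:", Resolve(tracker, a), Resolve(tracker, b))
}
```

The practical caveat is the one the comment makes: this only helps while the address over the air is an RPA. Accessories that advertise with a public or static random address, or connections over Classic Bluetooth, expose a fixed identifier regardless of what the phone does with its own.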

    • ijeffOPM
      English
      1
      2 years ago

      Tracking my HR and steps via smartwatch!

    • @Monument@lemmy.sdf.org
      English
      3
      2 years ago

      Looks like that’s an ineffective approach.

      I commented elsewhere with an explanation and a bit of speculation. I did later confirm that even ‘disabling’ Bluetooth doesn’t stop the attack.

      The attack method works even when Bluetooth has been disabled using airplane mode from the control panel, which may surprise you. In which case, you’ll be shocked to discover that disabling Bluetooth this way, erm, doesn’t. Instead, you’d need to disable it directly from your device settings or run your iPhone in Lockdown Mode to prevent these advertising pop-ups from being received.
      Source

      Assuming similar on Android, it’s possible, but not with that easy toggle everyone knows about.

      • sadreality
        1
        2 years ago

        Correct, both Android and iOS don’t disable it unless manually done in BT settings.

        As you walk around your BT gets tagged and they sell your data.

        Think of a setting like a mall ;)

    • Polar
      English
      0
      2 years ago

      I almost always use it. For my smart band, PC notifications, wireless Android auto…

        • Polar
          English
          6
          2 years ago

          Ok, well I’m not going to stop using my fitness band or Android auto because I’m a paranoid person. Might as well never leave your home and never use any devices connected to the internet.

            • Polar
              English
              1
              2 years ago

              DId somEbOdy SaY yOu sHouLd?

              If you’re not implying that, then your reply was pointless.

                • Echo Dot
                  English
                  2
                  2 years ago

                  Right, but your argument of “well turn it off then” doesn’t work. Because people need it to be on, because they use it, because it’s a useful technology.

                • Polar
                  English
                  0
                  2 years ago

                  I want to keep it, otherwise all of my everyday devices become paperweights. Thanks.