Flipper Zero can be used to crash iPhones running iOS 17

zdnet.com

90 points by mdb333 2 years ago · 37 comments

AshamedCaptain 2 years ago

I mentioned this in the past -- that apparently Apple puts more effort in authenticating replacement parts for the iPhone than it does for authenticating wireless devices which pretend to be an Apple device.

  • olliej 2 years ago

    You know that authenticating something is a very simple and self contained operation right? Like it’s not hard to do it without memory safety issues. The overwhelming majority of attacks on cryptography are poor protocols, not anything else.

    Parsing arbitrary attacker provided data on the other hand is hard. I would guess that there’s an incorrect assumption that Bluetooth (and similar) radios are legitimate FCC approved hardware that isn’t actively malicious. I would suspect that if people put any thought into it they could do similar to any other Bluetooth device.
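The comment above contrasts authenticating a device with parsing whatever an untrusted radio sends. As an added example that is not part of the thread, the following Python shows the defensive side of the parsing problem: a bounds-checked parser for the public BLE advertising data framing (a sequence of [length][type][data...] structures) that rejects a length field running past the buffer, non-zero bytes after the zero-length terminator, and a manufacturer-data structure too short to hold its company ID, instead of trusting those fields. The sample payloads and the company ID 0x1234 are constructed for illustration and are not captured from any real device.

```python
# Added example: bounds-checked parser for BLE advertising data (AD structures).
# Not code from the thread or from any vendor; sample payloads are constructed.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_LEGACY_ADV_LEN = 31  # payload limit of a legacy advertising PDU

# Small subset of AD type codes from the Bluetooth assigned numbers
AD_TYPE_NAMES = {
    0x01: "Flags",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0xFF: "Manufacturer Specific Data",
}


class MalformedAdvertisement(ValueError):
    """Raised when the advertising data violates the AD structure framing."""


@dataclass(frozen=True)
class ADStructure:
    ad_type: int
    data: bytes

    @property
    def type_name(self) -> str:
        return AD_TYPE_NAMES.get(self.ad_type, f"Unknown (0x{self.ad_type:02X})")


def parse_advertising_data(payload: bytes) -> list[ADStructure]:
    """Split advertising data into AD structures, validating every length field."""
    if len(payload) > MAX_LEGACY_ADV_LEN:
        raise MalformedAdvertisement(
            f"payload of {len(payload)} bytes exceeds {MAX_LEGACY_ADV_LEN}")
    structures: list[ADStructure] = []
    offset = 0
    while offset < len(payload):
        length = payload[offset]
        if length == 0:
            # A zero length ends the significant part; what follows must be
            # zero padding, so any other byte means the framing is broken.
            if any(payload[offset:]):
                raise MalformedAdvertisement("non-zero bytes after zero-length structure")
            break
        end = offset + 1 + length  # the length covers the type byte plus data
        if end > len(payload):
            raise MalformedAdvertisement(
                f"length {length} at offset {offset} runs past end of payload")
        ad_type = payload[offset + 1]
        structures.append(ADStructure(ad_type, bytes(payload[offset + 2:end])))
        offset = end
    return structures


def is_well_formed(payload: bytes) -> bool:
    """True when the payload parses without any framing violation."""
    try:
        parse_advertising_data(payload)
    except MalformedAdvertisement:
        return False
    return True


def manufacturer_company_id(structures: list[ADStructure]) -> Optional[int]:
    """Company ID (little-endian 16-bit) from the first manufacturer structure, if any."""
    for s in structures:
        if s.ad_type != 0xFF:
            continue
        if len(s.data) < 2:
            raise MalformedAdvertisement("manufacturer data shorter than the 2-byte company ID")
        return int.from_bytes(s.data[:2], "little")
    return None


# Constructed sample payloads (company ID 0x1234 is a placeholder, not a real vendor)
SAMPLE_GOOD = (bytes([0x02, 0x01, 0x06])            # Flags: LE General Discoverable, no BR/EDR
               + bytes([0x05, 0x09]) + b"Test"      # Complete Local Name "Test"
               + bytes([0x05, 0xFF, 0x34, 0x12, 0xAA, 0xBB]))  # manufacturer data
SAMPLE_TRUNCATED = bytes([0x02, 0x01, 0x06, 0x10, 0x09]) + b"Ab"  # claims 16 bytes, 3 follow
SAMPLE_SHORT_MFG = bytes([0x02, 0xFF, 0x34])  # manufacturer structure with half a company ID

if __name__ == "__main__":
    for s in parse_advertising_data(SAMPLE_GOOD):
        print(f"{s.type_name}: {s.data.hex()}")
    for name, sample in [("truncated", SAMPLE_TRUNCATED), ("oversized", bytes(40))]:
        print(f"{name}: well-formed={is_well_formed(sample)}")
```

The design choice is that every read is preceded by a check against the real buffer length, and a framing violation raises rather than being silently clipped; a receiver that logs `MalformedAdvertisement` counts per source address also gets a cheap signal for advertisement floods.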

  • arshbot 2 years ago

    From the perspective of profit incentives, this makes perfect sense.

  • chatmasta 2 years ago

    That's fine. I'm more concerned that the (replacement) hardware on my own device is not malicious, than I am with the hardware on other devices that are already outside my control. My trust model doesn't include them to begin with. And to the extent that my OS trusts those devices, at least any bugfixes can be pushed via software update.

    As the article notes, there is a simple way to stop this attack, which is to disable bluetooth. I already do that by default.

    • AshamedCaptain 2 years ago

      > That's fine. I'm more concerned that the (replacement) hardware on my own device is not malicious, than I am with the hardware on other devices that are already outside my control.

      You are more concerned with someone opening your iPhone and putting in a replacement malicious part than with someone pwning your iPhone with a $5 wireless device while in his car just driving by?

      Your threat model is upside down.

      • chatmasta 2 years ago

        I would be very concerned with someone pwning my phone with a $5 wireless device, but that's not what's happening here. This is a DoS attack. It could never be perfectly mitigated, as long as any mitigation depends on the (arguably) fundamentally impossible task of verifying an external device is a "real" Apple device. It's possible to design security protocols that allow me to verify my device is a real Apple device, but likely not to verify a packet was sent by someone else's "real" Apple device. So I'm less concerned about the latter.

        Also note that I specified I'm more concerned with verification of trusted hardware on my own device. Because the repercussions of malicious hardware implanted in my own device cannot be mitigated purely in software. Whereas verifying the integrity of an external device inherently depends solely on software, since there is no hardware interaction. I'm still concerned about it, in the sense that I'd like my OS to take best efforts to only "trust" external devices insofar as it can verify they're trustable, but I also accept that those devices are outside of my control and so any protocol for trusting them will have holes in it. My main requirement is that I should be able to opt out of the system if possible (by e.g. disabling bluetooth).

        • AshamedCaptain 2 years ago

          > This is a DoS attack. It could never be perfectly mitigated

          Bullshit.

          Flooding the waves with radio interference (something that Bluetooth is particularly resistant to) would at most "deny service" of another device trying to connect to my iPhone through Bluetooth. It should NOT deny service of the _entire_ iPhone, which is what is discussed here. This is 100% preventable crap.

          > the (arguably) fundamentally impossible task of verifying an external device is a "real" Apple device

          Bullshit... and egregious considering you apparently think it is doable for replacement parts, but "fundamentally impossible" for networking devices. SSL is about 30 years old by now.

          > I'm still concerned about it, in the sense that I'd like my OS to take best efforts to only "trust" external devices insofar as it can verify they're trustable, but I also accept that those devices are outside of my control and so any protocol for trusting them will have holes in it.

          Also bullshit. All these holes are because of the proprietary extensions Apple puts on top of Bluetooth, which are exploited to no end. Notice my original post is about Apple not being able to identify when it is a (real vs fake) Apple device that is trying to initiate a connection. The protocol is 100% controlled by Apple.

          Normal Bluetooth protocols and devices (which do not identify as Apple devices and are therefore subject to the standard Bluetooth pairing UI) are almost never the problem.

          • chatmasta 2 years ago

            I agree with you, but that doesn't negate what I said about this being correctable in software. Whereas if someone implants a malicious HSM in my iPhone, or a screen that has a secondary chip connected to it recording everything I touch, then that's not correctable in software.

            It also does not qualify as "pwning" your device, at least for my interpretation of the word "pwn."

            • lxgr 2 years ago

              > that doesn't negate what I said about this being correctable in software

              “My house is on fire, but that is easily correctable by the fire department using water, a cheap and widely available commodity. The real concern is alien abductions in my neighborhood. We are defenseless against these!”

              > It also does not qualify as "pwning" your device, at least for my interpretation of the word "pwn."

              Random people on the same train as me being able to crash my phone fits my definition of “pwned”. And so does me having to use wired headphones as a countermeasure.

            • AshamedCaptain 2 years ago

              Your threat model is still ridiculously upside down. You are literally arguing that you are more worried about the possibility that someone subjects you to some type of maid attack (which requires an almost implausible level of dedication) rather than someone with a $5 Atmel chip claiming to be an Apple TV, automatically pairing with your device, and afterwards doing god knows what with it (including leaking more data than _anything you could do_ with an even country-agent level trojanized replacement screen). All from the comfort of their car and with so little targeting they could practically wardrive with it.

              • chatmasta 2 years ago

                I'm assuming I can opt into the threat, i.e. it's possible for me to disable Bluetooth to remove my exposure to this class of attacks. When I turn on my WiFi I know that I'm subjecting myself to de-auth attacks, for example.

                I can't opt out of a hardware attack once a malicious repair shop has replaced a critical module in my phone with their own.

                Like I said, I'm more concerned with the latter. It doesn't mean I'm not concerned about attacks from external devices too.

                • AshamedCaptain 2 years ago

                  > can't opt out of a hardware attack once a malicious repair shop

                  So apparently you forever disable Bluetooth out of concern but at the same time think it is unavoidable to leave your iPhone unattended at random repair shops? At least the maid stuff (even if astronaut-level engineering) is remotely plausible.

                • lxgr 2 years ago

                  Since when can de-auth attacks crash devices? That is what’s happening here!

      • fragmede 2 years ago

        I'm more concerned about my phone being stolen. A DoS because I left my Bluetooth on is annoying. Having my phone stolen and then just letting the thief make money off that is galling.

        • mindslight 2 years ago

          I'm more concerned about the ability to own personal property than the slight possibility it might get stolen. Having to spend money to buy a new phone is annoying. "I'm sorry Dave I'm afraid I can't do that" from a device I've purportedly bought is galling.

    • vilunov 2 years ago

      But your iPhone trusts these devices.

      > there is a simple way to stop this attack, which is to disable bluetooth

      This doesn't work, I've already tried it with my iPhone and a friend's Flipper.

      • chatmasta 2 years ago

        Interesting. Turning bluetooth off via settings doesn't mitigate it? What about disabling AirDrop and Find My?

        • vilunov 2 years ago

          I didn't try that, but I doubt it will help either. This is a BLE-based attack, you can't disable BLE.

          • chatmasta 2 years ago

            Really? I always assumed turning off bluetooth would disable BLE too. That's annoying...

            I'd be interested to know if disabling Find My will stop the attack. Also Airplane mode (you can enable WiFi while in Airplane mode, I think).

fragmede 2 years ago

Kudos to the Flipper Zero team for making such a desirable toy. Build a thing, get a couple Wired articles written up about it, make several million dollars.

  • vuln 2 years ago

    Do you have the same outlook on Hak5 “tools”?

    I feel like you’re giving it an unfair shake. They didn’t just _build a toy_; those of us who originally supported it through Kickstarter saw a huge chunk of the work that went into building this device. The flipper team (10ish people?) has overcome and continues to overcome so many crazy things (Covid, chips, supply chains, shipping) just to have the flipper device available worldwide. The dev/modding community behind it is pretty amazing.

    Full disclosure: I was a very early backer. I have used my Flipper for fun and business. I can’t think of any other $120 _toy_ I use as much. Maybe I’m biased, and took your comment out of context.

    • fragmede 2 years ago

      You seem to be interpreting my usage of the word "toy" negatively. I mean no disrespect. I only just missed the Kickstarter. I have one and it's great. I built a keyboard for it on the GPIO and wrote an app. As far as toys go, as an adult, I didn't give up toys, they just got (way) more expensive (like my motorcycle or my friend's Porsche).

      It comes with a tamagotchi in the stock firmware, so it's hard not to see it as a device for fun and whimsy, aka a toy.

      In calling it a toy, I'm saying it's a B2C product, neatly packaged up with few sharp edges. It has an easy to use app. I don't have to dig deep into some cross-compiler setup to build firmware for it. Professional HW dev should be so easy!

      My underlying point was that the Wired article and subsequent press has launched the product far further than originally thought.

      Why does the word toy connote so negatively for you?

      • worthless-trash 2 years ago

        I'm not OP though:

        In some countries for some age-groups it is implied that only children play with toys, equating the use of it to being someone who is a child.

        While you can't control interpretation of the word, you're now aware of its connotations in certain cultures and how you can be interpreted. The burden of its possible misuse is now on you.

        • thorncorona 2 years ago

          > While you can't control interpretation of the word, you're now aware of its connotations in certain cultures and how you can be interpreted. The burden of its possible misuse is now on you.

          What a ridiculous and pedantic take. Language has always been contextual and nuanced. One of those contexts is obviously culture. In situations where clarity is needed, it can be sought.

          There is no burden of misuse, much less more than any other word in English.

        • itishappy 2 years ago

          > The burden of its possible misuse is now on you.

          What does this mean? It sounds quite hostile.

    • ramraj07 2 years ago

      Can you mention some legal things you solved with it? Just curious!

      • climb_stealth 2 years ago

        I'm not GP but I have used it to debug my car remote. It was unlocking but not locking. Used the Flipper to confirm that the remote wasn't sending anything on lock button presses. Solved it with opening up the key and some cleaning of the PCB. Was very helpful there as it was otherwise quite tricky to work out where the problem was.

        Otherwise haven't found any use for it. I wanted to use it to clone my garage remote but couldn't get it to work.

        • 15457345234 2 years ago

          You could have used an SDR for that, which is a fairly interesting piece of kit with - arguably - more wholesome uses than the flipper.

          • climb_stealth 2 years ago

            Yeah I guess so. Though it's something I'm not familiar with. And the Flipper was something I had at home already. To be fair until then I couldn't find any use for it.

            In my opinion the whole appeal of the Flipper is that it bundles a bunch of radio gadgets and makes them easy to use and accessible. Are there better tools for each job? Definitely! But I presume setting up an SDR would have involved a fair bit more research and work. On the Flipper it took five minutes of trying out the different modes.

      • adobrawy 2 years ago

        Duplicate RFID key for the garbage shelter, because there was only one left when the tenant did not return it after renting it.

        After purchasing a new apartment, I almost immediately made a backup of the wireless garage key and the RFID intercom key.

  • 15457345234 2 years ago

    Public nuisance
