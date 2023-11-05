Millions of iPhone users who have updated to iOS 17 face a potential threat from a widely available “multi-tool device for geeks.” The $169 Flipper Zero can crash an iPhone by flooding it with connection requests. Currently, the only way to prevent an attack is to turn off Bluetooth completely.

CUPERTINO, CALIFORNIA – SEPTEMBER 12: Attendees look at the brand new Apple iPhone 15 during an event , [+] Apple event in Cupertino, California on September 12, 2023. Apple revealed its lineup of latest iPhone 15 editions as well as other product upgrades during the event. (Photo by Justin Sullivan/Getty Images) getty images

First reported by security researcher Jeroen van der Ham, the attack uses Flipper Zero. According to its manufacturer, this software-controlled radio can be used “[hack] Digital goods, such as radio protocols, access control systems, hardware, and more. It is available direct from the manufacturer for $169. Thanks to its open-source design, it can be flashed with custom firmware, opening up many possibilities.

One of these firmware options is Flipper Extreme. A setting allows the Flipper Zero to announce the availability of a Bluetooth Low Energy device close to the iPhone, an annoyance but no more. Another setting—the setting that triggers a denial of service attack—is labeled simply “iOS 17 attack.”

Van der Ham’s experience with the attack can be read on Ars Technica: “Your phone becomes almost useless. You can still work for a few minutes in between, so it’s really annoying to experience this. Even “Even as a security researcher who heard about this attack, it’s really hard to realize that this is what’s happening.”

DoS attacks can also be targeted at Android and Windows devices. However, these can be blocked more easily as both operating systems provide toggles in Settings to turn off notifications for “Fast Pair” (Android) and “Swift Pair” (Windows).

Home page of the Flipper Zero website. flipperzero.one

As the labeling suggests, this iPhone attack appears to be tailored to iOS 17. Van der Ham could not replicate the crash on an iPhone running versions of iOS before iOS 17.

For users who have updated to iOS 17, the attack can be prevented by turning off the iPhone’s Bluetooth in the Settings app – toggling Bluetooth in the Control Center panel is insufficient. Unfortunately, major peripheral devices like the Apple Watch and Air Pods rely on Bluetooth to connect to a user’s iPhone, so this protection may not be practical for many people.

Apple has been contacted for comment. This story will be updated with any response.

