The technique was first demonstrated by a security researcher against Apple iOS devices, which encouraged others to test its possible effects on other systems.
The underlying idea behind the spam is to use Flipper Zero's wireless communication capabilities to send fake advertising packets, carrying pairing and connection requests, to devices within range.
These kinds of spam attacks are challenging for victims, since they cannot tell whether the advertised device is legitimate or fake. Spam attacks also degrade the user experience by constantly displaying notifications and pop-ups on the targeted device.
Xtreme Adds ‘Bluetooth Spam’
Earlier this month, Flipper Xtreme revealed on its Discord channel that “spam attacks” would be included in the upcoming major firmware release.
The Xtreme team also released a demonstration video showing a denial of service (DoS) attack on a Samsung Galaxy mobile, in which the device becomes unusable due to an incessant stream of connection alerts.
While this latest firmware version is not far from reaching a stable status, the “spam attack” has been included in the most recent development build through a new program called 'BLE Spam,' which can be found on GitHub.
A YouTuber called ‘Talking Sasquach,’ after running a trial of the dev firmware image on his Flipper Zero, revealed that the attack functions as anticipated on both Windows and Android.
Currently, the BLE Spam app gives users eight flood attack options, which include:
- Every method combined
- iOS 17 Lockup Crash
- Apple Action Modal
- Apple Device popup
- Android device pair
- Windows Device Found
How to Block These Spam Attacks
These spam attacks are more of a nuisance to users than a real threat. However, since BLE Spam enables users to create personalized notifications, the spam can become more deceptive and contribute to social engineering and other threat scenarios.
These Flipper Zero attacks may cause issues because Android 14 and Windows 11 devices by default display notifications on Bluetooth connection requests. Fortunately, blocking these messages on both systems is easy.
However, users need not worry about these rogue broadcasts, since they cannot directly damage recipients' devices or execute code on them. Users should still learn how to stop the notifications so that ongoing pranking does not waste their time or aggravate them.
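
For defenders who want to recognize an ongoing flood rather than only silence it, here is an added example (not code from the article or from the BLE Spam project) that parses captured advertising payloads and flags a pairing-prompt family when many distinct source addresses advertise it within a short window. The function names, thresholds, sample data and the assumption that a flood shows up as many distinct source addresses are illustrative; the company identifiers and the Fast Pair UUID are Bluetooth SIG assigned values, and the Apple message types come from public reverse-engineering.

```python
from collections import defaultdict, deque

APPLE, MICROSOFT = 0x004C, 0x0006   # Bluetooth SIG company identifiers
FAST_PAIR = 0xFE2C                  # 16-bit service UUID used by Google Fast Pair
APPLE_PROMPT_TYPES = {0x07, 0x0F}   # Continuity proximity pairing / nearby action

def parse_ad(payload):
    """Split an advertising payload into (AD type, data) structures."""
    i, out = 0, []
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break                    # zero padding or truncated structure
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def classify(payload):
    """Name the pairing-prompt family an advertisement belongs to, or None."""
    for ad_type, data in parse_ad(payload):
        if len(data) < 3:
            continue
        ident = int.from_bytes(data[:2], "little")
        if ad_type == 0xFF:          # Manufacturer Specific Data
            if ident == APPLE and data[2] in APPLE_PROMPT_TYPES:
                return "apple"
            if ident == MICROSOFT and data[2] == 0x03:   # Swift Pair beacon
                return "windows"
        elif ad_type == 0x16 and ident == FAST_PAIR:     # Service Data
            return "android"
    return None

def detect_flood(events, window=10.0, max_sources=5):
    """events: time-ordered (timestamp, source address, payload) tuples.
    Returns families seen from more than max_sources addresses per window."""
    recent, alerts = defaultdict(deque), set()
    for ts, addr, payload in events:
        family = classify(payload)
        if family is None:
            continue
        q = recent[family]
        q.append((ts, addr))
        while ts - q[0][0] > window:   # drop sightings older than the window
            q.popleft()
        if len({a for _, a in q}) > max_sources:
            alerts.add(family)
    return alerts

# Constructed sample: eight addresses sending Swift Pair style adverts in 2 s.
SAMPLE = [(i * 0.25, f"aa:00:00:00:00:{i:02x}", bytes([4, 0xFF, 6, 0, 3])) for i in range(8)]
```

Calling `detect_flood(SAMPLE)` flags the Windows family; the same adverts spaced 20 seconds apart, or a single legitimate accessory, stay under the threshold.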