Back in September, an iPhone user reported a security issue that could render an iPhone unusable with nothing but a Flipper Zero multitool and some creativity. Now, months later, Apple has still not addressed this issue in any fashion, sparking concerns.
Essentially, someone with the technical know-how could use the Flipper Zero to trigger the AirPods Bluetooth connection pop-up on the screen over and over, locking up the device. At the time, this was likened to a DDoS attack, which floods an internet service with requests until it goes down. As 9to5Mac has pointed out, the iOS 17.2 beta does nothing to rectify this.
As of right now, the device needs to be quite close to the iPhone, and turning off Bluetooth entirely can stop it, but the flaw could be exploited by users who know how to do worse. To protect yourself fully, you must turn off Bluetooth from the Settings app; doing so from the Control Center doesn’t work.
An Apple Problem - iMore’s Take
Back when this originally surfaced, a representative of Flipper Zero spoke to iMore, claiming:
'It’s important to highlight this is impossible on the default hardware. We have taken necessary precautions to ensure the device can’t be used for nefarious purposes. Since the firmware is open source, individuals can adjust it and use the device in an unintended way, but we don’t promote this and condone the practice if the goal is to act maliciously.
Potentially, one could repurpose an Android phone with custom firmware or any Arduino-like device with BLE capabilities to do the same. This is why we agree with the researcher that Apple should implement safeguards and eliminate the problem at its core.'
The Flipper Zero is not the only device capable of spoofing a Bluetooth notification, so it's a problem Apple will have to fix internally to eliminate the threat for good. Perhaps a solution such as disabling Bluetooth after a handful of pings in a row or only allowing trusted devices to ping multiple times could be a software-based fix in a future version of iOS.
Apple didn’t respond to a request for comment when the issue was first raised in September.