Android Kitchen Sink: Send BLE spam to iOS, Android and Windows at once using Android app

Kitchen Sink is the name of a Bluetooth Low Energy (BLE) attack that sends random advertisement packets targeting iOS, Android, and Windows devices in the vicinity at the same time. The attack is called “Kitchen Sink” because it tries to send every possible packet in the list, similar to the phrase “everything but the kitchen sink”. So far, the Kitchen Sink could only be run using a Flipper Zero device, as I explained and demonstrated in my previous blog. However, not everyone has a Flipper Zero, and since we are mobile people, we need mobile apps. Thanks to Simon, we can use the Kitchen Sink in a standalone Android Bluetooth LE Spam application that you can download from his GitHub. As the default Android system protection against these Fast Pairing messages, Android uses a model where the same device can send only a few pairing notifications (around five) in a row before it is automatically ignored by the system. Using the Kitchen Sink, I was able to send around 30 pop-ups in a row to a Samsung FE20 running Android 13.

Besides the “all-in-one” BLE spam, the app also provides an option to send BLE pairing messages separately to each operating system, see Figure 1.

Figure 1. Bluetooth LE Spam app options

List of notifications

Using the Kitchen Sink, the Bluetooth LE Spam app can advertise up to 219 different devices at once. For those who are interested, here is the list.

Twelve Apple Device Popups:

• AppleTV Setup
• AppleTV Pair
• AppleTV New User
• AppleTV AppleID Setup
• AppleTV Wireless Audio Sync
• AppleTV Homekit Setup
• AppleTV Keyboard
• AppleTV ‘Connecting to Network’
• Homepod Setup
• Setup New Phone
• Transfer Number to New Phone
• TV Color Balance

Seventeen Apple Action Modals:

• Airpods
• Airpods Pro
• Airpods Max
• Airpods Gen 2
• Airpods Gen 3
• Airpods Pro Gen 2
• PowerBeats
• PowerBeats Pro
• Beats Solo Pro
• Beats Studio Buds
• Beats Flex
• BeatsX
• Beats Solo3
• Beats Studio3
• Beats Studio Pro
• Beats Fit Pro
• Beats Studio Buds+

180 Android Fast Pairing devices; the list is available on the Flipper Xtreme Firmware GitHub.

And ten Microsoft Swift Pairing devices named Device followed by a number from 1 to 10. Unlike the names above, which cannot be changed, this device name can be customized.

Comparing Flipper Zero with Bluetooth LE Spam and nRF Connect apps

At the time of writing this blog, if you have not flashed a dev build of the Flipper Xtreme or Unleashed firmware, the Flipper has a list of only five Fast Pairing Android devices, compared to the Bluetooth LE Spam app. However, this can be fixed by cloning the BLE Spam branch from GitHub and building your own Flipper Zero app using flipc.

The disadvantage of the BLE Spam app compared to Flipper Zero is the range it covers. Using Flipper Zero, I can send pop-ups to each system from a longer distance. Even though I set the signal (TX power) to the highest level in the Bluetooth LE Spam app, the range is still small. When I compared the nRF Connect app with Bluetooth LE Spam, I got better results with nRF Connect. However, using nRF Connect I tested only two proximity pairing messages, for Pixel Buds and TicWatch 5. Below you can see the table with the range comparison in meters (m). For clarification, 1 meter is equal to around 3.28 US feet.

Targeted OS/Device or app | Flipper Zero | Bluetooth LE Spam app | nRF Connect app
Android                   | over 15 m    | 0.4 m                 | over 10 m
iOS                       | 50 m         | 10 m (modals)         | over 12 m (modals)
Windows                   | 0.5 m        | 0.2 m                 | 0.2 m
Signal range comparison

In the video below you can see the Kitchen Sink in action.

Conclusion

Based on my tests, Flipper Zero has the best area coverage, then nRF Connect, and finally the Bluetooth LE Spam app. I was really surprised by the nRF Connect signal strength. However, each of the apps has its benefits. Since it is not possible to randomize proximity messages automatically using nRF Connect, the only way to achieve the Kitchen Sink with it is to manually include them as advertisement packets and enable them all. In contrast, the Bluetooth LE Spam app can automate this task using the Kitchen Sink, but for some reason its range is lower than that of the nRF Connect app. In the future, I can imagine the Bluetooth LE Spam app adding an option to manually pick one of the proximity messages and broadcast it individually, which might as a result behave like nRF Connect.

It is important to mention that spoofing Fast Pairing messages for Android using one device, such as Pixel Buds, is limited to five times, after which they are ignored by the Android system. However, using the Kitchen Sink, it is theoretically possible to spoof 180 devices. In my tests, I was able to spoof 30 devices in a row, then the Android OS started to ignore them without any user interaction, which is a great anti-BLE-spam feature. There are no limits or restrictions enforced by the iOS or Windows operating systems.
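As an added illustration of the throttling behaviour described above (this is not code from the Bluetooth LE Spam app or from Android), the following Python model applies a per-device limit of five pop-ups and a burst limit of 30, the two numbers observed in this post; the class name, the 60-second burst window and the sample model ids are assumptions.

```python
from collections import defaultdict, deque

PER_DEVICE_LIMIT = 5    # page: ~five notifications from one device, then ignored
BURST_LIMIT = 30        # page: ~30 pop-ups in a row before Android ignored the rest
BURST_WINDOW_S = 60.0   # assumed window over which the burst is counted


class FastPairNotificationGate:
    """Model of a pop-up throttle (an assumption, not Android's implementation)."""

    def __init__(self, per_device_limit=PER_DEVICE_LIMIT,
                 burst_limit=BURST_LIMIT, window_s=BURST_WINDOW_S):
        self.per_device_limit = per_device_limit
        self.burst_limit = burst_limit
        self.window_s = window_s
        self.shown_per_device = defaultdict(int)  # model id -> pop-ups shown
        self.recent = deque()                     # timestamps of shown pop-ups
        self.suppressed = 0

    def allow(self, model_id, now):
        """Return True if an advertisement from model_id may raise a pop-up."""
        # Forget pop-ups that fell out of the burst window.
        while self.recent and now - self.recent[0] > self.window_s:
            self.recent.popleft()
        # Rule 1: the same advertised device is ignored after a few repeats.
        if self.shown_per_device[model_id] >= self.per_device_limit:
            self.suppressed += 1
            return False
        # Rule 2: rotating through many devices is still capped as a burst.
        if len(self.recent) >= self.burst_limit:
            self.suppressed += 1
            return False
        self.shown_per_device[model_id] += 1
        self.recent.append(now)
        return True


def simulate(advertisements, gate=None):
    """Feed (model_id, timestamp) pairs through a gate; return pop-ups shown."""
    gate = gate or FastPairNotificationGate()
    return sum(gate.allow(model_id, t) for model_id, t in advertisements)


# Constructed samples: one spoofed device repeated eight times, and a Kitchen
# Sink style sweep over 40 distinct model ids, one advertisement per second.
SAME_DEVICE = [("pixel_buds", float(i)) for i in range(8)]
SWEEP = [(f"model_{i:03d}", float(i)) for i in range(40)]
```

Running `simulate(SAME_DEVICE)` shows 5 pop-ups and `simulate(SWEEP)` shows 30, matching the two limits the post reports.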

Originally published by mh: Android Kitchen Sink: Send BLE spam to iOS, Android and Windows at once using Android app

Copyright notice: posted by admin on 25 November 2023 at 10:15 PM.