These scripts are an experimental PoC that uses Bluetooth Low Energy (BLE) to send proximity pairing messages to Apple devices.
This project is created for educational purposes and cannot be used for law violation or personal gain. The author of this project is not responsible for any possible harm caused by the materials of this project.
7/17/24
Thanks to 0DayCTF the random option has been added!
To run with random :
sudo python3 start.py --random
or
sudo python3 start.py -r -i 20
to set to it to random and the time interval to 20ms, making it more spammy.
Here is a script for Apple Proximity Pairing Notification Spoofing using Bluetooth Low Energy (BLE) advertising. The script allows you to send BLE advertisements that mimic various Apple devices, such as AirPods and Beats headphones, or even Apple TV setup messages.
Please follow in this exact order or you might run into issues with bluetooth dependencies.
git clone https://github.com/ThemeHackers/AppleBLE.git && cd ./AppleBLEsudo apt update && sudo apt install -y bluez libpcap-dev libev-dev libnl-3-dev libnl-genl-3-dev libnl-route-3-dev cmake libbluetooth-dev
⚠️ Warning
Thepybluezlibrary is broken on GitHub and needs to be installed manually
Download the latest version
pip install git+https://github.com/pybluez/pybluez.git#egg=pybluez
pycrypto is not maintained, be sure to install pycryptodome instead
pip install pycryptodomesudo pip install -r requirements.txtTo be able to run without sudo, you need to set the capabilities of the python binary to allow it to access raw sockets. This is done with the following command
sudo setcap cap_net_raw,cap_net_admin+eip $(eval readlink -f $(which python))sudo service bluetooth start
sudo systemctl enable bluetooth
git clone https://github.com/pybluez/pybluez
cd pybluez/
sudo python3 setup.py install
Several users have reported the need for a reboot after installing the bluetooth packages in order for everything to work properly.
Run hcitool dev to get a list of connected adapters
hcitool dev
Devices:
hci0 00:00:7C:00:3A:13📝 Note
If the adapter is showing ashci1you will need to edit thedev_idvariable in the scripts to match
All messages have been combined into a single app. You can now run app.py to get a list of available options.
To run the script use -d (number of message)
Example
start.py -d 13
sudo python3 start.py
Please select a message option using -d.
Available message options:
1: Airpods
2: Airpods Pro
3: Airpods Max
4: Airpods Gen 2
5: Airpods Gen 3
6: Airpods Pro Gen 2
7: PowerBeats
8: PowerBeats Pro
9: Beats Solo Pro
10: Beats Studio Buds
11: Beats Flex
12: BeatsX
13: Beats Solo3
14: Beats Studio3
15: Beats Studio Pro
16: Beats Fit Pro
17: Beats Studio Buds+
18: AppleTV Setup
19: AppleTV Pair
20: AppleTV New User
21: AppleTV AppleID Setup
22: AppleTV Wireless Audio Sync
23: AppleTV Homekit Setup
24: AppleTV Keyboard
25: AppleTV 'Connecting to Network'
26: Homepod Setup
27: Setup New Phone
28: Transfer Number to New Phone
29: TV Color Balance- FuriousMAC and Hexway for all the prior research on Apple BLE, Continuity, and building the Wireshark disector.
- Jae Bochs for exposing this to me at DEF CON 31 which made me jump into learning about BLE.
- Guillaume Celosia and Mathieu Cunche for reverse engineering Proximity Pairing