Flipper Zero & BLE Spam Detector

Author: anbuinfosec
License: MIT
Version: 1.0

A Python tool that detects Flipper Zero devices and BLE spam attacks using Bluetooth Low Energy (BLE) scanning. This tool focuses on identifying malicious BLE advertisements including iOS/Android popup spam, device spoofing, and Flipper Zero presence.

---

🎯 Features

• 🚨 Accurate Flipper Zero Detection - Service UUID fingerprinting (most reliable method)
• � BLE Spam Attack Detection - iOS, Android, Windows, Samsung popup spam
• 🎨 Color-Coded Alerts - RED (critical), ORANGE (high), YELLOW (medium), CYAN (low)
• 🔔 Cross-Platform Notifications - Desktop alerts with sound (macOS, Linux, Windows, Termux)
• 📝 Smart Device Tracking - Prevents duplicate alerts, tracks attack history
• 🌍 Multi-OS Support - macOS, Linux, Windows, Termux
• 🍯 Honeypot Mode - Simulates honeypot (logs only, no radio transmission)

Detection Methods

1. Flipper Zero Detection

Service UUID Detection (Most Reliable)

• White Flipper: 00003082-0000-1000-8000-00805f9b34fb
• Black Flipper: 00003081-0000-1000-8000-00805f9b34fb
• Transparent Flipper: 00003083-0000-1000-8000-00805f9b34fb
• Nordic UART: 6e400001-b5a3-f393-e0a9-e50e24dcca9e (common Flipper service)

Name Detection

Matches device names containing: "flipper", "flipperzero", "flipper zero", "flipper-zero"

2. BLE Spam Attack Detection

🍎 Apple Continuity Spam (Manufacturer ID: 76 / 0x004C)

Detects manufacturer data hex patterns:

• 0f05c0 - Continuity Action Modal popup
• 0f0540 - Action Modal variant
• 000010 - iOS 17 crash exploit (critical)
• 071905 - Fake AirTag ("AirTag Found Moving With You")
• 071907 - "Setup New Device" prompt
• 071901 - "Not Your Device" popup
• 07190f - Fake Apple TV
• 07190f - Fake Apple Watch

🤖 Google Fast Pair Spam

• Service UUID: 0000fe2c-0000-1000-8000-00805f9b34fb
• Triggers fake device pairing popups on Android

🪟 Microsoft Swift Pair Spam (Manufacturer ID: 6 / 0x0006)

• Pattern: Manufacturer data starting with 030080
• Triggers fake Windows device setup prompts

📱 Samsung Easy Setup Spam (Manufacturer ID: 117 / 0x0075)

• 42098102141503210109 - Galaxy Buds spam
• 010002000101ff000043 - Galaxy Watch spam

🔒 Lovespouse Smart Lock Spam (Manufacturer ID: 255 / 0x00FF)

• Device flooding attacks on smart locks

3. Attack Type Detection

The detector identifies BLE spam attacks targeting various platforms:

🍎 Apple/iOS Devices

Attack Pattern	Hex Signature	Description
Continuity Action Modal	0f05c0	iOS popup spam
Action Modal Variant	0f0540	Alternative popup attack
iOS 17 Crash	000010	Device DoS exploit (Critical)
Fake AirTag	071905	"AirTag Found Moving With You"
Setup New Device	071907	Fake setup prompt
Not Your Device	071901	Ownership confusion popup
Fake Apple TV	07190f	TV setup spam
Fake Apple Watch	071913	Watch pairing spam

🤖 Google/Android Devices

Attack	Service UUID	Description
Fast Pair Spam	0000fe2c-...	Fake device pairing popups
Nearby Share	0000fd3d-...	Connection flooding

🪟 Microsoft/Windows Devices

Attack Pattern	Hex Signature	Description
Swift Pair Spam	030080	Fake Windows device setup

📱 Samsung Galaxy Devices

Attack Pattern	Hex Signature	Description
Galaxy Buds Spam	42098102...	Fake earbuds pairing
Galaxy Watch Spam	010002000...	Fake watch pairing

🔒 Other Smart Devices

Device	Manufacturer ID	Description
Lovespouse Locks	255 (0x00FF)	Smart lock flooding

4. Behavioral Detection

• Rapid Burst: 10+ advertisements per second (scanning/probing)
• Address Rotation: 5+ MAC addresses with same unknown name (spoofing)

📦 Installation

Prerequisites

• Python 3.7 or higher
• Bluetooth Low Energy capable hardware
• Platform: macOS 10.15+, Linux with BlueZ 5.43+, Windows 10+, or Termux

Install Dependencies

# Clone the repository
git clone https://github.com/anbuinfosec/flipper-ble-detector.git
cd flipper-ble-detector

# Install required packages
python3 -m pip install -r requirements.txt

Platform-Specific Setup

macOS:

• Grant Bluetooth permission: System Settings → Privacy & Security → Bluetooth

Linux:

# Add user to bluetooth group
sudo usermod -a -G bluetooth $USER

# Install notification support (optional)
sudo apt install libnotify-bin pulseaudio

Termux (Android)

⚠️ Important: Standard Termux cannot perform BLE scanning due to Android security restrictions. BLE requires system-level access that Termux doesn't have without root.

Options for Android:

1. Rooted Device + Kali NetHunter: Full BLE access with root
2. Use Desktop/Laptop: Run this tool on macOS, Linux, or Windows
3. nRF Connect App: View BLE advertisements (limited analysis)

If you have root access (Kali NetHunter):

# Install Python and required packages
pkg install python

# Install Termux API for notifications
pkg install termux-api

# Install the detector
pip install bleak

# Note: Requires root and proper BlueZ setup

Why Termux Doesn't Work:

• Android restricts BLE access to system apps
• Termux runs as a regular app (no system permissions)
• BlueZ requires D-Bus system bus (not available in Termux)
• Root + Kali NetHunter provides the necessary access

---

🚀 Usage

Default: Continuous Monitoring

# Runs until you press Ctrl-C
python3 detect.py

Timed Scan (Auto-Exit)

# Scan for 30 seconds then exit
python3 detect.py --scan-seconds 30

With Notifications & Sound (All Platforms)

python3 detect.py --notify --sound

Timed Scan with Alerts

python3 detect.py --scan-seconds 60 --notify --sound

Log to File

python3 detect.py --log detections.log

Honeypot Mode

python3 detect.py --honeypot

All Options Combined

python3 detect.py --scan-seconds 60 --notify --sound --honeypot --log detections.log

Command-Line Options

Option	Description
--scan-seconds N, -s N	Scan for N seconds then exit (default: continuous until Ctrl-C)
--log FILE, -l FILE	Append detections to log file
--notify	Show desktop notifications (works on macOS, Linux, Windows, Termux)
--sound	Play alert sound on detection (cross-platform)
--honeypot	Enable honeypot simulation (logs only)
--monitor, -m	(Legacy) Continuous monitoring (default behavior now)

📸 Example Output

╔══════════════════════════════════════════════════════════════╗
║                                                              ║
║  ███████╗██╗     ██╗██████╗ ██████╗ ███████╗██████╗         ║
║  ██╔════╝██║     ██║██╔══██╗██╔══██╗██╔════╝██╔══██╗        ║
║  █████╗  ██║     ██║██████╔╝██████╔╝█████╗  ██████╔╝        ║
║  ██╔══╝  ██║     ██║██╔═══╝ ██╔═══╝ ██╔══╝  ██╔══██╗        ║
║  ██║     ███████╗██║██║     ██║     ███████╗██║  ██║        ║
║  ╚═╝     ╚══════╝╚═╝╚═╝     ╚═╝     ╚══════╝╚═╝  ╚═╝        ║
║                                                              ║
║        BLE Spam & Flipper Zero Detector v2.0                ║
║                                                              ║
║  Author: anbuinfosec                                        ║
║  GitHub: github.com/anbuinfosec                             ║
║  License: MIT                                               ║
║                                                              ║
╚══════════════════════════════════════════════════════════════╝

[*] Starting BLE spam & Flipper Zero detector...
[*] Supported BLE spam attacks:

    🍎 Apple Devices (iOS/macOS):
        • Continuity Action Modal - Popup spam
        • Fake AirTag - 'AirTag Found Moving With You'
        • iOS 17 Crash - Device DoS exploit
        • 'Setup New Device' - Fake setup prompts
        • 'Not Your Device' - Ownership confusion
        • Fake Apple TV/Watch - Pairing spam

    🤖 Google/Android Devices:
        • Fast Pair spam - Fake device pairing popups
        • Nearby Share spam - Connection flooding

    🪟 Microsoft/Windows Devices:
        • Swift Pair spam - Fake Windows device setup

    📱 Samsung Galaxy Devices:
        • Galaxy Buds spam - Fake earbuds pairing
        • Galaxy Watch spam - Fake watch pairing

    🔒 Other Devices:
        • Lovespouse smart locks - Device flooding

    🚨 Flipper Zero Detection:
        • White/Black/Transparent models (UUID fingerprinting)
        • BadUSB/HID keyboard attacks

[*] Press Ctrl-C to stop

🚨 [!!!] FLIPPER ZERO DETECTED !!!
    Name: Flipper White
    MAC: AA:BB:CC:DD:EE:FF
    UUIDs: 00003082-0000-1000-8000-00805f9b34fb
    RSSI: -45 dBm
    [1] Attack: Flipper Zero detected by service UUID

[!] New Attack detected from: iPhone (11:22:33:44:55:66)
    [1] Attack: Apple Continuity Action Modal - iOS popup spam

Platform Notes

macOS

• Grant Bluetooth permission: System Settings → Privacy & Security → Bluetooth
• Enable Bluetooth in System Settings
• Notifications use osascript with sound (built-in)
• Alert sound: Glass.aiff

Linux

• May require sudo or membership in bluetooth group
• Check Bluetooth service: systemctl status bluetooth
• Notifications use notify-send (install: sudo apt install libnotify-bin)
• Sounds use paplay, aplay, or canberra-gtk-play

Termux (Android) ⚠️

IMPORTANT: Standard Termux CANNOT perform BLE scanning!

Why it doesn't work:

• Android restricts BLE access to system-level apps only
• Termux runs as a regular app (no system permissions)
• BlueZ requires D-Bus system bus (unavailable in Termux without root)
• The tool will show a clear error message if run on non-rooted Termux

Your options:

1. Run on Desktop/Laptop (Recommended)

   • Use macOS, Linux, or Windows for full functionality

2. Rooted Android + Kali NetHunter

   • Requires root access
   • Install Kali NetHunter
   • Set up BlueZ and D-Bus
   • Then Termux can access BLE

3. nRF Connect App

   • View BLE advertisements on Android
   • Limited analysis compared to this tool
   • Available on Google Play Store

If you have root + NetHunter:

# Install dependencies
pkg install python termux-api
pip install bleak

# Requires proper BlueZ/D-Bus setup in NetHunter

Windows

• Requires Windows 10/11 with BLE support
• Bleak library handles Windows BLE API
• Notifications use PowerShell toast notifications (built-in)
• Alert sound via PowerShell beep

⚙️ How It Works

This tool performs passive BLE scanning to detect malicious Bluetooth Low Energy advertisements:

1. BLE Scanning: Uses the bleak library for cross-platform BLE advertisement monitoring
2. Pattern Matching: Checks manufacturer data hex patterns against known attack signatures
3. UUID Fingerprinting: Identifies Flipper Zero by specific service UUIDs (most reliable)
4. Device Tracking: Maintains history to prevent duplicate alerts and track patterns
5. Behavioral Analysis: Detects anomalous patterns (burst scanning, MAC rotation)

What is BLE Spam?

BLE spam attacks exploit Bluetooth protocols to:

• Flood devices with fake pairing/setup notifications
• Crash applications or cause system instability (iOS 17 exploit)
• Social engineering via fake device popups ("AirTag Found", "Setup New Device")
• Privacy invasion through device tracking and fingerprinting

---

🎯 Detection Accuracy

• Flipper Zero UUID Detection: 99% reliable (if Bluetooth is enabled and advertising)
• BLE Spam Detection: Matches exact payload patterns from Bluetooth-LE-Spam tool
• False Positives: Minimized by using specific hex pattern matching instead of heuristics

Limitations

• ⚠️ BLE Only: Cannot detect Sub-GHz, infrared, or NFC if Flipper's Bluetooth is off
• ⚠️ Advertisement Required: Device must be actively advertising
• ⚠️ Range: Limited to BLE range (~10-30 meters typical)
• ⚠️ Passive Detection: This is a monitoring tool, not an active defense system

Security Notes

• Defensive Only: This tool is for monitoring and research purposes
• No Offensive Capabilities: Does not perform attacks, jamming, or active interference
• Honeypot Mode: Simulates honeypot in logs only, no radio transmission
• Privacy: Logs MAC addresses; use --log option responsibly

Troubleshooting

"Bluetooth is turned off"

# macOS: Enable in System Settings → Bluetooth
# Linux: sudo systemctl start bluetooth

No devices detected

1. Check Bluetooth permission (macOS: System Settings → Privacy & Security → Bluetooth)
2. Ensure target device is advertising (Flipper: Bluetooth → turn on)
3. Increase scan time: --scan-seconds 60

False positives

• Current version uses strict pattern matching to minimize false positives
• Legitimate devices won't trigger unless they match exact attack signatures

Credits

Detection patterns based on:

• Bluetooth-LE-Spam by Simon Dankelmann
• Wall of Flippers Flipper Zero UUID database

Requirements

• Python 3.7+
• bleak library (BLE scanner)
• Bluetooth Low Energy capable hardware
• macOS 10.15+, Linux with BlueZ 5.43+, or Windows 10+

License

Educational and research purposes only. Use responsibly and only on networks/devices you own or have permission to monitor.

Contributing

Found a new attack pattern? Submit an issue or pull request with:

• Attack description
• Manufacturer ID or service UUID
• Example hex payload
• Target platform (iOS/Android/Windows)

---

Disclaimer: This tool is for defensive security research and monitoring. The author is not responsible for misuse. Always obtain proper authorization before monitoring networks or devices.