Flipper Zero with pixelated neon lines radiating from it. Image by Flipper Devices.
Revealing the Facts
The controversy behind Apple BLE Spam
September 14th, 2023

The Lies

You might have seen the blog post that Techryptic made, or the news outlets crediting him for creating an "iPhone DDoS", or YouTube videos about the matter, or none of the former.

The point is that in all of these cases, Techryptic is portrayed (and portrays himself) as a "security researcher" who discovered a serious vulnerability in iPhones which allows just about anyone with a Flipper Zero to annoy people close by to the point of their phone being unusable. In a Twitter reply he even referred to himself as "the author" of this exploit, and said that his findings were relevant because "you can continuously spam it to the point of making all surrounding devices unusable".

All of this could not be further from the truth, and I'm going to prove and document it here.

The Facts

Techryptic played very little part in this whole situation, and most definitely does not deserve all the attention and praise he has received. The short of it is that he did not discover the vulnerability, he did not write the code for it, nor did he make it flood iPhones with popups and "DDoS" them. He made a YouTube video and a blog post claiming others' work as his own, and got recognized for it.

The actual timeline looks something more like this:

2019-2021: Research on Apple Continuity BLE

Groundwork on reverse engineering Apple's BLE protocol "Continuity" is laid by multiple parties, mentioned here are the ones pertaining to this situation:

2022-07-15: Haxorthematrix posts AirTag tools repo

Haxorthematrix, AKA Larry Pesce, posts on GitHub some tools to discover and create beacon packets for both registered (Find My) and unregistered (Proximity Pair) AirTags.

2022-11-15: Salmq posts custom adv code for Flipper

Salmq, AKA Salvador Mendoza, from Ocelot Offsec posts on GitHub the necessary gap.c code edits to use custom BLE advertisement packets on Flipper Zero, showing both registered (Find My) (on GitHub), and unregistered (Proximity Pair) (on Twitter), AirTag packets.

2022-11-24: Techryptic showcases AirTag spoof on Flipper

Techryptic takes to Twitter and YouTube to showcase the Flipper Zero fooling iPhones into showing an AirTag setup menu, just like salmq did. He did not share the code for it at this time. Given the time frame however, it would seem logical that this was based on the work posted by salmq of Ocelot Offsec a few days prior.

2023-01-15: Culturally makes Flipper Zero AirTag repo

Culturally publishes his GitHub repo with some instructions and premade files to use your own AirTag (registered, Find My packets) on Flipper, based on the tool scripts by haxorthematrix and the gap.c code by salmq.

2023-08-13: Jae Bochs spams DEFCON 31 with iOS popups

DEFCON 31 attendees notice random AppleTV and similar popups on their Apple devices, and Jae Bochs admits to being the culprit. This was with Nearby Action packets, since some of them (in particular AppleTV ones) are longer range than Proximity Pair ones (intended to be used close to the device).

2023-08-24: ECTO-1A releases AppleJuice repo

After seeing the iPhone popups at DEFCON, ECTO-1A dives into the previous research by FuriousMAC and Hexway, and makes the AppleJuice repo with renovated scripts, adding more packet types (never documented before) found by trial and error changing packet contents.

2023-09: Techryptic misleads everyone

  • 2023-09-01: Techryptic releases his blog post with the code for the videos he showed 10 months prior on 2022-11-24.
  • Unsurprisingly it is the same exact BLE adv code made by salmq, down to the structure, variable names, some comments and code formatting being identical character per character. (The rest of the gap.c file is the official Flipper Zero firmware gap.c, the relevant lines for this "exploit" were posted by salmq, in the second half of gap_advertise_start()). Keep in mind that none of the code published up until now was capable of spam/flood/DDoS, it simply emulated a single AirTag/AppleTV.
  • So for 10 months Techryptic kept someone else's public code "secret" and then re-released it as his own, with no mention of anyone else, and taking advantage of the DEFCON news. The only new thing since "his" demo on 2022-11-24 is that he added 4 more packet types, which all came from ECTO-1A's AppleJuice (proven by Techryptic's packets being identical, byte for byte, to the ones shared by ECTO-1A, including a 0xc1 which ECTO-1A used for testing and is not found on any production devices).
  • 2023-09-02: I (WillyJL) find Techryptic's Reddit post and take inspiration from that tiny bit of relevant code to make an API that apps can use and then my own basic app using it as part of Xtreme firmware (here I credited Techryptic because back then I had no idea it wasn't his work).
  • 2023-09-03: I keep researching on my own, looking at documentation by FuriousMAC and brainstorming with ECTO-1A directly. I end up understanding how the packets work, and what data can be randomized in order to make multiple popups appear. I then publish a version of the app that can spam/flood/DDoS and has 30+ new packets, with more credits for the documentation and Proximity Pairing IDs.
  • 2023-09-04: Techryptic posts a followup video and tweet saying he "collaborated with the developer of Xtreme firmware to make this into an app" (has since been cut from the video), which is false since the whole app was made by me and we now know that "his" BLE code was not made by him, and showing my app's "DDoS" functionality, with no credits or mention of me or Xtreme firmware.
  • 2023-09-05: TechCrunch writes an article about "Flipper Zero spamming nearby iPhones with popups", but since Techryptic made no real mention of me or Xtreme, he gets all the "praise". Even though he did not find this "vulnerability", nor did he make it flood devices with popups, the article portrays him as discovering all of this from start to finish on his own.
  • 2023-09-06: Over those few days I kept quiet and worked on improving the app, by now it uses a completely different BLE adv API fully written by me. I also start investigating the code used by Techryptic and come to the conclusions above: that he wrote none of it.
  • 2023-09-07: 0day, AKA Ryan Montgomery, features my app in a tweet, once again with wrong credits due to Techryptic's deception. I decide to speak up and let it be known that this is not his work (here I still credited him for the AirTag code, I later found out that wasn't his either as outlined above).
  • 2023-09-08: Techryptic, perhaps after realizing that this lie has far outgrown anything that he could hide, tries to cover his tracks. First by removing a line from his blog post that encouraged authors to fact check their work, and then renaming, deleting and replacing his gap.c code to hide the previous traces of ECTO-1A's research.
  • 2023-09-10: Mental Outlaw releases a video covering this exploit, and he too credits Techryptic because of his misleading blog post and tweets. Trying to explain the situation with proper credits in the comments, my account gets shadowbanned and my comments deleted, as well as most others that tried to explain the situation, so the remaining comments portray me as the problematic individual stealing the work, leaving me no way to explain myself and the horrible situation.

💀 The Mockery

Perhaps Techryptic foresaw my post on the horizon and hoped to cover his credibility a tiny bit by setting some things "straight" and silencing the rest. He tried his best but failed to realize that people remember, and Git even more so. He:

In summary, Techryptic took salmq's BLE PoC code, (most likely) used haxorthematrix's AirTag tools, grabbed ECTO-1A's packet data, released "his" sub-par and misrepresented Franken-code in a blog post with no credits, showed off my app's dynamic and spam/flood/DDoS behavior (which "his" code is not capable of), and got labelled as the creator of all of it, not once trying to explain how the actual facts went. And to add insult to injury, he tried to cover up his inexcusable behaviour after the fact multiple times.

⚖️ Justice?

The sad reality is that no one cares. The media is too busy to do the proper background checks on what they write articles about, and the actual developers that put real effort and talent into this don't have the time to burn on blog posts, or the building blocks they make are not worthy of an article by themselves, and rather should be used in bigger projects and rightfully credited.

All that I can hope is that this can be a cautionary tale for the few of you wonderful people reading this.