ECTO-1A / AppleJuice

Apple BLE proximity pairing message spoofing
Apache License 2.0

Incompatibility with iOS versions below 16 #21

Closed ExME168 closed 1 year ago

ExME168 commented 1 year ago

I've tested both the Linux version (through a Kali VM and a BLE 5.3 adapter) and the ESP32 implementation (with a NodeMCU ESP32) on two iPhones: an iPhone X and an iPhone 4S running iOS 14 and 10 respectively. Neither of them works. It seems that this only works on iOS 16 because this attack is dependent on the popup notification in the photos, which seems to only be available on iOS 16.

ExME168 commented 1 year ago

I borrowed 2nd generation AirPods and retested the ESP32 version on the iPhone X running iOS 14. It turns out the popup thing does show up in iOS versions before iOS 16. My popup notification told me that it detected AirPods that weren't mine, so it shows that the spoofing did work. However, this does not happen constantly. I ran the ESP32 code more than 20 times and only two of those attempts brought up the pop-up notification.

ckcr4lyf commented 1 year ago

Were you trying it with the same device all the time? Or looping through devices?

ExME168 commented 1 year ago

By device, do you mean the device data in AppleJuice's code (i.e., AirPods)? If so, I've just been using the AirPods and AirPods Gen 2 data in most of my tests. Sometimes I use the data of the Beats headphones but that doesn't work either.

ckcr4lyf commented 1 year ago

Sorry yeah, I meant the device you're advertising as. I tried it on a Linux laptop with AirPods, and it is a bit hit and miss, definitely not a rapid-fire DoS kinda thing.

I am going to try cycling between 5 devices, changing it every 5 seconds, and see if that helps.

I have a ton of ESP32s at home (well, like 4-5) so I will try running it in parallel on all of them as well and see if it makes a difference. Will post my results here.

ExME168 commented 1 year ago

Good luck with that. Btw I modified the ESP32 code to include the ability to choose advertisement types: https://github.com/ECTO-1A/AppleJuice/pull/25. I've discovered that the AirPods Gen 2 advertise ADV_SCAN_IND type packets when the case lid is opened but then advertise ADV_NONCONN_IND type packets when the rear case button is held down (I think this is the pairing mode). The default ESP32 code only advertises ADV_IND type packets. Switching packet types may increase the possibility of the popup notification appearing.
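As an added example for the advertisement-type discussion above (not code from the AppleJuice repository): a small parser that classifies BLE advertising PDUs by link-layer type, recognises Apple proximity-pairing manufacturer data, and counts such PDUs per advertiser address and PDU type, which is what a defender monitoring the air for spoofed pairing popups would log. It assumes Apple's company identifier is 0x004C and that proximity-pairing messages carry type byte 0x07 after it; the sample PDUs are constructed, not captured.

```python
from collections import Counter

# Link-layer PDU types (low nibble of the first header byte).
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x4: "SCAN_RSP", 0x6: "ADV_SCAN_IND"}
APPLE_COMPANY_ID = 0x004C   # assumption: Apple's Bluetooth SIG company identifier
PROXIMITY_PAIRING = 0x07    # assumption: Continuity message type for proximity pairing
def parse_ad_structures(data: bytes):
    """Yield (ad_type, payload) from length-prefixed AD structures in AdvData."""
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break                          # zero padding or a truncated structure
        yield data[i + 1], data[i + 2:i + 1 + length]
        i += 1 + length
def parse_adv_pdu(pdu: bytes) -> dict:
    """Split an advertising PDU into PDU type, advertiser address and AD structures."""
    body = pdu[2:2 + pdu[1]]               # second header byte is the payload length
    adv_a = ":".join(f"{b:02x}" for b in reversed(body[:6]))  # AdvA is little-endian
    return {"type": PDU_TYPES.get(pdu[0] & 0x0F, "OTHER"), "adv_a": adv_a,
            "ads": list(parse_ad_structures(body[6:]))}
def is_apple_proximity_pairing(pdu: bytes) -> bool:
    """True if a manufacturer-specific AD carries Apple's ID and message type 0x07."""
    for ad_type, payload in parse_adv_pdu(pdu)["ads"]:
        if ad_type == 0xFF and len(payload) >= 3 and \
                int.from_bytes(payload[:2], "little") == APPLE_COMPANY_ID:
            return payload[2] == PROXIMITY_PAIRING
    return False
def pairing_pdus_by_address(pdus) -> dict:
    """Count proximity-pairing PDUs per (advertiser address, PDU type). One address
    cycling through several PDU types is the on-air signature of a spoofer."""
    counts = Counter()
    for pdu in pdus:
        if is_apple_proximity_pairing(pdu):
            p = parse_adv_pdu(pdu)
            counts[(p["adv_a"], p["type"])] += 1
    return dict(counts)
# Constructed sample PDUs (not captures): one random address (TxAdd=1) sending an
# abbreviated pairing payload as three PDU types, plus a benign Flags + name advert.
_ADDR = bytes.fromhex("ffeeddccbbaa")                  # aa:bb:cc:dd:ee:ff on the wire
_PAIRING_AD = bytes([0x07, 0xFF, 0x4C, 0x00, 0x07, 0x19, 0x07, 0x02])
SAMPLE_PDUS = [
    bytes([0x40, 14]) + _ADDR + _PAIRING_AD,           # ADV_IND
    bytes([0x46, 14]) + _ADDR + _PAIRING_AD,           # ADV_SCAN_IND
    bytes([0x42, 14]) + _ADDR + _PAIRING_AD,           # ADV_NONCONN_IND
    bytes([0x40, 14]) + _ADDR + bytes([0x02, 0x01, 0x06, 0x04, 0x09]) + b"Dev",
]
```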

IscarioteSXIII commented 1 year ago

I'm not an iPhone user, so I was only able to borrow an iPhone 5S, and despite many tries, I wasn't able to exploit it successfully. I'm gonna try with another device soon.

Many thanks for your great work!!

ECTO-1A commented 1 year ago

This has been tested with iOS 14.2-17.0 and confirmed working. Some issues have been found if the device is set for certain languages.