Bluetooth Attacks

Biscuit supports several BLE-based attack modes that target different platforms and device ecosystems. These tools are intended for authorized security testing only. Always ensure you have proper permission before running any attack.

To launch an attack: open the app, navigate to Bluetooth > Attacks, and select the attack type.


Sour Apple

BLE notification spam targeting Apple iOS devices. Alternates between two popup styles: action dialogs (phone migration, Apple TV setup, transfer number, Wi-Fi password, AirDrop, etc.) and device popups (AirPods, Beats headphones). Both appear on nearby iPhones and iPads automatically — no separate attack needed.

How to Use

  1. Navigate to Bluetooth > Attacks > Sour Apple.
  2. Tap Start to begin broadcasting spoofed pairing requests.
  3. Tap Stop when done.

No configuration is needed – the attack runs automatically once started.

Real-Time Stats

  • Packets – Total spoofed pairing packets transmitted
  • Rate – Approximate packets per second being broadcast

Notes

  • Affected devices: iPhones and iPads running iOS.
  • Victims will see a rapid stream of popup dialogs asking them to pair with nearby accessories, making their device difficult to use until the attack stops or they move out of range.
  • Range depends on BLE signal strength – typically effective within 10-15 meters.

Swiftpair Spam

Targets Windows 10 and Windows 11 computers by exploiting the Microsoft Swift Pair feature. Swift Pair is designed to simplify Bluetooth device pairing by showing automatic notifications when new peripherals are detected. This attack floods the area with spoofed Swift Pair advertisements, triggering a barrage of pairing notification popups on nearby Windows machines.

How to Use

  1. Navigate to Bluetooth > Attacks > Swiftpair.
  2. Tap Start to begin broadcasting.
  3. Tap Stop when done.

Real-Time Stats

  • Packets – Total spoofed Swift Pair packets transmitted
  • Rate – Approximate packets per second being broadcast

Notes

  • Affected devices: Windows 10 and Windows 11 PCs with Swift Pair enabled (enabled by default).
  • Users can disable Swift Pair in Windows Settings > Bluetooth & devices > Show notifications to connect using Swift Pair.

Samsung Spam

Notification spam targeting Samsung devices via the Samsung Quick Pair protocol. Samsung phones and tablets use Quick Pair for streamlined accessory pairing. This attack generates spoofed Quick Pair advertisements that cause repeated pairing prompts on nearby Samsung devices.

How to Use

  1. Navigate to Bluetooth > Attacks > Samsung Spam.
  2. Tap Start to begin broadcasting.
  3. Tap Stop when done.

Real-Time Stats

  • Packets – Total spoofed Quick Pair packets transmitted
  • Rate – Approximate packets per second being broadcast

Notes

  • Affected devices: Samsung phones and tablets with Quick Pair enabled.

Google Fast Pair Spam

Targets Android devices using the Google Fast Pair protocol. Fast Pair is Google’s system for simplified Bluetooth accessory pairing across the Android ecosystem. This attack floods the area with spoofed Fast Pair advertisements, triggering persistent pairing notifications on nearby Android devices.

How to Use

  1. Navigate to Bluetooth > Attacks > Google Fast Pair.
  2. Tap Start to begin broadcasting.
  3. Tap Stop when done.

Real-Time Stats

  • Packets – Total spoofed Fast Pair packets transmitted
  • Rate – Approximate packets per second being broadcast

Notes

  • Affected devices: Android phones and tablets with Google Play Services.
  • Fast Pair notifications appear as half-sheet dialogs at the bottom of the screen, which can be persistent and disruptive.

Flipper Spam

Spoofs Flipper Zero BLE advertisements. This broadcasts fake Flipper Zero BLE signals that can cause interference with nearby Flipper devices and trigger detection on Flipper-aware security tools.

How to Use

  1. Navigate to Bluetooth > Attacks > Flipper Spam.
  2. Tap Start to begin broadcasting.
  3. Tap Stop when done.

Real-Time Stats

  • Packets – Total spoofed Flipper packets transmitted
  • Rate – Approximate packets per second being broadcast

Apple Device Popup

Triggers “Your [device] is nearby” pairing prompts on iPhones for specific Beats and AirPods models. Instead of generic action dialogs, victims see a named device popup — for example “AirPods Pro” or “Beats Studio Buds” — with a Connect button.

How to Use

  1. Navigate to Bluetooth > Attacks > Apple Device Popup.
  2. Tap Start to begin broadcasting.
  3. Tap Stop when done.

Real-Time Stats

  • Packets – Total spoofed device-pairing packets transmitted
  • Rate – Approximate packets per second being broadcast

Notes

  • Affected devices: iPhones and iPads running iOS with Bluetooth enabled.
  • Each popup names a specific Apple audio accessory (AirPods, Beats headphones, etc.).

BLE Spam All

Runs all six spam types simultaneously — Sour Apple, Apple Device Popups, Swiftpair, Samsung, Google Fast Pair, and Flipper — for maximum coverage across all platforms. This is the broadest attack mode, targeting iOS, Android, Windows, Samsung, and Flipper devices at the same time.

How to Use

  1. Navigate to Bluetooth > Attacks > BLE Spam All.
  2. Tap Start to begin broadcasting all spam types.
  3. Tap Stop when done.

Real-Time Stats

  • Packets – Combined total across all spam types
  • Rate – Approximate combined packets per second

Tips

  • Use this when you want to demonstrate the breadth of BLE notification spam during a security assessment.
  • This mode cycles through all six attack types rapidly, so every platform in range is affected.

AirTag Spoof

Impersonate a specific Apple AirTag. This attack uses a previously captured AirTag’s advertisement data to make your Biscuit appear as that AirTag to nearby devices and the Find My network.

How to Use

  1. First, run the AirTag Detection scanner to detect and save an AirTag.
  2. Navigate to Bluetooth > Attacks > AirTag Spoof.
  3. Select the target AirTag from your saved detections.
  4. Tap Start to begin broadcasting that AirTag’s advertisement data.
  5. Tap Stop when done.

Real-Time Stats

  • Packets – Total spoofed AirTag advertisement packets transmitted

Notes

  • You must have at least one saved AirTag from a previous detection scan. If no AirTags are saved, the attack cannot start.
  • The spoofed advertisements replicate the original AirTag’s public key payload, making it appear as the same device on the Find My network.

General Tips

  • Range: All BLE attacks are effective within typical Bluetooth range – roughly 10-30 meters depending on the environment and obstacles.
  • Stacking: If you want to target a specific platform, use the dedicated attack for that platform. Use BLE Spam All only when you want broad, cross-platform coverage.
  • Detection: These attacks generate a high volume of BLE advertisements that are visible to anyone monitoring the Bluetooth spectrum. They are not stealthy.
  • Stopping: All attacks stop immediately when you tap the Stop button. Affected devices return to normal once the spoofed advertisements stop.
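
The Detection tip above, seen from the monitoring side, as an added example that is not Biscuit's code: it parses captured BLE advertising payloads, labels the Apple, Swift Pair, Samsung and Fast Pair families by their public company IDs and service UUID, and flags a family when many distinct advertisements appear in one time window. It assumes observations arrive as (timestamp, source address, raw payload) tuples from whatever scanner you use; the window and threshold are assumed starting values, and the Flipper and AirTag modes are not covered.

```python
from collections import defaultdict

APPLE, MICROSOFT, SAMSUNG = 0x004C, 0x0006, 0x0075  # Bluetooth SIG company IDs
FAST_PAIR_UUID = 0xFE2C                              # Google Fast Pair service UUID

def ad_structures(payload):
    """Yield (ad_type, data) pairs; stop at a zero or overrunning length byte."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def classify(payload):
    """Name the pairing-prompt family an advertisement belongs to, or None."""
    for ad_type, data in ad_structures(payload):
        if ad_type == 0xFF and len(data) >= 3:       # Manufacturer Specific Data
            company = int.from_bytes(data[:2], "little")
            if company == APPLE and data[2] in (0x07, 0x0F):  # Proximity Pairing, Nearby Action
                return "apple"
            if company == MICROSOFT and data[2] == 0x03:      # Swift Pair beacon
                return "swift-pair"
            if company == SAMSUNG:                            # coarse: any Samsung vendor data
                return "samsung"
        elif ad_type == 0x16 and len(data) >= 2:     # Service Data, 16-bit UUID
            if int.from_bytes(data[:2], "little") == FAST_PAIR_UUID:
                return "fast-pair"
    return None

def detect_flood(observations, window=5.0, min_distinct=8):
    """Flag families showing >= min_distinct (address, payload) pairs in one window.
    window and min_distinct are assumed starting values, not measured thresholds."""
    seen = defaultdict(set)
    for ts, addr, payload in observations:
        family = classify(payload)
        if family:
            seen[(family, int(ts // window))].add((addr, bytes(payload)))
    return sorted({fam for (fam, _), pairs in seen.items() if len(pairs) >= min_distinct})

# Constructed samples: filler bytes after the identifying header, not valid pairing payloads.
FLOOD = [(0.1 * n, f"addr-{n}", bytes([5, 0xFF, 0x4C, 0x00, 0x0F, n])) for n in range(12)]
QUIET = [(0.1 * n, "addr-a", bytes([4, 0x16, 0x2C, 0xFE, 0x00])) for n in range(12)]
TRUNCATED = bytes([9, 0xFF, 0x06, 0x00, 0x03])  # length byte overruns the buffer

if __name__ == "__main__":
    print(detect_flood(FLOOD + QUIET))
```

A single accessory repeating one advertisement stays under the threshold, so the QUIET sample is not flagged; tune both parameters against a baseline capture of your own environment.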