topic Re: Flipper Zero in Threats

Flipper Zero

Caute_cautim — Mon, 09 Oct 2023 10:24:37 GMT

Hi All

Something is happening on TikTok and it is going viral, be aware and ensure you understand its capabilities:

https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/what-is-flipper-zero-tiktok/amp

"The $200 device is called Flipper Zero, and it’s a portable pen-testing tool designed for hackers of all levels of technical expertise. The tool is smaller than a phone, easily concealable, and is stuffed with a range of radios and sensors that allow you to intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and virtually any other device that communicates wirelessly in short ranges. For example, in just seconds, I used the Flipper Zero to seamlessly clone the signal of an office RFID badge tucked safely inside my wallet."

Remember the "Lost in Space" Series - Danger Danger Will Robinson etc.

Regards

Cautim_Cautim

Re: Flipper Zero

ericgeater — Mon, 26 Dec 2022 14:19:14 GMT

Here's a tidy little compilation:

https://www.youtube.com/watch?v=u1GDUapHdUw

It's really incredible, and alarming.

Re: Flipper Zero

Caute_cautim — Tue, 27 Dec 2022 23:40:47 GMT

@ericgeaterYes it is cool, dangerous do you want to shoot the next person who has one of these?

Now think how you can protect yourselves and your organisations against it?

Regards

Caute_Cautim

Re: Flipper Zero

ericgeater — Wed, 28 Dec 2022 00:30:39 GMT

The most alarming thing I can think of is door access. I've personally seen collisions happen at card readers far too often for me to have a lot of faith in those devices, let alone this tool which can copy a card easily.

Re: Flipper Zero

Caute_cautim — Thu, 27 Jul 2023 05:47:54 GMT

Hi All

An update on Flipper Zero, it now has a App store for third party applications..... Even though Amazon has banned it, it is still available.

https://www.bleepingcomputer.com/news/security/flipper-zero-now-has-an-app-store-to-install-third-party-apps/

Regards

Caute_Cautim

Re: Flipper Zero

denbesten — Thu, 27 Jul 2023 14:20:40 GMT

I find it increasingly difficult to blame the bad actor when simple replay attacks succeed. Replay is a well-known attack vector (ca 1717) with established and long-available defenses (Asymmetric encryption/signatures (ca 1976), salting (c.a. 1973)), 2-way confirmation, etc.).

Re: Flipper Zero

Caute_cautim — Thu, 27 Jul 2023 20:18:32 GMT

@denbestenOn access systems and doors?

Regards

Caute_Cautim

Re: Flipper Zero

denbesten — Thu, 27 Jul 2023 21:56:04 GMT

On any communications channel.

About the time my phone got a NFC reader, I was looking at my door badge and learned that when in a "wireless charging" field, it simply starts transmitting a non-changing string one-way. Not much different than the magnetic stripe on a credit card.

The credit card companies have addressed this risk with tap-to-pay. As I understand it, they effectively do a DH key exchange, then allow the terminal to use the session key after your badge has left the field.

Somewhat wryly, I have occasionally realized I could improve my door security by making my employees tap-to-pay $0.01 to enter the building. Then, PCI and EMV controls would protect my door, but I would owe everyone a $3.65/yr raise.

Re: Flipper Zero

Caute_cautim — Fri, 28 Jul 2023 02:25:13 GMT

@denbesten The price of protection and peace of mind is priceless 🙂

Regards

Caute_Cautim

Re: Flipper Zero

ericgeater — Fri, 28 Jul 2023 13:11:11 GMT

@denbesten are there transaction fees on a penny?! Inquiring minds want to know!!

Re: Flipper Zero

denbesten — Fri, 28 Jul 2023 14:22:35 GMT

@ericgeater wrote:
@denbesten are there transaction fees on a penny?! Inquiring minds want to know!!

I do not have factual knowledge, but I do suspect it would be something "small", like $0.30 plus 3%. :-).

Re: Flipper Zero

ericgeater — Mon, 31 Jul 2023 12:56:32 GMT

So that's roughly going to be $0.32 every time someone badges in.

BOOP in the morning... *cha-ching*
BOOP returning from lunch... *cha-ching*
Dentist appointment at two? *cha-ching*

Restroom breaks? *cha-ching* and *cha-ching*

Left my umbrella in the office on a rainy afternoon? *cha-ching*

The Payment Card Industry really put themselves in the correct place.

Re: Flipper Zero

denbesten — Mon, 31 Jul 2023 17:29:02 GMT

Yep.

At some point, there will be a major vulnerability; management will ask for a solution. That's when I will pull out the "PCI got it right" card and let them work through the exact same realization that Eric did --- security costs money and outsourcers don't work for free.

Do I honestly believe leveraging PCI this way is the right solution? No. Do I believe we ought to be leveraging their pocket-to-terminal data protection expertise in other areas? Yes.