cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion

Flipper Zero

Hi All

 

Something is happening on TikTok and it is going viral, be aware and ensure you understand its capabilities:

 

https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/what-is-flipper-zero-tiktok/amp

 

"The $200 device is called Flipper Zero, and it’s a portable pen-testing tool designed for hackers of all levels of technical expertise. The tool is smaller than a phone, easily concealable, and is stuffed with a range of radios and sensors that allow you to intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and virtually any other device that communicates wirelessly in short ranges. For example, in just seconds, I used the Flipper Zero to seamlessly clone the signal of an office RFID badge tucked safely inside my wallet."

 

Remember the "Lost in Space" Series - Danger Danger Will Robinson etc.

 

Regards

 

Cautim_Cautim

 

 

12 Replies
ericgeater
Community Champion

Here's a tidy little compilation:

 

https://www.youtube.com/watch?v=u1GDUapHdUw

 

It's really incredible, and alarming.

-----------
A claim is as good as its veracity.
Caute_cautim
Community Champion

@ericgeaterYes it is cool, dangerous do you want to shoot the next person who has one of these?

 

Now think how you can protect yourselves and your organisations against it?

 

Regards

 

Caute_Cautim

ericgeater
Community Champion

The most alarming thing I can think of is door access.  I've personally seen collisions happen at card readers far too often for me to have a lot of faith in those devices, let alone this tool which can copy a card easily.

-----------
A claim is as good as its veracity.
Caute_cautim
Community Champion

Hi All

 

An update on Flipper Zero, it now has a App store for third party applications.....   Even though Amazon has banned it, it is still available.

 

https://www.bleepingcomputer.com/news/security/flipper-zero-now-has-an-app-store-to-install-third-pa...

 

Regards

 

Caute_Cautim

denbesten
Community Champion

I find it increasingly difficult to blame the bad actor when simple replay attacks succeed.   Replay is a well-known attack vector (ca 1717) with established and long-available defenses (Asymmetric encryption/signatures (ca 1976), salting (c.a. 1973)), 2-way confirmation, etc.).

 

Caute_cautim
Community Champion

@denbestenOn access systems and doors?

 

Regards

 

Caute_Cautim

denbesten
Community Champion

On any communications channel.

 

About the time my phone got a NFC reader, I was looking at my door badge and learned that when in a "wireless charging" field, it simply starts transmitting a non-changing string one-way. Not much different than the magnetic stripe on a credit card.

 

The credit card companies have addressed this risk with tap-to-pay.  As I understand it, they effectively do a DH key exchange, then allow the terminal to use the session key after your badge has left the field.

 

Somewhat wryly, I have occasionally realized I could improve my door security by making my employees tap-to-pay $0.01 to enter the building.  Then, PCI and EMV controls would protect my door, but I would owe everyone a $3.65/yr raise.

Caute_cautim
Community Champion

@denbesten   The price of protection and peace of mind is priceless 🙂

 

Regards

 

Caute_Cautim

ericgeater
Community Champion

@denbesten are there transaction fees on a penny?!  Inquiring minds want to know!!

-----------
A claim is as good as its veracity.