Flipper Zero

Caute_cautim · ‎12-24-2022

Hi All

Something is happening on TikTok and it is going viral, be aware and ensure you understand its capabilities:

https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/what-is-flipper-zero-tiktok/amp

"The $200 device is called Flipper Zero, and it’s a portable pen-testing tool designed for hackers of all levels of technical expertise. The tool is smaller than a phone, easily concealable, and is stuffed with a range of radios and sensors that allow you to intercept and replay signals from keyless entry systems, Internet of Things sensors, garage doors, NFC cards, and virtually any other device that communicates wirelessly in short ranges. For example, in just seconds, I used the Flipper Zero to seamlessly clone the signal of an office RFID badge tucked safely inside my wallet."

Remember the "Lost in Space" Series - Danger Danger Will Robinson etc.

Regards

Cautim_Cautim

ericgeater · ‎12-26-2022

Here's a tidy little compilation:

https://www.youtube.com/watch?v=u1GDUapHdUw

It's really incredible, and alarming.

-----------
A claim is as good as its veracity.

Caute_cautim · ‎12-27-2022

@ericgeaterYes it is cool, dangerous do you want to shoot the next person who has one of these?

Now think how you can protect yourselves and your organisations against it?

Regards

Caute_Cautim

ericgeater · ‎12-27-2022

The most alarming thing I can think of is door access. I've personally seen collisions happen at card readers far too often for me to have a lot of faith in those devices, let alone this tool which can copy a card easily.

-----------
A claim is as good as its veracity.

Caute_cautim · ‎07-27-2023

Hi All

An update on Flipper Zero, it now has a App store for third party applications..... Even though Amazon has banned it, it is still available.

https://www.bleepingcomputer.com/news/security/flipper-zero-now-has-an-app-store-to-install-third-pa...

Regards

Caute_Cautim

denbesten · ‎07-27-2023

I find it increasingly difficult to blame the bad actor when simple replay attacks succeed. Replay is a well-known attack vector (ca 1717) with established and long-available defenses (Asymmetric encryption/signatures (ca 1976), salting (c.a. 1973)), 2-way confirmation, etc.).

Caute_cautim · ‎07-27-2023

@denbestenOn access systems and doors?

Regards

Caute_Cautim

denbesten · ‎07-27-2023

On any communications channel.

About the time my phone got a NFC reader, I was looking at my door badge and learned that when in a "wireless charging" field, it simply starts transmitting a non-changing string one-way. Not much different than the magnetic stripe on a credit card.

The credit card companies have addressed this risk with tap-to-pay. As I understand it, they effectively do a DH key exchange, then allow the terminal to use the session key after your badge has left the field.

Somewhat wryly, I have occasionally realized I could improve my door security by making my employees tap-to-pay $0.01 to enter the building. Then, PCI and EMV controls would protect my door, but I would owe everyone a $3.65/yr raise.

Caute_cautim · ‎07-27-2023

@denbesten The price of protection and peace of mind is priceless 🙂

Regards

Caute_Cautim

ericgeater · ‎07-28-2023

@denbesten are there transaction fees on a penny?! Inquiring minds want to know!!

-----------
A claim is as good as its veracity.