Gamified Hacking and the Flipper Zero

The world of technical security is deep and wide, and though we may tend to think of our Wi-Fi or our websites, we may fail to consider things like our garage door openers and RFID badges. Well, innocent-looking Tamagotchi look-alikes are here to take advantage of exactly that failure to consider what can be our most open vulnerabilities.

The Flipper Zero is marketed as an educational tool, and in all fairness it’s a very good educational tool, but it’s easily used by malicious actors as a hacking tool that can pull off complex attacks to compromise your environment. It’s a (forgive the jargon) sub-1GHz radio analyzer and emulator, and that opens you up to A LOT of potential vulnerabilities.

Let’s just look at some of the Flipper’s features, and how you can defend yourself from them, one by one.

Sub-1GHz Transceiver

The Flipper Zero comes with a sub-1GHz transceiver which can emulate certain keyless access systems with its 433MHz antenna and CC1101 chip. Many devices, such as garage door openers, old car keyfobs, some gate openers and IoT devices, can be vulnerable to these features. Essentially, the Flipper uses its built-in antenna to catch a transmission, and then uses that same antenna to emulate that transmission so it can act as the real remote device.

Many people could be concerned about this, especially since an attacker wouldn’t need to be near you at all to pick up your garage door code and then use it. It could be some kid sitting on the sidewalk in your neighborhood just scanning; when he sees you come home and open your door, he grabs the code and breaks in while you’re away, and it’s phenomenally easy.

The defense can be multifold: you could use a higher-frequency or Wi-Fi-attached device instead of a sub-1GHz device, or you could use a sub-1GHz device that utilizes rolling codes for security. If your garage door opener is controlled over Wi-Fi or the network via an app, an attacker would at least have to have access to your Wi-Fi in order to manipulate your garage door. That’s harder, at least. Or if your garage door transceiver utilizes rolling codes or multi-frequency transmissions for security, then one simple bit of data captured from the original garage door opener wouldn’t do the trick - the attacker would have to gain multiple codes on multiple frequencies and send them all in order. Again, not impossible, but much harder.
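To make the rolling-code point concrete, here is a small simulation added for this article. It is not Flipper Zero code and not any opener vendor’s real protocol; both receivers are simplified models (an assumption of the example): the fixed-code receiver accepts any frame carrying its programmed code, while the rolling-code receiver derives a one-time code from a shared secret and a press counter (HMAC-SHA256 stands in for whatever cipher a real product uses) and only accepts counters that move forward within a small resync window. The codes and secret are constructed values.

```python
"""Fixed code vs rolling code: why a replayed sub-1GHz capture opens one
door but not the other. Added illustration; simplified models, not a
real product's protocol."""
import hashlib
import hmac


def rolling_code(secret: bytes, counter: int) -> str:
    """One-time code for a given press counter (simplified derivation, assumption)."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:16]


class FixedCodeReceiver:
    """Legacy design: the same code opens the door every time."""

    def __init__(self, code: int):
        self.code = code

    def receive(self, frame: dict) -> bool:
        return frame.get("code") == self.code


class RollingCodeReceiver:
    """Accepts a frame only if its counter is ahead of the last accepted one
    (but not beyond the resync window) and its code matches the derivation."""

    def __init__(self, secret: bytes, window: int = 16):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def receive(self, frame: dict) -> bool:
        counter = frame.get("counter", -1)
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False  # replayed, stale, or too far ahead of the receiver
        if not hmac.compare_digest(frame.get("code", ""), rolling_code(self.secret, counter)):
            return False  # counter plausible but code not derived from the shared secret
        self.last_counter = counter
        return True


class RollingCodeRemote:
    """Remote that advances its counter on every press."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> dict:
        frame = {"counter": self.counter, "code": rolling_code(self.secret, self.counter)}
        self.counter += 1
        return frame


def replay_scenario() -> dict:
    """Capture one legitimate frame of each kind and feed it back to the receiver."""
    fixed_rx = FixedCodeReceiver(code=0x2B7E15)            # constructed code
    captured_fixed = {"code": 0x2B7E15}                     # what a scanner would see
    fixed_first = fixed_rx.receive(captured_fixed)          # owner's press
    fixed_replay = fixed_rx.receive(captured_fixed)         # same frame again

    secret = b"constructed-shared-secret"                   # paired at install time
    rolling_rx = RollingCodeReceiver(secret)
    remote = RollingCodeRemote(secret)
    captured_rolling = remote.press()
    rolling_first = rolling_rx.receive(captured_rolling)    # owner's press
    rolling_replay = rolling_rx.receive(captured_rolling)   # same frame again
    rolling_next = rolling_rx.receive(remote.press())       # owner's next press still works

    return {
        "fixed_first": fixed_first, "fixed_replay": fixed_replay,
        "rolling_first": rolling_first, "rolling_replay": rolling_replay,
        "rolling_next": rolling_next,
    }


if __name__ == "__main__":
    for name, accepted in replay_scenario().items():
        print(f"{name:15s} -> {'door opens' if accepted else 'rejected'}")
```

The resync window is the usual trade-off: it lets the remote get a few presses ahead of the receiver (pressed in the car park, out of range) without locking the owner out, while still rejecting anything at or below the last counter the receiver has seen.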

125kHz RFID / 13.56MHz NFC

RFID and NFC aren’t that different - they’re really similar protocols, and the main difference between the two is frequency. NFC is a very high frequency, and RFID is a very low frequency. The reason NFC (near-field communication) is called that is that when your frequencies get that fast, you can transmit a lot of data, sure, but that data won’t travel very far. It has to be nearby. RFID however, with its 125kHz band, can be read through walls, under skin, nearly 50 feet away.

If you’re using RFID EM-4100 or HID proximity cards, I have bad news for you: your keys are weak. An attacker need only stand next to you to scan your access key, get your codes, and emulate them for entry. In many cases, the codes stored on your proximity card are generalized and can be easily guessed. In that circumstance, the attacker doesn’t even need to be around you to emulate your keys. You need to improve.

NFC would be a massive improvement, but it’s still vulnerable. First, access codes are longer, encrypted in some cases, and very hard to guess, so an attacker usually will have to actually have the card in their hand to get the codes. Second, it really does need to be in their hands, since they must be very close to the device to harvest its codes. If you want to improve from there, you still can, with encrypted high-frequency NFC or DESFire protocol cards. They use full AES-256 bit encryption, so that an attacker would have to either break AES (almost impossible) or catch the code in an unencrypted state before or after a read in order to emulate the key.
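The difference between a card that just announces a code and a card that proves it holds a key is easier to see in code. The model below is added for this article and is not the DESFire protocol (DESFire uses AES-based mutual authentication) and not Flipper Zero code; as an assumption of the example, the reader sends a fresh random challenge, the card answers with an HMAC-SHA256 over its UID and the challenge under a per-card key that never leaves the card, and the reader checks the answer against the key it enrolled for that UID. The UID and key are constructed values.

```python
"""Challenge-response credentials: an eavesdropped exchange cannot be replayed,
and a card with the right UID but no key is rejected. Added illustration with a
simplified HMAC model, not the DESFire protocol."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def card_response(key: bytes, uid: bytes, challenge: bytes) -> bytes:
    """Keyed answer to a challenge (simplified stand-in for the real cipher)."""
    return hmac.new(key, uid + challenge, hashlib.sha256).digest()


class Card:
    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key  # stored only inside the card, never transmitted

    def respond(self, challenge: bytes) -> bytes:
        return card_response(self._key, self.uid, challenge)


class Reader:
    """Holds the enrolled (uid -> key) table, as a door controller would."""

    def __init__(self, enrolled: dict[bytes, bytes]):
        self.enrolled = enrolled

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh per tap, never reused

    def verify(self, uid: bytes, challenge: bytes, response: bytes) -> bool:
        key = self.enrolled.get(uid)
        if key is None:
            return False  # unknown card
        return hmac.compare_digest(card_response(key, uid, challenge), response)


def tap(reader: Reader, card: Card, challenge: bytes | None = None) -> tuple[bool, dict]:
    """One authentication exchange; returns the verdict and the over-the-air transcript."""
    challenge = reader.new_challenge() if challenge is None else challenge
    response = card.respond(challenge)
    ok = reader.verify(card.uid, challenge, response)
    return ok, {"uid": card.uid, "challenge": challenge, "response": response}


def eavesdrop_scenario() -> dict:
    """Record one legitimate tap, then try to reuse what was audible over the air."""
    uid = b"\x04\xa1\xb2\xc3\xd4\xe5\xf6"             # constructed 7-byte UID
    key = b"constructed-per-card-key-provisioned!"   # constructed, set at enrolment
    reader = Reader({uid: key})
    genuine = Card(uid, key)

    legit_ok, transcript = tap(reader, genuine)     # uid, challenge and response all audible

    # Replay: the recorded response presented against the reader's next challenge.
    replay_ok = reader.verify(transcript["uid"], reader.new_challenge(), transcript["response"])

    # Right UID, wrong key: the reader's check on the keyed answer fails.
    wrong_key_card = Card(uid, b"not-the-enrolled-key")
    wrong_key_ok, _ = tap(reader, wrong_key_card)

    return {"legit": legit_ok, "replay": replay_ok, "wrong_key": wrong_key_ok}


if __name__ == "__main__":
    for name, accepted in eavesdrop_scenario().items():
        print(f"{name:10s} -> {'access granted' if accepted else 'rejected'}")
```

Because every tap gets a new challenge, nothing recorded from the air is valid a second time; the only things that open the door are the key itself or, as the article notes, a code caught in the clear outside the protected exchange.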

Infrared Transceiver

Many simple devices use infrared for control, and the majority of them are very innocent: TVs, fans, etc. However, there are some malicious things that can be done. Blink security cameras are vulnerable to infrared blasts that confuse the device and cause errors. So for the most part, infrared isn’t really something to worry about, but check your devices for infrared receivers, and if a particular device causes you some concern, it’s likely best to avoid it and go with a solution without infrared.

iButton

iButton is used regularly for apartment gate entry and some business parks. It’s a very old technology and has no encryption at all. It utilizes a simple diode placed on a button; electrical signals are sent through that button to communicate a code as data, which authenticates someone for access.

If you use iButton for your gates or doors, stop. It’s time to upgrade.

BadUSB

BadUSB is the sneakiest thing the Flipper has in its pocket, and it’s very dangerous. In short, if you see a Flipper lying around, or any USB device for that matter, don’t plug it into your computer without testing it. BadUSB allows the Flipper (among other hacky tools) to be recognized by a system as an HID device like a keyboard or mouse, and thus it is given explicit trust. Then scripts can have your computer do anything a keyboard or mouse can do: copy and share files, send emails, mount a drive and exfiltrate data, change passwords, install malware, or just brick your computer by deleting key operating system files. BadUSB is BAD.

Really, behavior is the only way to protect yourself from this. As I said earlier, if you see a cable or device, never plug it into your machine without validating its integrity. One easy way to do that with cables is with a malicious cable tester, which will simply tell you if there’s logic happening on a device you plug into it. If it’s a normal cable, it should have no logic. So if it has logic, you should break it apart and throw it away.
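Behavior is the first line, but since BadUSB works by being trusted as a keyboard, a host can at least notice when something it has never seen enumerates as one. The script below is added for this article; it is not Flipper Zero code or any product’s detection rule. It assumes Linux kernel (dmesg-style) log lines, and the sample lines, the vendor/product IDs and the approved list are all constructed for the example rather than captured from a real machine.

```python
"""Flag a newly attached USB device that enumerates as a keyboard but is not on
the site's approved list. Added illustration over constructed log lines."""
from __future__ import annotations

import re

# Constructed sample log; the VID:PID values are placeholders, not real vendors.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
usb 1-1: Product: Office Keyboard
hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-1/input0
usb 1-2: New USB device found, idVendor=2222, idProduct=00ab, bcdDevice= 1.00
usb 1-2: Product: Unknown Gadget
hid-generic 0003:2222:00AB.0002: input,hidraw1: USB HID v1.11 Keyboard [Unknown Gadget] on usb-0000:00:14.0-2/input0
usb 1-3: New USB device found, idVendor=3333, idProduct=5555, bcdDevice= 1.00
usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Keyboards the site has enrolled (constructed). Anything else that presents
# itself as a keyboard deserves a look, because that trust is what BadUSB relies on.
APPROVED_KEYBOARDS = {"1111:0001"}

# The hid-generic line the kernel logs when it binds a USB keyboard interface.
KEYBOARD_RE = re.compile(
    r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: .*?USB HID v[\d.]+ Keyboard \[(.*?)\]"
)
PORT_RE = re.compile(r"on (usb-\S+)")


def unapproved_keyboards(log_text: str, approved: set[str] = APPROVED_KEYBOARDS) -> list[dict]:
    """Return one alert per keyboard-class HID device whose VID:PID is not approved."""
    alerts = []
    for line in log_text.splitlines():
        m = KEYBOARD_RE.search(line)
        if not m:
            continue  # not a keyboard binding (storage, hubs, serial ports are ignored here)
        ident = f"{m.group(1)}:{m.group(2)}".lower()
        if ident in approved:
            continue
        port = PORT_RE.search(line)
        alerts.append({"vid_pid": ident, "name": m.group(3), "port": port.group(1) if port else None})
    return alerts


if __name__ == "__main__":
    for alert in unapproved_keyboards(SAMPLE_LOG):
        print(f"unapproved keyboard {alert['vid_pid']} ({alert['name']}) on {alert['port']}")
```

Run against a live system this would read the kernel log instead of `SAMPLE_LOG`; the allowlist is deliberately by VID:PID rather than product name, since the name is just a string the device supplies about itself.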

Conclusions

Hire a security guy. The technical world is deep and wide, and none of us can know every little thing about it. However, if you’re concerned about your safety in a world full of kids who grew up on computers, I can say you’re thinking reasonably, and there’s always something you can do to be more ready when attackers come. And if you’d like to be consulted on any of this, reach out. We’ve helped people navigate these issues before, and we’re ready to provide solutions.
