This Makes Hacking TOO Easy - Flipper Zero
By Linus Tech Tips
Summary
Topics Covered
- Flipper Zero Is Just a $10 Arduino in Disguise
- Flipper Zero Is a Wake-Up Call, Not the Villain
- Flipper Zero Exposes Logitech Receiver Security Flaw
- Kickstarter Success Story Defies All Expectations
Full Transcript
It looks like a children's toy, but it's actually one of the most versatile hacking tools to ever hit the market.
And if you've been on TikTok in the last six months, there's a good chance you've seen people using it to change gas station signs, set off department store PA systems, and open up Tesla charging ports.
It's been deemed so nefarious that even though it is legal, shipments have been seized in the US, Brazil, and Israel, which kind of makes sense because out of the box, the Flipper Zero can read and emulate NFC, RFID, infrared, and iButton devices.
And even more worrisome is its ability to read and emulate sub-gigahertz frequencies, like the ones used in car keys, garage doors, motion sensors, doorbells, and more.
Rest assured, if there's a wireless device, this thing can find a way to attack it, disrupt it, or become it, which seems concerning, right?
But does it actually pose a risk to society or is the hysteria simply a knee-jerk reaction from the uninformed?
When we're done with the Flipper Zero, you're gonna know what's true and what is hazardous clickbait misinformation.
You'll also know about our sponsor, Build Redux.
Hey, gamers, tired of choppy performance and inconsistent frame rates?
Level up your gaming experience with Build Redux.
They'll have your new PC built and shipped directly to your doorstep.
Check them out at the link in the video description.
The fact of the matter is that once you cut through the marketing and the FUD, the actual capabilities of the Flipper Zero are not only limited, but can almost entirely be replicated using an Arduino or a Raspberry Pi, along with readily available add-on boards.
Take, for example, the sub-gigahertz transceiver feature, which mischievous folks are using to change gas signs, open locks and gates, and set off customer service announcements at Walgreens.
Customer service needed in the coffee and cold department.
According to Flipper's documentation, sub-gigahertz is handled by the Texas Instruments CC1101, a chip that's been around since at least 2007 and can be purchased on Amazon, complete with antenna breakout board and free shipping, for less than $10.
So is it bad that any slack-jawed yokel can go around changing the price shown on gas station signs?
Well, probably, but let's look at the bigger picture here.
If you owned a gas station, would you rather some kid came along and pranked your sign in a totally reversible manner, or would you rather that the vulnerability was exploited by someone else, someone with the kind of skills to take that $10 Amazon purchase and turn it into a far more costly incident?
Speaking from recent personal experience, I'll take the mostly harmless reminder to harden my security eight days out of the week.
The good news is that the remedy is relatively simple.
Instead of sending the same code each time for a particular action, a rolling code system uses its key hash and a counter to cryptographically generate a new code each time an action is performed.
The receiver stores a list of upcoming codes and checks the sent code against those just in case a few were missed.
Once a code is used, it's removed from the list of valid codes and the new code is generated.
According to Anna Prosvitova, Flipper's head of sales, the Zero is specifically designed to not break these systems. Problem solved then.
Well, sort of.
There's bad news too.
While Ms. Prosvitova seems proud that Flipper's moral code is strict enough that you don't need to worry about your car being stolen with a Zero, she also points out that not only can rolling codes be beaten, but that if a device that performed such a function existed, it would also be legal.
And while they might not be as viral, she is absolutely right.
There are plenty of other hacking gadgets, like this one from Great Scott Gadgets, that do exist, can beat rolling codes, and are legal.
The HackRF was first demonstrated in 2015 at DEF CON and its party trick is that it can both jam and read the same RF signals as the Flipper Zero.
This setup allows it to collect two codes from the transmitter, pass one of them along so the target doesn't get suspicious, and then keep the stolen code.
Then, as long as it stays in jamming range, it can continue to steal new codes and perform actions against the target at will.
Or, assuming it can steal enough codes, you can even make an attempt at decrypting the key.
The point here, though, is not that you shouldn't bother updating to a rolling code system, but rather that there are much more sophisticated attacks out there, and if the Flipper Zero was all it took to hack your mainframe, you should be grateful for the wake-up call.
But what about low-frequency RFID, the kind that might be used to open doors at an apartment building?
The Flipper can read, save, emulate, and even brute force them.
I find this function pretty unnerving personally.
In the wrong hands, it could be extremely dangerous, or even fatal.
And, in many cases, the victim would have no power to update the security practices of, say, the hotel they're staying in, or the poorly maintained apartment that they rent.
But we've gotta remember, once again, that the Flipper Zero isn't doing anything particularly game-changing here, other than alerting us to the availability of these tools.
As a method of copying tags, the Flipper Zero is only useful if there's either very old encryption or none at all.
If you were worried about something more modern, like the RFID on your passport getting stolen, it's probably not an issue, since that's encrypted.
It should be noted that the key is the passport's document number, expiry date, and date of birth, which is why you should always keep your passport in a safe place, like the RFID-blocking pocket of the LTT backpack, lttstore.com.
Now, I know I said that it can brute force RFID locks as well.
Thankfully, most RFID readers only read every few seconds as a way to combat this sort of attack.
So, if you were to see a Flipper Zero used to crack the vault in a movie heist, you would know that the writers are taking some artistic liberties.
One thing the RFID reader is quite useful for, though, is reading pet microchips.
While they may sometimes be encrypted, it's not uncommon for them to just be raw data, and most countries that use them have some sort of central database.
These databases probably won't tell you any owner info, but they will at least tell you what agency to get in contact with to get a lost pet back to its family.
Yay.
Now, NFC is a subset of RFID, though at higher frequencies, and the Flipper Zero can read, write, and emulate NFC as well.
As before, the Zero can then hack devices that are using older encryption, like MIFARE Classic, but if you present it with anything newer, it won't be useful for much.
One exception to that, though, is tap-to-pay credit cards, which will spit out a fair bit of easily readable information, though it shouldn't include the postal or zip code, cardholder name, or CVV.
So, the attacker will likely also need access to the physical card in order to actually use it, by which point they might as well just snap a picture rather than use a high-tech doohickey.
It's even less of a danger reading a tap-to-pay credit card on someone's phone, since banking apps typically add an extra security layer by generating a new number for each payment.
Similarly, things like transit cards will only allow you to read the UID, not the full contents required for it to be usable.
Transit systems that do have security flaws related to their NFC are often quick to patch it too, as happened here in Vancouver when TransLink's tap-to-pay system rolled out in 2016.
The ability to rewrite single-use cards was being exploited by people who were using their Android's NFC system.
If you've got a Nintendo Switch, you might find one good use case for the NFC is to emulate amiibo, but once again, you can get similar functionality with an Android phone, this time by using a bunch of single-use NTAG215 tags that can be purchased for about 30 cents a pop on Amazon.
Another functionality you could get with the Flipper Zero, but could also get with an Android device, is BadUSB.
If you've seen our video on the USB Rubber Ducky, BadUSB is very similar.
It's a keyboard emulator that can be used to stealthily execute macros and scripts on a target device using an unlicensed version of the Ducky Script coding language.
When we spoke to Jacoby, the creator of the largest BadUSB repo on GitHub, as well as the top contributor to the Payload Hub for the Rubber Ducky, they said that when compared against something like the Rubber Ducky or the O.MG cable, the Flipper Zero doesn't stand a chance as far as performance goes.
But if you could plug it in behind someone's setup, it could be controlled with your phone.
And then the danger rating is no longer determined by the device itself, but rather by the creativity of the threat actor.
Ah, that's an interesting and important point.
We're already recognizing this pattern where anything the Flipper Zero can do, something else can do and maybe better.
But it's the versatility that sets it apart.
The Flipper Zero can be controlled remotely from both phones and computers using their extremely slick apps.
qFlipper also works on the Steam Deck, as demonstrated in this Reddit post by the Flipper Zero CEO.
While this type of wireless attack could be dangerous on its own, a particularly ingenious ne'er-do-well could take things much further with the Zero's general-purpose input/output pins.
Through GPIO, add-on boards can be used to tack on features like Wi-Fi, a camera or 2.4 gigahertz RF.
It just so happens that Logitech Unifying receivers also use 2.4 gigahertz RF signals, so with the addition of less than $5 worth of electronics, the Zero is able to connect to old, unpatched Logitech receivers and execute BadUSB Ducky Script without ever having to touch the computer.
That's a big yikes, but it still doesn't change our main point.
So could a Pi or an Arduino or realistically an Android phone.
So yes, the sky is the limit when it comes to the capabilities of a microcontroller and a robust GPIO system.
I mean, we've seen Geiger counters, light meters, ultrasonic distance sensors, and there's plenty of people working on new additions, but the device is not the danger.
It's the ingenuity of people and the power of the community that Flipper Devices Inc has built around their particular gadget.
I mean, it's an incredible success story.
Starting out as a Kickstarter campaign, the Flipper Zero raised $5 million and then, this is the really shocking part, delivered fully on its promises.
Not only did the Flipper team pique the interest of tens of thousands of people, they fostered a community that's willing to innovate and evangelize, which has pushed their niche gadget into the mainstream spotlight and turned it into a true Swiss army knife of hacking devices.
And if the current momentum is any indication, new add-ons, programs, and custom firmware are going to continue to extend the lifespan and utility of the device as time goes on.
Is it as good for gaming as a Nintendo Switch, as stealthy as a Rubber Ducky, as amoral as a HackRF One?
No, but for something so pocketable, it is shockingly decent at all of these things without crossing the line into illegality, whatever scary stories might've been told by sensationalist media personalities.
From our point of view then, the Flipper Zero has the potential for mischief and much worse, but it also has legitimate uses, the best of which is to find out if you're vulnerable to attacks that would cost a determined butt head less than a 4K monthly subscription to Floatplane without actually getting hit by them.
Then, once you're sure you're safe from the plethora of basic vectors that it can perform, well, you still have yourself a cute little electronic dolphin friend that can play Doom.
What it can't do yet though is segue to our sponsor.
Squarespace, if you wanna build a brand online, you need a website, but if you just learned how to turn on the little flashlight on your phone, how are you gonna build the whole website?
Well, Squarespace can help.
They're the one-stop, no-frills, all-in-one platform for expanding your presence on the internet.
Squarespace lets you build beautiful websites, engage with your audience, and sell anything and everything from products to content without needing to spend four years getting a website building degree.
We love Squarespace so much.
We use it here at LMG for LTX Expo and linusmediagroup.com, and its custom templates make it easy to stand out with a plethora of themes and customization options to fit your needs.
You can maximize your visibility thanks to a suite of integrated SEO features.
There's also analytic insights to help you optimize for performance so you can see what's working well and what needs tweaking.
Get started today and head to squarespace.com forward slash LTT to get 10% off your first purchase.
If you enjoyed this video, check out the shenanigans we got into with the USB Rubber Ducky.
Why are these devices so cutely named and yet so insidious?
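The following is an added example, not part of the video or its transcript and not code from Flipper Devices or Great Scott Gadgets. It models the rolling-code scheme the transcript describes (a shared key plus a counter generating a fresh code per press, with the receiver holding a window of upcoming codes so a few missed presses are tolerated) and then the jam-and-capture attack described for the HackRF: record two codes, forward the first so the gate opens, keep the second. The 4-byte truncated HMAC-SHA256 codes, the 16-code window and the demo key are illustrative assumptions, not any real remote's protocol; jamming is modelled simply as the receiver never seeing a transmission.

```python
import hashlib
import hmac

# Illustrative parameters (assumptions for this example, not a real remote's protocol):
# a code is the first 4 bytes of HMAC-SHA256(key, counter), and the receiver
# pre-computes the next WINDOW codes so a few missed button presses are tolerated.
WINDOW = 16


def make_code(key: bytes, counter: int) -> str:
    """Rolling code for one counter value; unpredictable without the shared key."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:4].hex()


class Remote:
    """The key fob: shares a key with the receiver and bumps a counter on every press."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> str:
        code = make_code(self.key, self.counter)
        self.counter += 1
        return code


class Receiver:
    """The gate side: accepts a code only if it is in the look-ahead window,
    then discards that code and every code before it."""

    def __init__(self, key: bytes, window: int = WINDOW) -> None:
        self.key = key
        self.window = window
        self.counter = 0  # next expected counter value

    def upcoming(self) -> list:
        return [make_code(self.key, self.counter + i) for i in range(self.window)]

    def receive(self, code: str) -> bool:
        upcoming = self.upcoming()
        if code not in upcoming:
            return False  # already used, too far ahead, or forged
        # Everything up to and including the accepted code is now spent.
        self.counter += upcoming.index(code) + 1
        return True


KEY = b"constructed-demo-key"  # constructed for this example only


def plain_replay() -> tuple:
    """Sniffing one press and replaying it fails: each code is single-use."""
    remote, receiver = Remote(KEY), Receiver(KEY)
    code = remote.press()
    return receiver.receive(code), receiver.receive(code)


def rolljam() -> tuple:
    """Jam-and-capture: the receiver never sees the victim's two presses,
    the attacker forwards the first code and keeps the second for later."""
    remote, receiver = Remote(KEY), Receiver(KEY)
    captured = [remote.press(), remote.press()]  # both jammed, both recorded
    opened_for_victim = receiver.receive(captured.pop(0))   # gate opens, nothing looks wrong
    opened_for_attacker = receiver.receive(captured.pop(0)) # stolen code still in the window
    return opened_for_victim, opened_for_attacker


def stolen_code_after_victim_moves_on() -> bool:
    """Why the attacker has to stay in jamming range: once the victim gets a later
    code through, the receiver moves past the stolen one and it stops working."""
    remote, receiver = Remote(KEY), Receiver(KEY)
    first, stolen = remote.press(), remote.press()  # both jammed and captured
    receiver.receive(first)                          # attacker forwards the first
    receiver.receive(remote.press())                 # victim presses again, unjammed, accepted
    return receiver.receive(stolen)                  # receiver has advanced past it
```

Running the three scenarios in order shows the progression the transcript outlines: a straight replay of a used code is rejected, the jam-and-forward attack yields one spare valid code, and that spare code dies the moment the owner successfully uses the remote again, which is exactly why the attacker has to keep jamming to keep stealing.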