Flipper Zero: a great tool for a pentester or an expensive toy for the drawer?

Many people in the industry love gadgets. Who would turn down a new drone, a Starlink kit or even an O.MG cable? Sometimes a gadget appears on the market that causes a lot of buzz and a strong urge to own it. Is that always justified? Let’s find out.

The author of this article is Michał Kucharski, better known online as M. Kucharskov. Besides browsing the Internet, one of his hobbies is exploring the secrets of electronics and automation. Working professionally on a purple team, he comes into contact with all sorts of gadgets related to cybersecurity.

While looking for an idea for a super-ultra-geek gift, I came across a device called the Flipper Zero, which bills itself as a “Multi-Tool Device for Geeks.” It sounds like exactly the kind of thing I would like to find under the Christmas tree. This time, however, Christmas came early and I had a Flipper Zero to play with, which is what allowed me to write this article.

What is Flipper Zero?

Flipper Zero is a small portable device with support for many wireless protocols: a sub-GHz radio (315, 433, 868 and 915 MHz), an NFC reader, 125 kHz RFID, Bluetooth 5.4 and infrared. Flipper is run by an STM microcontroller and also exposes several GPIO pins to which you can try connecting additional accessories.

Device graphics (Advertising material from flipperzero.one)

The device is powered by a 2100 mAh LiPo battery which, according to the specifications, allows 21 days of operation without charging. A 1.4-inch monochrome display shows the status, interrupted by cute animations of a dolphin in a Tamagotchi-like game: the more functions you use, the higher the animal’s level.

In theory it is a device that lets you carry a “Swiss army knife for wireless protocols” in your pocket, disguised as a toy. But is that true?

Fin mania

If you type “Flipper Zero” into the search box of a popular social network, you come across many videos showing how to use a device smaller than a smartphone to open doors with digital locks without a card, open cars without a key, break lock codes and much more, all activities covered by Article 267 of the Polish Penal Code (KK). So I took my device, updated it, charged it fully and went into town looking for opportunities to play with my dolphin, whose name is Tulirba. An interesting fact: the animal has a different name in every device!

Flipper Zero updated and charged

Attempt no. 1 – door into an office building

Armed to the teeth with Flipper, hood up, I walked into the reception area of an office building. I stood where I could see the door that opens with a card. I took out the device to examine the available arsenal: there were two options to use here, RFID or NFC. In the first case the only option that makes sense is “Read”, so I first had to scan someone’s card or key fob.

Of course, I wasn’t running around the office building groping the people I passed with the device. I had my own card with me, hidden in my wallet in my back pocket. I turned on reading mode and held the device up to scan the card. Unfortunately, despite my best efforts, the card was not read, even though I had deliberately chosen a slim wallet without RFID shielding. From then on, I put all the hacker scenarios out of my head. Even after I took the card out of the wallet, the device was reluctant to read its data.

Trying to read a card hidden in a trouser pocket

Luckily there was another door upstairs, this time protected by NFC cards. These are sometimes hung from belts or jacket lapels and also serve as identification badges. Without much fuss, I pulled out the appropriate card, placed Flipper on it and tried to read it. The words “Read the card, don’t move” appeared on Flipper’s screen. The device thought, the LED flashed, and in the end the card was not read. Most likely I had run into the card-reading problem that many users have reported.

Flipper struggles to detect the type of card being scanned

I clicked through most of Flipper’s options and found “Read Specific Card Type”, which lets you read the card as a specific selected type. Going through all the entries, I noted the ones that managed to read the card. I stopped at the door and began emulating each saved version one by one, only to end up bumping into the door to no avail.


Well… I had to prepare more for the next attempt.

Attempt no. 2 – payment cards

Calmly, at home, I took all the payment cards I had out of my wallet: from the bank card I use every day, through the “savings” card, to Revolut. The pool included both Visa and Mastercard cards. Having learned from the previous problems with reading cards, I scanned them several times using both the “Read” and “Read specific card type” options. Thus equipped, I went to a nearby store to take on the self-service checkout.

Flipper flashed at the terminal; the only thing that achieved was catching the attention of the security guard, who carefully checked whether the transaction had completed correctly. Unfortunately I had to complete the payment with my phone. This happens because during payment processing the payment card’s chip generates a per-transaction token that Flipper cannot generate.

Attempt to make a payment using Flipper Zero

Furthermore, you often find information on the Internet that “Flipper Zero will (only) read the card number and sometimes the expiration date, depending on the type of card”. In my case, after reading, I learned only the UID and nothing else. Most likely one of the updates removed this feature from the device, or the tested cards did not support it.
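To illustrate why a device that only reads a card's static identifiers cannot complete a payment, here is an added example (not from the article and not Flipper's own code). It models, in greatly simplified form, the idea behind chip cards: the card holds a secret key and answers each terminal challenge with a cryptogram over data the terminal chooses. The HMAC construction, the field layout, the key and the card number are all constructed assumptions standing in for the real EMV formats.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: the card and the issuer share this key. A device
# that merely reads the card over NFC never sees it.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARD_PAN = "4111111111111111"  # constructed, not a real account number


def cryptogram_input(amount_cents, unpredictable_number, atc):
    """Data the card and the verifier both feed into the cryptogram (simplified)."""
    return f"{amount_cents}|{unpredictable_number:08x}|{atc}".encode()


class ChipCard:
    """Genuine card: holds the key and signs each transaction's challenge."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0             # application transaction counter
        self.last_response = None

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1
        mac = hmac.new(self._key,
                       cryptogram_input(amount_cents, unpredictable_number, self.atc),
                       hashlib.sha256).digest()
        self.last_response = (self.atc, mac)
        return self.last_response


class StaticEmulator:
    """A reader-only device: knows the PAN and, at best, one response it observed."""

    def __init__(self, pan, captured_response):
        self.pan = pan
        self.captured_response = captured_response

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        # No key, so the only thing it can do is replay what was captured earlier.
        return self.captured_response


class Terminal:
    """Terminal plus issuer host: picks a fresh challenge and verifies the answer."""

    def __init__(self, issuer_keys):
        self._keys = issuer_keys   # pan -> key, held by the issuer, not by the reader
        self._last_atc = {}

    def approve(self, pan, amount_cents, device):
        key = self._keys.get(pan)
        if key is None:
            return False
        unpredictable_number = secrets.randbits(32)   # fresh for every transaction
        atc, mac = device.generate_cryptogram(amount_cents, unpredictable_number)
        expected = hmac.new(key,
                            cryptogram_input(amount_cents, unpredictable_number, atc),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False            # wrong key or stale challenge: a replay lands here
        if atc <= self._last_atc.get(pan, 0):
            return False            # counter did not advance: another replay signal
        self._last_atc[pan] = atc
        return True


def demo():
    """Genuine card pays, an eavesdropped answer replayed by an emulator does not."""
    card = ChipCard(CARD_PAN, CARD_KEY)
    terminal = Terminal({CARD_PAN: CARD_KEY})
    genuine = terminal.approve(CARD_PAN, 1999, card)          # True
    emulator = StaticEmulator(CARD_PAN, card.last_response)   # reuses the last answer
    replayed = terminal.approve(CARD_PAN, 1999, emulator)     # False
    again = terminal.approve(CARD_PAN, 1999, card)            # True
    return genuine, replayed, again


if __name__ == "__main__":
    print(demo())
```

The verifier recomputes the cryptogram from the challenge it generated itself, so a captured answer only matches if the challenge repeats; the transaction counter adds a second, independent replay check.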

Attempt no. 3: contactless cards

After this latest failure, still undeterred, I sat down at home and started scanning all my cards to find some that worked. One of them is the ŚKUP city card (now replaced by the Transport GZM system), which allows you to validate public transport tickets on ZTM buses in the Upper Silesia-Zagłębie metropolitan area.

It was the only card that could be read quickly, every time and in almost any position. I made a copy using the “Read” function and a few manual copies selecting the matching templates, and then headed to the bus stop.

ŚKUP card read (number partially blurred)

I got on the bus and as soon as the reader was free, I took action. Despite the strange looks from my fellow passengers, I selected the saved cards one after another; unfortunately, none of them had any effect on the reader.

Good thing I had a validated paper ticket just in case.

Attempt no. 4 – TVs on display

When I got off the bus I found myself near a shopping center. I decided to check how Flipper would fare in the wild: after all, there are many different kinds of wireless signals in such a place. While walking around a large store, I noticed a wall full of televisions. I looked at the dolphin: in the menu under “Infrared” there was the option “Universal Remotes” and then, first at the top, “TV”. I saw a small remote control that allowed me to turn off, change channel, change volume and mute the TV.

Flipper with the universal remote control activated

I chose the last option, considering it the “least invasive”. I pointed at the televisions and after a moment a crossed-out speaker symbol appeared on most of the screens. Success! With a smile on my face I left the building, leaving destruction and silence behind me.

Attempt no. 5 – BadUSB

The next feature that caught my attention was BadUSB. As the name suggests, it lets you connect Flipper with a USB cable and run some “evil” keystroke scripts. The scripts installed by default open Windows Notepad and type out ASCII-art logos. Anything more you have to write yourself or look for on the Internet.

Many of the scripts found on the Internet are also just ASCII art. Others, which perform basic automated reconnaissance or extract cookies from the browser, require an external file server or Discord to upload the data, even though the device has an SD card inserted, which cannot be used as a storage medium for this purpose. Such usage is neither universal nor scalable. Nothing works in plug-and-play mode.


One of the more interesting and significant BadUSB scripts is “top65_4digit_pin_bf”, which contains a list of the most commonly chosen phone PIN codes and tries them automatically. So I set what I thought was a simple PIN code, four zeros; even Samsung warned me that the code was trivial. Then I connected Flipper to my phone and ran the script. 5 attempts, 30 seconds of Android lockout, 5 more, another 30 seconds, a third set of 5 attempts, and then? The script assumes another 30-second pause, but the phone blocked PIN entry for a full minute. As the script ran on, the lockout grew to 5 minutes. Even though four zeros was in the script’s list, the phone reaches an hour-long lockout sooner than this method reaches the right PIN.

Locked for 60 seconds while Flipper only waits 30
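The arithmetic behind that outcome is worth seeing, so here is an added example (not from the article and not the script it names) that models how an escalating lockout bounds a keystroke-injection PIN guesser. The lockout schedule is an assumption loosely based on what the article reports (30 s after each block of 5 wrong attempts, growing to 1 min, 5 min and eventually an hour); real Android timings vary by version and vendor, and the 2 s per attempt is a constructed typing-speed guess. The helpers take the schedule as a parameter, so the same code also answers the general question of how long any candidate list takes under any lockout policy.

```python
ATTEMPTS_PER_BLOCK = 5
# Assumed lockout after each block of 5 wrong attempts; the last value repeats.
ASSUMED_LOCKOUT_SECONDS = [30, 30, 60, 300, 3600]


def lockout_after_block(block_index, schedule=ASSUMED_LOCKOUT_SECONDS):
    """Lockout (seconds) imposed after the given block of wrong attempts."""
    return schedule[min(block_index, len(schedule) - 1)]


def time_to_try(n_candidates, seconds_per_attempt=2.0,
                schedule=ASSUMED_LOCKOUT_SECONDS):
    """Wall-clock seconds needed to try n_candidates PINs in order, all wrong.

    A lockout is only added when another attempt is still to come.
    """
    total = 0.0
    for i in range(1, n_candidates + 1):
        total += seconds_per_attempt
        if i % ATTEMPTS_PER_BLOCK == 0 and i < n_candidates:
            total += lockout_after_block(i // ATTEMPTS_PER_BLOCK - 1, schedule)
    return total


def candidates_within(budget_seconds, seconds_per_attempt=2.0,
                      schedule=ASSUMED_LOCKOUT_SECONDS):
    """How many candidate PINs fit into a time budget under the lockout policy."""
    elapsed = 0.0
    tried = 0
    while elapsed + seconds_per_attempt <= budget_seconds:
        elapsed += seconds_per_attempt
        tried += 1
        if tried % ATTEMPTS_PER_BLOCK == 0:
            elapsed += lockout_after_block(tried // ATTEMPTS_PER_BLOCK - 1, schedule)
    return tried


def report():
    """Compare the 65-entry list and the full 4-digit space with and without lockouts."""
    rows = []
    for label, n in (("top-65 list", 65), ("all 4-digit PINs", 10_000)):
        with_lock = time_to_try(n) / 3600
        no_lock = time_to_try(n, schedule=[0]) / 3600
        rows.append((label, round(with_lock, 1), round(no_lock, 1)))
    return rows


if __name__ == "__main__":
    for label, hours_locked, hours_free in report():
        print(f"{label:18s} {hours_locked:>9.1f} h with lockouts, "
              f"{hours_free:>6.1f} h without")
    print("PINs tried in a 10-minute window:", candidates_within(600))
```

Under these assumptions the 65-entry list alone takes over eight hours, and a ten-minute window at the device yields only 25 guesses; the rate limit, not the guess quality, decides the outcome.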

Another of the few sensible scripts was one that opens a terminal window, issues a few commands and neatly lists the Wi-Fi passwords saved on the system. Everything would have worked fine here if it weren’t for the antivirus! It turned out that Microsoft’s antivirus flags this specific set of commands as “malicious content”.

The attempt to run the Wi-Fi password list script failed

More tests

Still undeterred, I researched further possibilities of the device. The first place I went was the “Hub” in the official Flipper Zero Android app. There you can find applications such as a text editor, a Morse code generator, a tuning fork and a metronome, all serious hacker stuff. Here, however, I also found an “RFID detector” which allowed me to check which frequency a given card reader operates on.

Poking around the Internet, I came across an application on GitHub called “Unitemp”. It took some effort to get it running on the latest Flipper firmware. After completing a PhD in technical documentation and spending a few hours on the command line, I had a working program that, once the appropriate sensor is connected, turns the device into… a thermometer. Useful when standing in the cold in front of a reader, scanning successive card types.

A dolphin that acts as a thermometer

While searching various forums, I also came across ready-made signals captured by other users that can be loaded onto your device. One of these was a signal that opens the charging port door on Tesla cars. I downloaded and uploaded the signal, but unfortunately when I try to transmit it the little dolphin wags a finger (a flipper?) at me, informing me that this particular frequency is not available due to the regional lock.

Signal region lock screen

Summary

As you can see, the original software is not very rich in features that work out of the box. Admittedly, I did not manage to catch a neighbour opening a gate or a car, but here you also have to be careful: transmitting a previously intercepted signal can desynchronize the transmitter (the remote) from the receiver.
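To show what that caveat means in practice, here is an added example (not from the article and not Flipper's firmware): a toy rolling-code remote and receiver. It shows why replaying a captured packet does not open the gate, how the receiver tolerates presses made out of range, and how a second transmitter on the same key whose counter has run ahead (a spare remote in this model) leaves the original remote rejected as a replay. The keyed tag, the key and the window sizes are constructed assumptions standing in for the cipher and parameters of a real KeeLoq-style system.

```python
import hashlib
import hmac

# Constructed pairing secret shared by the remote and the receiver.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
OPEN_WINDOW = 16        # counters this far ahead are accepted immediately
RESYNC_WINDOW = 32768   # further ahead: accepted only as two consecutive counters


def make_tag(key, counter):
    """Keyed tag binding the counter to the paired key (stand-in for the cipher)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Remote:
    def __init__(self, key, counter=0):
        self._key = key
        self.counter = counter

    def press(self):
        """Every press emits a new counter; the same packet is never sent twice."""
        self.counter += 1
        return (self.counter, make_tag(self._key, self.counter))


class Receiver:
    def __init__(self, key, last_counter=0):
        self._key = key
        self.last_counter = last_counter
        self._pending = None   # first packet of a possible resync pair

    def receive(self, packet):
        counter, tag = packet
        if not hmac.compare_digest(tag, make_tag(self._key, counter)):
            return "rejected: bad tag"
        if counter <= self.last_counter:
            return "rejected: replay"          # already consumed, or remote is behind
        delta = counter - self.last_counter
        if delta <= OPEN_WINDOW:
            self.last_counter = counter
            self._pending = None
            return "opened"
        if delta <= RESYNC_WINDOW:
            if self._pending is not None and counter == self._pending + 1:
                self.last_counter = counter
                self._pending = None
                return "opened (resynced)"
            self._pending = counter
            return "ignored: out of window, press again"
        return "rejected: too far ahead"


def demo():
    """Walk through replay, missed presses, resync and a counter that ran ahead."""
    remote = Remote(SHARED_KEY)
    gate = Receiver(SHARED_KEY)
    log = []
    packet = remote.press()
    log.append(gate.receive(packet))            # opened
    log.append(gate.receive(packet))            # rejected: replay (captured copy)
    for _ in range(3):
        remote.press()                          # pressed out of range, never heard
    log.append(gate.receive(remote.press()))    # opened: still inside the window
    for _ in range(20):
        remote.press()                          # many presses out of range
    log.append(gate.receive(remote.press()))    # ignored: out of window
    log.append(gate.receive(remote.press()))    # opened (resynced)
    # A spare remote on the same key whose counter ran ahead moves the gate's
    # counter past the original remote's ...
    spare = Remote(SHARED_KEY, counter=remote.counter + 5)
    log.append(gate.receive(spare.press()))     # opened
    # ... so the original remote now looks like a replay: it is desynchronized.
    log.append(gate.receive(remote.press()))    # rejected: replay
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last two entries are the situation the caveat warns about: once the receiver's counter has moved past the original remote's, every press of that remote is discarded as a replay until it has been pressed past the receiver's counter again.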

For a price of 165 euros plus taxes (almost a thousand zlotys) we get – now I’m not afraid to write this – a toy. Admittedly full of technology, but a toy. What’s more, it requires considerable knowledge and programming skills to accomplish anything. Unfortunately, the main “out of the box” function of this device boils down to a universal TV remote. For a thousand zlotys? I don’t think it’s worth it, even though the craze continues. While I was looking for a device in stock, I received this reply from one of the distributors:

“Almost everyone has sold out. Unfortunately I don’t even have the chance to buy a cheaper second-hand one. People buy it for a lot of money because they are tempted by the ONE CLICK HACKED MEGA OPTIONS, they get the package, hit a wall and sell it after a week.”

This is not my final word, however, as there are unofficial firmwares that can be uploaded to Flipper. They contain fewer locks and more integrated applications. Do you want another part? Do you have questions about the possibilities? The comments section is yours!


2024-01-24 14:37:30
