
Unlocking the Power of the Flipper Zero

BSides KC · 33:07 · 4.6K views · Published 2023-10 · Watch on YouTube ↗
Tags
Category: Technical
Difficulty: Intro
Style: Demo
About this talk
Have you heard of the Flipper Zero? It's an all-in-one pocket-sized hacker's dream! We will explore the various features and applications the Flipper Zero has to offer, in addition to demonstrating several attacks the device can perform to illustrate the potential this device holds. Whether you've just heard about the Flipper Zero today, or you have been a fan since day one, we'll walk through many features the Flipper offers as well as show some demonstrations of what people have done with this pocket-sized hacking tool. Whether you consider your Flipper Zero an extension of yourself, own one and are looking for things to try, or have never heard of the Flipper Zero, we have an exciting talk for you to see! During the talk, we will provide a comprehensive introduction to the Flipper Zero, guiding you through its capabilities and demonstrating how to set up the device straight out of the box. We will also show off some cool things that have been done with the Flipper Zero, and it's jam-packed with demos! We'll show off how to clone a hotel card, inject keystrokes wirelessly and even break the rolling code on a garage door opener live! There are many more demonstrations, and you won't want to miss this talk.
Transcript [en]

Hello, hey, what's up guys, and flip it. Today we're going to be talking about how we can unlock and use this little orange funny toy device called the Flipper Zero. With this device you can do a lot of different wireless, wired, NFC, all kinds of different attacks, and today we're going to be diving in and kind of explaining what you can do, and we're going to show off some pretty cool examples. Like, we've got this garage door opener here; we're going to show how that works. So, take it away.

I'm Jordan Bush. I work as a government contractor on the civilian side. On the hacker side I like to do CTFs, hack all the devices. This is going to be my BSides talk; I started with wireless attacks for my first, did SDRs for my second, so I'm going through the different avenues here. Lots of fun. And how about you?

My name is, oh God, my name is Cazette Maay. I have been part of the cybersecurity community for a couple of years now. I originally attended the University of Nevada, Reno from 2019 to 2021. I was originally studying electrical engineering, and then of course COVID hit and I had to kind of reevaluate my game plan, so then I transferred to the Metropolitan Community College of Kansas City, Missouri for my associate's degree in cybersecurity, and on one October, or no, on one September night in 2021, I walked into a SecKC event and that forever changed my life. [Applause]

I did put a list of contributors: Unleashed firmware, RogueMaster, and of course Xtreme firmware. They, you know, redid all the customizable firmware that you probably see on the internet getting blasted with popularity because it's, I don't know, how would you explain it? A lot of fun stuff; everyone's making new changes to it, adding their spins on things. So don't try this at home. We're what you call experts, but really, you know, just be courteous of others. Don't try messing with people's presentations, don't ruin anyone's cars or devices. We're going to be having a live demo today and I'd ask you guys, just out of courtesy, please don't try to follow us along. I'm almost certain there are plenty of people with Flippers here. If you have a Flipper, raise your hand. Oh, that's a lot of hands, okay, I was right. So yeah, please don't try to copy me while I'm on stage. We will have a couple of demos in the RF Village later today that you can try to pick up on, both rolling code and static code, so I think it'll be fun.

All right, and like always, we like our audience to understand that this presentation is only for educational purposes, and if anyone decides to use these things demonstrated here today, you've been warned of the potential consequences that can come if it's not performed on your own devices. Before we begin, we would like to kindly ask everyone to turn off the Bluetooth on your phone. Yeah, gotta stay safe. And we would also like to encourage every audience member here to not connect to just some random free Wi-Fi network; ask your local Village member or organizer how to safely connect to the BSides KC free Wi-Fi. So thank you.

So we're going to be going over how the Flipper works, what the Flipper is, really, because I'm sure some of you are thinking, what the flip is this? We're going to be talking exactly about what the thing can do, and as you see up here we have a couple of different technologies presented; we're going to be talking about each and every one of them. So, oh, did you want this? Okay.

So what is a Flipper Zero? A Flipper Zero is this little pocket multi-tool device launched around 2020 on Kickstarter. I picked mine up in 2021, started messing with it when they were having issues with shipping; people thought it wouldn't come through because of regulations. I think, what was it, just recently the UK banned it, so if you try to travel through a United Kingdom airport with one of these things it's getting confiscated. Crazy, I know. Brazil, I believe, banned them too, so they're a little restricted when it comes to trade. I mean, really, we're just doing things with wireless technology; I don't know what's not to love, but some countries are not too happy with it. A group of dedicated hardware engineers from Russia made this; maybe that's one reason. Yeah, you know what's going on over there right now. So we're going to show a little video of just things you can do with a Flipper.

[Video plays: music, applause]

[Applause] All right, so we obviously saw a little bit of a preview of what the Flipper can do; now let's talk about how it all really comes together. So it is run with an STM32WB microcontroller. It is an ARM Cortex-M4 based MCU; it supports Bluetooth Low Energy, 802.15.4 wireless protocols and Zigbee. This device incorporates a 433 MHz antenna designed for transmitting and receiving signals in that frequency, paired with a CC1101 chip, a cost-effective sub-1 GHz transceiver. It's optimized for extremely low-power wireless operations. While it's primarily intended for the 433, 868 and 915 MHz bands within the industrial, scientific and medical and SRD, short-range distance, frequency realms, it is adaptable for use across 300 to 348 MHz, 387 to 464 MHz and 779 to 928 MHz. This makes it suitable for applications like smart sockets, IoT sensors, doorbells and garage doors and barriers. This Flipper also has a 125 kHz antenna at its base with an integrated NFC module operating at 13.6 MHz; paired alongside the 125 kHz module, the Flipper transforms into an RFID device capable of functioning across both low-frequency and high-frequency spectrums.

So let's just say you bought a Flipper today; what do you need to do to get it working? Well, one big thing: you need to get yourself a microSD card. It goes right in this little slot down here, and without it you won't really be able to do much, because you've got to put all your files somewhere. You're going to download a lot of pre-made files, whether it be signals and firmware files, custom animations, media; there's a lot of stuff you can do with your Flipper, and without any way to store it, you know, the thing only has like a couple of megabytes of storage, it's pretty important what you do. After you get your storage taken care of, you're going to get some firmware. You can use the official firmware for the app; you can just download it and connect it over Bluetooth. Or you can dive a little deeper like me and probably a lot of other people: there are forks of the firmware that we mentioned earlier. I'm personally running a firmware called RogueMaster, and with that I'm able to do more custom waveforms, rolling code attacks; there's a lot of new apps that you can get for it. So if I do anything that you can't find on your own Flipper, you might consider getting custom firmware. If you have any questions on how to do that, you can find me in the RF Village later, and hopefully, I believe, yeah, we'll go from there.

So, all right, we're going to get into what it can do, right? BadUSB: it is a critical security flaw that can turn USB devices into an attack platform. It exploits the way that USB is designed and operates, allowing a malicious party to reprogram a USB device's firmware, making it act in unintended ways. The Flipper Zero, with its features, also includes the ability to act as a BadUSB, or, if you guys know, the Rubber Ducky. This means I can emulate various USB device types such as keyboards and execute predefined keystrokes on a connected computer.

Bluetooth: there is also Bluetooth Low Energy. This simple protocol enables users to have wireless gadgets connected from one device to another. With the convenience of BLE you connect your Flipper to an app, enabling a flow for updates, app installations and, you know, so much more. But that's not all: the Flipper Zero is not just a passive observer in the Bluetooth realm, but it actively engages, as evidenced by current popular attacks such as the Apple BLE proximity pairing spammer and, for a touch of nostalgic mischief, the Rick Roll attack via Bluetooth.

So the Flipper has a sub-gigahertz radio that can be used from practically, you know, the lower tens of megahertz up to a gigahertz. It's got a Texas Instruments chip powering all that. With this device you're able to clone different remote codes and pick up on many other things. Sorry, I'm just looking at the slides. The device can also do fuzzing attacks, where you might be able to clone somebody's remote code that might open, say, I don't know, a locker or something, and it might just put out one code that opens one locker, and there's like 20 of them, so you can fuzz that signal and potentially find a way to generate the other locker-open combination codes. So with a Flipper you can find and debunk new kinds of attacks.

With infrared, we have a little thing right here, a little black thing on my Flipper; I don't know how easy it is to see in the back, I'm sorry, but essentially what you're able to do is emulate TV remotes, other kinds of remotes that also use the same kind of technology, and one of my favorite things to do is TV-B-Gone. I'm sure some of you have heard of that. You can integrate that on your Flipper and just drive by and turn off all the TVs in a sports bar or something. Don't ask me if I've done it, because I'm not going to tell you, but it's fun if you do it safely.

With RFID you have the capability of being able to clone different key cards, so maybe you have access cards for your building; you can clone those. You might have different key fobs that you carry around; you can clone those too. Pretty much any kind of RFID key card, except for credit cards

and some more specialized cards, you can clone. We'll talk about that a little more later.

All right, so we're going to talk about near-field communication, or NFC, I should say. It's a function that enables quick dialogues between two devices placed just a few centimeters away. How many of you guys use the wireless tap-to-pay on your phone? Yeah, all of us do, okay. NFC tags, which often store personal details, can be accessed by unauthorized devices. Devices like the Flipper Zero can potentially retrieve this stored information, and the Flipper Zero can emulate NFC tags, allowing it to mirror or adopt, right, the identity of any tag for both experimentation and potential security exploitation, including malicious cloning of access cards or secure NFC tags. One of the most popular attacks that's been kind of happening with NFC is, how many of us own a Nintendo Switch at home? How many of us? Yeah. Do you guys know what an amiibo is? It's like, you use the, yeah. So at the bottom of the box of the amiibo, you just need to use your Flipper Zero to scan the bottom of it and it'll capture the NFC tag, and then you can take it home with you without, you know, buying the whole device, and emulate it on your Nintendo Switch. I do not encourage this, but it is a current popular vulnerability at the moment. And yes, if you accidentally open up your contactless pay on your iPhone or on your Android, the Flipper can pick it up from there, so you've been warned. You wouldn't download an amiibo, would you?

Although I do have a side note: I can't take my Flipper and just walk through a crowd and steal people's credit cards. Don't be concerned about that. If you want to actually steal, you're going to need something pretty large; you're going to need more power coming out of a near-field communication antenna. So a little Flipper like this doesn't have enough power to steal people's credit card data, so don't worry about that if you're around me or any one of you that raised your hand earlier. I think everyone should be okay.

All right, back to where we were. GPIO, general-purpose input/output, as it's known. It's essentially a set of pins on pretty much every microcontroller that exists. The Flipper gives you a good amount of pins. There's a lot of expansion cards you can buy that utilize these pins. You can write your own programs to do kinds of attacks that use different custom hardware. For example, one of the big ones is hooking up a Wi-Fi card to do Wi-Fi based attacks, or hooking up a different kind of RF chip to try to steal people's keyboard credentials by sniffing keyboards over the air. A lot of different attacks for that. So I like to think of it as an expansion module.

So we have a Wi-Fi card that runs on the Espressif ESP32 platform. If you look on your badge, you actually have one right here; they make those into a module. You probably could wire your Flipper up directly to that if you wanted; not suggesting it. But what you can do with the Flipper is various Wi-Fi attacks that have come out over the years, essentially taking features from, like, the Wi-Fi Pineapple, for example. Now, I could be wrong about this, but I don't believe you can crack Wi-Fi with a Flipper, so if you're looking for that, just for that reason, there's better hardware.

All right, so I kind of wanted to show a little introduction on the Wi-Fi wizardry with the Flipper Zero. Through Marauder, which is a firmware you have to install onto the ESP32, we can capture packets on the Wi-Fi network and analyze them later. In addition, the evil portal capabilities, like replicating various logins, can let users gain access to things like usernames and passwords, perform SSID deauthentication attacks, and interact with other devices on the network. These are only a few examples, and these are just a few ways to get started. One of the ways I prefer to kind of get started would be to use the Flipper Zero Easy Marauder Flash. I know this kind of sounds hard, like, oh, you've got to flash an ESP32, but it's a great way to get into firmware hacking and understanding how chips function. We will be demonstrating how to flash an ESP32 with the Flipper's Easy Marauder Flash. This is a great project to get started on if you haven't had a great hands-on experience with understanding that a chip needs firmware, which is ideally a set of protocols for it to work. And just a heads up, please make sure you have the latest version of Python, because this will come in handy later.

So, back on the topic of protocols, we have one that runs out of the GPIO port called UART, universal asynchronous receive/transmit. If you look on your badge there's a couple of UART pins. Now, with these, this is more of an example that UART is in everything and it is everywhere. Your router probably has it, your smart devices, everything you own probably has it. Now, for the purpose of the badge, we can use it to program them; that's how we can upload our firmware. Now, with this badge specifically, in this context, you have a USB port, so it'd be easier just to do that instead of trying to hook up your Flipper, but I will say, if you don't have a USB serial adapter with you whenever you need it, your Flipper can function as one: just plug in USB and plug in the couple of pins on the top and you're able to do it. It does have convenient features like that. SPI flash chip reading is another one: you can plug just a couple of SPI flash leads into it, hook up an in-circuit programmer, and with that you're able to read, write, extract, whatever you need to do to flash, and again saving yourself on hardware you need to put in your backpack.

Back to RF. That's my car. I'm a little mischievous; I don't do that to just my car. There's a vulnerability in Teslas that has been known for a couple of years

now. There's a simple replay attack where you can take the Supercharger's open-port command and open pretty much any Tesla port. The official Tesla ones just use a very low-power signal, but the Flipper actually puts out more power and it will open any charge port on a Tesla in like a 25 ft radius. Please don't go to the Tesla store and just do that to all of them; I really don't want you to ruin it. Oh, a train must be coming through.

Garage door, okay. You might see what I have here: I have a garage door opener. I'm going to show you how we can crack into this garage door. This garage door was a Craftsman that I had in my home. I took it out, replaced it with a newer one. It's got rolling code security, Security+ 1.0. The Flipper can crack Security+, both 1.0 and 2.0, which is currently being used in modern garage doors, including the one I just bought to replace this one. I'm sad; that's not the point. But we have the remote right here. If I were to hit it, I don't know how easy that is to hear, but it's running right now. I want to turn it back off. But with a Flipper I can actually come onto the screen and essentially capture the code and control it from my Flipper.

Originally we had plans to actually have a camera up here and show how that works, but due to complications with HDMI cables that didn't happen today. If you want to see this again, come to the RF Village and I'll show you up close and personal. But essentially what we're going to do is go into the Sub-GHz menu, and if you want to follow along, if you're watching this on YouTube or something later, I'll try to explain the best I can. So if you go to the Sub-GHz menu, you'll go to Frequency Analyzer. Now, with the Frequency Analyzer feature, it will show you what megahertz is being picked up right now. Looks like I'm picking up some 307 MHz signal; that could be the microphone, actually. So what I can do with the garage door opener remote is I can press the button on it and I receive the signal. It says 310 MHz. So I'm going to press that again just to turn it back. And what I can do on my Flipper is, if I go into Read on the Sub-GHz menu... I guess go ahead and pull your Flippers out if you want to see this; just please don't transmit, that's all I ask. You go to Read, you set the frequency to the frequency that it specifies, it's now scanning, and I don't know how easy it is to see, but there's a little blinking light in the status LED. If I take my garage door, let's see, settings, settings, settings, if I take my garage door I can actually read it out, and we'll see if we can pick up the little beep the Flipper makes. So I just picked up my rolling code; I don't know if you heard that beep or not. So on the screen it says Security+ and it's got the key ID and serial number of this wireless key. I have a Send button, so I can replay that rolling code; it's going to generate the next rolling code in the series, and what I can come over here and do is just replay that code directly to the garage door and open it.

[Applause] Up. It's very likely you can do this to your own garage door. Please, please don't go steal your neighbor's stuff out of their garage just because you learned what you could do with one of these things. There's a lot of vulnerable garage doors.

How about hotel cards? How many of y'all have been to a hotel? I'm almost certain everyone. So many hotels have NFC tap cards now for their doors, and just like anything, they can be hacked. I mean, the DEF CON hotel this year was hackable; I had a clone of my DEF CON hotel room key. We had a party room that we had a little key for, you know, to go ahead and go on in. So

when you've got your hotel key card, essentially what you have to do is grab the serial number off the card. You take your Flipper, you tap it against the hotel key card and it gives you the serial number of it. So you can see, screens kind of haunt me, it doesn't really show up too well, but the serial number of the hotel key card is on there. Next slide. So what you do with that information is you'll come over to the hotel door and you'll actually pick up some responses that the door sends out that involve decrypting the signal, and what you do with that is you can essentially grab the key off the door. You have to tap the door about 10 times before this works. Make sure that you're the only one in the hotel hall, because if you're seen with a little orange or white or black device, whatever color your Flipper is, just tapping a hotel card door, people are going to think you're being a criminal, so please be careful. What you can do with that is you can essentially derive a key that you can use to crack the key card. So there's an app on the Flipper; there's also an app on the phone. Both do about the same thing; it's just the Flipper has a weaker processor, so using the phone is instantaneous to get the keys from the door reader; the Flipper itself takes about 30 seconds roughly, I timed it. With that, you go back over, you tap it to the card, and it's going to brute force every single key it has in its dictionary. Turns out a lot of these key cards don't lock out or erase the data, which is great for us, and this process takes roughly 20 to 30 minutes depending on how many keys you have. You might have downloaded a large preset key dictionary, which I recommend. And when that's done you'll have a copy of your key card.

Now what you can do is tap it to a clone. Now you can also just use your Flipper; however, there's a small problem with a lot of hotel card reader doors. A lot of them have protections against people using their phones to clone hotel key cards, because when they first came out this was kind of a problem; they didn't know how to solve that. So what a lot of hotel card readers have is they've lowered the frequency that they read the cards on. It's just low enough that the cards themselves still work, but it prevents normal NFC antennas that broadcast at the correct frequency from running. So sometimes you have to go the extra mile and clone it to a physical key. These physical keys cost about five bucks on Amazon; they're not really hard to procure. I'm almost certain there's somebody else with one of these here right now. So I took my key, and you saw that little blue key card I had; I essentially went up to a door and opened it. Take a look at this. I've cloned my hotel key card onto this little tag. Let's go try it.

It's that easy.

Kaz, what are you doing? We've got to get out of here. We've already shown them what this thing can do; it's only a matter of time before companies come after us, the three-letter agencies. There's no way; none of these attacks are zero-days. You're really not doing anything too creative. I mean, for example, humans have been doing replay attacks for centuries. Have you ever heard of this thing called a turkey call? That's a replay attack. So don't be concerned that you're going to break laws because you're using some known vulnerability. You can't hack all the things with one button. So what you're saying is we're safe? We're not going to be put on a watch list? Hmm, maybe, but you know, maybe we'll be put on somebody's playlist of, you know, videos to watch later. We'll see.

Well, Jordan's right. I mean, a lot of these things have been around for, well, you know, a decade or so, centuries. We see that one of the oldest is the 2004 hacking of the prox card, so your work badges and everything, that's been a vulnerability for some time. Relay attacks have been a problem since 2010, and low security with Bluetooth Low Energy has been out since 2013. The Flipper has not exploited anything new, and maybe it's time that we stop blaming users for lack of security.

So look, there's a bunch of devices that came out before the Flipper that we essentially put into the Flipper: garage doors, there's OpenSesame; that was back when garage doors, before like the mid-'90s, started using rolling code, they just had static codes with DIP switches, and we were able to brute force those things in seconds. That exists; you can do it with the Flipper too. SDRs have been around forever; I did a talk on SDRs in 2021, so replay attacks have existed well before I did any of that and before this Flipper came out. The prox cards, again, Cazette just talked about that. A lot of stuff we just talked about is on this slide, so the Flipper just unites all these things together into one small package you can carry around with you in your backpack, your pocket, wherever, and that's how it all works. Hack the planet.