
Training Isn't Enough: Hacking Hackers via Flipper Zero + Evil Portals

BSides SATX · 2025 · 45:56 · 88 views · Published 2025-09
Category: Technical
About this talk
BSides San Antonio 2025, June 21 at St. Mary's University
Transcript [en]

You ready? Go ahead with your intro.

>> All right, welcome everyone to BSides. Before we begin, I want to give a quick shout-out to our diamond sponsor USAA and St. Mary's for making this event possible. We are also... I'll turn it over to Garrett. He will be discussing Training Isn't Enough: Hacking Hackers via Flipper Zero plus Evil Portals. As a first-time speaker, please help me welcome him. [Applause]
>> Thank you. Good morning, BSides San Antonio. I'm really grateful for this opportunity to be here with you all. I've been to and spoken at multiple conferences and I have to say I really dig the kind of intimate and family-friendly vibes that I can always

count on here at my local BSides. On that note, I want to thank everyone who helped put this event together: the sponsors, organizers, and volunteers. So, you applauded for me. Let's go ahead and give them a round of applause as well. Please pass that along. And, you know, we don't have a keynote where we get to do that, I think. So, that's good. My presentation, as mentioned, is entitled Training Isn't Enough: Hacking Hackers via Flipper Zero and Evil Portals. I'm Garrett Miler. I'm the owner of Enclave Defense, and I moonlight as a cyber warfare operator with the Air Force Reserves. I specialize in cyber

vulnerability and risk assessments and compliance, particularly within critical infrastructure ICS/OT networks. So if you want to chat about hacking trains, that's kind of my specialty. That's kind of what I got started in. Feel free to chat me up later. But as much as I love what I do, what I'm most proud of is my beautiful wife, Julie, and our five children. Julie and my two oldest are actually here today for their first cyber conference ever. So welcome to them. Graden's 12, Maisy's 10, and they're like... we homeschool. They're nerds. So I think they'll fit in. Julie is so

supportive. She even joins me for our occasional Cyroers podcast, where viewers get cyber security news from an analyst and a noob. And today is actually Julie's birthday. So, happy birthday, Julie. Thanks for coming. Oh, lots of class. Lots of caps. Okay. All right. So, let's do a quick introduction of the Flipper Zero. It's been around for almost 5 years now, so I'm sure many of you are familiar with it, but I want to make sure we're all on the same page. The Flipper Zero is basically like a Swiss Army knife for wireless hacking, but it feels more like a Tamagotchi. Out of the box it does near field communication

and RFID so that you can clone your hotel room keys or your HOA pool key. It also has a sub-gigahertz radio for things like garage doors or even key fobs of older vehicles. I have been able to successfully unlock my 2005 Ford Excursion. It is a four-wheel drive 6.0 L turbo diesel, in case anyone's into cars and trucks and cares. But, last but not least, it has infrared to control things like projectors or TVs. Use responsibly if you're at a bar. People are really into the football games. Okay. But because it's fully open source and has GPIO pins, there's a great

community that provides a lot of hardware and software modules to greatly expand the Flipper Zero's capabilities, such as a Wi-Fi dev board that you can use to do evil portal attacks. But first let's talk about Canada. Eh, a fun fact about me is that I lived in Ontario, Canada for a couple of years and I sing the Canadian national anthem with more patriotism than most Canadians. Don't tempt me. America's Hat has a vibrant hacker community and I had the pleasure of speaking at NorthSec in Montreal last year, and one thing I talked to them about, even though it wasn't my topic (my topic was Beware of Infosec Influencers), I

kind of mentioned this, that the Canadian government was seriously considering for a while banning the Flipper Zero. Now, when I present I like to encourage audience engagement. So I'll give a hundred grand to whoever correctly answers my questions during this presentation. Does anyone know what was the primary catalyst of the Flipper Zero almost getting banned in Canada?
>> Oh, someone shouted it out, but I'll go with... Nope. Nothing to do with who said it back there.
>> Car hacking.
>> Car hacking. Good job. Here's 100 grand.
>> All right. Come after. Come after.
>> Oh, yeah. He's in the back, man. All right. Sorry. I don't want to injure. My

wife told me these wouldn't hurt anyone, so I went with these. But I... Oh, okay. Wow. We got the wrong... Okay. Anyways, that's right. Last year, in March of last year, a couple of security researchers published a proof of concept in which they demonstrated how a Flipper Zero-powered evil portal attack spoofing the Wi-Fi at Tesla Superchargers could potentially allow attackers to gain access to the account of a social-engineered Tesla owner, from which an attacker could add their phone as a new key and thereby steal the car, because, if you don't know, with Tesla you can use your phone as a proxy. And once you got

once they got into the account, they could steal the car. Kind of a cool proof of concept, right? But as I regularly preach, I preach risk-based cyber security. Just because something is possible doesn't mean that it's likely. But unfortunately, this proof of concept came out right in the middle of a car theft crisis in Canada.

>> Sorry, a little low. Says promise you'll be able to major meetings tomorrow.
>> So you can see how the Flipper Zero, especially after this proof of concept was published, looked like the perfect scapegoat for Canadian politicians desperate to look like they were doing something to help solve the problem. Now, as Texans, you might be thinking, well, wouldn't catching and arresting the car thieves be a solution? Yeah, but, you know, they put gravy on French fries up there. It's just a whole different world. So, and to be fair, by my own personal experience, SAPD isn't really doing much to catch car thieves either. Even if

they steal a moving truck with all your personal belongings in it. Ask me how I know. All right. So, what also didn't help is that there are a bunch of fake hacker clout chasers on YouTube greatly exaggerating or just straight up lying about the Flipper Zero's capabilities.
>> Flipper Zero.
>> Red light patch. It's a patch, not a module or firmware. It's a patch. And think of that. It turned green just as he was pointing his Flipper Zero at it. Okay. So now for another 100 grand, who can tell me the name of the most common IR traffic light system for emergency vehicles? No one? Opticom. Opticon. Opticom, I think. Let

me see. I have it written down here. Opticom. No. So that's all right. It operates at... we know that it operates between 10 to 15 hertz. There's a signal generator that technically, if you use this IR blaster and maybe enough power, if you could get more power (I don't think it's possible with the existing configuration), but in theory it could be possible if you set it to the right hertz, maybe magnify it or something, but he's certainly not doing that. Okay, so we got to move on. Let's talk about evil portals. I'm sure y'all have seen Wi-Fi captive portals

at hotels, airports, fast food joints, among other places. So, how can they be weaponized and turned evil? Well, whether you're a malicious threat actor or an ethical researcher trying to collect real-world data, you're not going to make it obvious by naming the access point or SSID "malicious" or adding scary iconography to the portal. No, you'll want to make it as realistic and legitimate-looking as possible. Here are my two most successful evil portals. Basically, they're just fake; I'm capturing the user input and it doesn't even connect someone to the internet, which I'll talk about later, and that actually drives some pretty interesting behaviors. But

there are many pre-built, out-of-the-box evil portals that people can use for Google, Microsoft, Facebook, all the major airlines. But I custom-made the Holland America one. I'm not really an HTML coder. You just basically have to take the image. I took the existing one and put the image I wanted into an image-to-base64 converter, threw that text into it, and it's fairly easy. So, I custom built a Holland America one for an Inside Passage cruise that my wife and I and her family did, and I caught a whopping 17 unwitting test subjects in just four days of testing. I

kind of got bored. I just kept it in my pocket at dinner or at the shows that we went to. And I just thought I'd done enough testing during that cruise. It was like an eight-day cruise, but I only did half of it. Okay. So, some of you might be thinking right now: is doing this, even for ethical research, legal? First, I'm not an attorney. And while state laws differ, you know, there are state and federal laws, but after a careful reading of the Computer Fraud and Abuse Act, social engineering people to get

them to disclose sensitive information and not using it in any malicious way is an activity within my own personal risk tolerance threshold. So, your mileage may vary. But the good news is I get paid too much to do anything malicious with this. But I would invite you to consider that there are plenty of other legal tools that use active measures to identify and even publicly disclose sensitive details about potential targets. For 100 grand, this is an easy one. For 100 grand, can anyone tell me what this tool is?
>> Oh, it's almost gone. No,
>> let's shoot on.
>> There you go. I kind of edited it.

but that's Shodan. Now for another 100 grand, can someone tell me... you notice on the left I got CVE details. How can some users, for free, be able to search Shodan based on CVE? Anyone know how you can get that capability for free?
>> Easy feature for a free account and then use search filters.
>> No, it's not a feature available for the free account.
>> There's this trick. We're at a university. What is it? There you go. See you.
>> Sorry. So, if you have a .edu email address, just get a free academic upgrade. You can search by CVE. It's pretty cool. There are other tools besides the Flipper

Zero capable of doing this. Another 100 grand. Who can name that other tool?
>> Pineapple.
>> Yeah, the Wi-Fi Pineapple. Has anyone experienced doing evil portal attacks specifically, or anything else, on the Wi-Fi Pineapple? Do you find it user friendly? No, it's really finicky, right? And that's what a lot of people without experience in infosec don't realize: they make it look really good the one time it works on YouTube, right? But it's very finicky. I actually tried using it. The advantage to the Wi-Fi Pineapple is that you have multiple interfaces. You can connect to the actual internet and filter them. You can act as an evil twin and actually

filter them to the correct Wi-Fi that they're trying to get to. Right.
>> Yeah. We use it for... we're doing wireless audits. So we could look up local bands to see what ranges there are.
>> Yeah. But for me it was so much easier just to bring the Flipper Zero, and it was more reliable, and I just liked it better. By the way, there are different firmwares. I believe I'm using Xtreme for the demo, which we're going to do right now. I've also used Unleashed and I think the regular one. Like my pool card, for whatever reason, my HOA pool card will

not work with Xtreme, but it works with the default firmware, the OG or OEM firmware. So, live demo. I'm going to go ahead and switch to that right now if you'll bear with me here. Let's make this a little bigger if I can. All right. You see that? All right. So, I'm going to go to Apps, Wi-Fi, Evil Portal, Set AP Name. I did this at Walmart last, so let's go ahead. Got no one, by the way, while I was getting my haircut. But we'll change it to BSides.

So, yeah, Google is kind of my go-to. It works really well. I'll just keep it like that even though it's not going to be Google. Save. And let's see if this works. Feeling adventurous. I just did a BSides one, so let's see if that works.

Gears make it a little bit easier. Obviously, it's got some limitations. It's only 2.4 GHz, not 5. And obviously it's got the power that it's got. Oh, whoops. I left HTML. I didn't start it. Okay. Start portal. And you should be able to... Oh, it rebooted. Yeah. See, sometimes the custom ones don't work so well because they... So, let's set a different... Let's just go to the Google one or American Airlines.

>> Yep, that's working. Yeah. So I built a custom
>> I built a custom one that said BSides, and it says please be professional. So this is going to be public. So don't do anything too inappropriate so that we don't lose the ability to do live demos in the future when someone complains. All right. So, oh, let's make this bigger. So "client connected" just means that they haven't entered anything in. They've just connected.

Some, if you have a Samsung or iPhone, sometimes the captive portal... I haven't been able to figure out how to get it up. Someone else... Oh, there you go. Hi, Francis. And it's a secret password. Thanks, Francis.
>> So, if you can't get on your phone, feel free to show the person next to you. This is benign so long as you don't put in any sensitive information, right? It's up to you how good of a secret you want to tell me. Let's wait for maybe one more. Someone else wants to share something.

I see. Oh, advertising some guerrilla marketing here for ISC2 Alamo Chapter. If you were there, I did give a shortened version of this presentation to them. So thank you to ISC2 Alamo Chapter. They're a great group. All right, let's go back to our presentation here. All right. So, sometimes people figure it out. I started to do this shortly after the proof of concept was developed. I was asked to serve on the white cell for the cyber security portion of a military exercise. So, I was what they called the lead artifact developer. I

helped basically put together, find pcaps with malicious, you know, and put different things together like little clues for the blue team to work on during the exercise. So, I thought, someone could do this. Let's do an evil portal attack. And I think this was at the officers' club on base. Someone knew what I was doing: "I know you're doing this, Miler." And then that one, "Nobody cares about your spam@gmail.com." They realized. This was on the cruise ship. I think sometime after this I decided okay, I'm going to stop doing it

on the cruise ship anymore. Someone figured out that it at least wasn't legit. B Surf suggests that they might be from California. It's a great surf shop. All right. So what do you think is your most stereotypical social engineering victim? Who do you think would be most susceptible? Go ahead. I have to give some new people. New people.
>> Anyone. It really is. Okay. Anyone ask that easy answer, but who would you mostly get?
>> Older people.
>> Yeah. You think old people know less of technology. My mom, I didn't even tell my wife this, my mom literally called yesterday because she clicked on a malicious link and was like, "Oh,

my Facebook's locked." And I'm like, "What does the URL say?" Brush your back. I'm sorry. Anyways, just restart the computer and delete the thing. I kind of talked about VirusTotal: you can put the URL in and it popped. So, yeah, we'll mostly think of older people. All right. Oh, new technology. I'm getting there. I have five kids, so I'm just saying. But you'd be surprised. Out of the 48 test subjects I was able to catch across eight months (I've been doing this for a year, but I took a break for like four months; it just collected dust), so I only

counted the eight months. The average age is 34. And you can see by decade it's the 30s, people in their 30s, that were the most common test subject. Millennials, you win. Congratulations for being the most addicted. Anyone know the name of that movie for 100 grand?
>> Cle...
>> Oh, sorry. I'm a bad... I do cyber security better than I feel. I swear. All right. So, how do I find out the demographics of my test subjects? Well, OSINT, open source intelligence. These are some of the tools I used. Dehashed is a paid one. It's really powerful. You can search by

email. That's another one kind of like Shodan. Pay for it. I encourage everyone to pay for it for one week. You can just do, I think, a day or a week and see how powerful it is. Just enter in your email, enter in people's emails, enter in passwords. So, who's familiar with the ransomware group that had the most recent ransomware group leak? Most recent. It was Conti. I actually presented here on my independent analysis of the Conti ransomware leaks. I'll give you a hint. It's been around like the longest.
>> LockBit.
>> Yeah, there you go. All right. So, LockBit had this leak. I'm

actually currently doing another independent analysis on that. And included were the usernames and cleartext passwords. And some of them look like passwords you would use for the same email, you know what I mean? Like something you would memorize, not random. And I actually did some persona analysis using Dehashed. But you'd be surprised how much Pinterest came up. It was useful because people use the same first part of your email address, because they gave you their email address, right? Sometimes clues were in the passwords, but the email address was pretty useful, and sometimes I could not find anything, but then all of a sudden

I'd see the exact same really weird unique thing for Pinterest and it would help me find out where they are or confirm that they are who I thought they were. I was able to find the vast majority of people using OSINT; some not, but the vast majority. So here are some impressive test subjects. I caught a pediatric cardiologist in his 30s, a female systems engineer in her 30s. I blurred out the company name, as you can see. No grin. Yeah. A med student in his 20s. Also, I think he's a track and field athlete as well. So that's why I put that. And an attorney

in her 20s. The fun fact about the med student: he got a near-perfect score on his SAT. So he's no dummy, but he still fell for it. Some other people I got, because I'm in the military, I happened to be around them a lot. The first person I actually ever caught was a member of the blue team at a military exercise. I was playing with it. We were all out to dinner and I was doing it in the lobby, or the foyer, while we were waiting, and I'm like, "Oh my gosh, this is the first person I caught." So I said, "I caught

someone." I look up uh her Gmail address and she's one of our blue team, one of the like two blue team members for the exercise. Um I caught a total of 13 service members of various uh occupations. Uh one army guy and uh 12 air force people. Uh, and I didn't catch them all like I caught them at places like Urban Air and that and that uh restaurant. Uh, I was there for a B kids birthday party and I caught uh a military person. So, I like I use AI. So, I love how if you don't know, we wear ties. Once you get to a chief, you put a tie underneath your abus. Um, and there were some military or DoD

related. This is a big DoD community. Oh, so anyways. So, yeah, Jeff is not impressed. These people, if you don't know, DoD members all go through a cyber awareness training every year. And it's led by our friend Jeff here. So, you would hope that... but the cyber awareness training doesn't really cover evil portals. So, maybe we should add that. I don't know. Here are some other people. A CEO, a network engineer in her 40s who is a Certified Ethical Hacker. So, the title is not just clickbait. I did hack hackers. A Certified Ethical Hacker. She's Security+, I forget this. I don't know this one too well, but this senior leader of an

IT company in his 50s, and cyber, both. So I put these... there's kind of a duplicate here because it was easier than... I think I ran out of ChatGPT image generation. So they were very similar, these two people. One focused on offense, one focused on defense. One had a CCNA, the other had like a Security+, a networking one, and they were both senior NCOs. I won't tell them who you are if they don't try to get me in trouble. I won't. But so what's the main takeaway here? It's not to shame these people. It's simply to say sometimes we're in a hurry. We all make mistakes. Even

well-trained people who you'd think would not fall for this have fallen. Here are some interesting behaviors. Some really bad passwords: the university and the year that they graduated really made it a lot easier for OSINT to find, or their first name and the year that they were born, or I think that was the year that they were born. And then the fact that you'd think people would catch on if, you know, they enter their information and it doesn't connect to the internet. Well, some people are really determined. They will just give me every variation they ever used of that password. So if

you can see that. Yeah. All right. So, how do we mitigate it? Right. I'm not against... I'm a cyber security trainer in the Air Force. I'm a 62443 trainer for the International Society of Automation. I'm pro-training. I'm not... I'm just saying don't put all your eggs in one basket. And training is maybe not even the most effective tool in many instances. So people like KnowBe4 offer great services, but they're also the ones that... part of my infosec influencers chat is, you know, has anyone heard "95% of cyber attacks are created by phishing," or start from phishing or social engineering? It's false, completely false. It

comes from... I traced it back. So these things sometimes will... the problem is that executives just trust what they hear. They just assume what I'm hearing the most is what I need to be doing. And those vendors, those trainer vendors, are very good at pushing false statistics, regurgitating false statistics. I mean, it's been regurgitated by the World Economic Forum and stuff like that. And even CISA, I found, CISA, Splunk, many people. You can see on my Cyber Mileage channel, I've got a video about that. But anyways, that's besides the point. So, I really like

this analysis by CISA. They do it every year. I had to update this because the last one was back in September for fiscal year 2023. They analyzed 143 cyber vulnerability and risk assessments conducted by CISA and by the US Coast Guard and looked at trends as to what they found, the techniques you can expect an attacker to use across what they call the attack path. The attack path is 11 tactics loosely based on MITRE's ATT&CK framework. And so you can see here, more than any other technique, the abuse of valid accounts is used by far. No one comes...

no technique comes close to the abuse of valid accounts. To fit it all and make it viewable, I took the various path... like initial access, it's 41.28. Obviously that's a really important one because they need access first to do anything, right? And then as they go through the different stages of the attack, they continue to... Do you have... I think we have time. Do you have a question or comment?
>> Yeah. So are we talking about like in a single breach scenario or are we talking about like a...
>> So these are based... yeah, I think what the analysts did was they

looked at the vulnerabilities that they found in their vulnerability risk assessments and identified which ones are most likely to be leveraged and exploited in an attack across those. Granted, because this is focused on US Coast Guard and CISA, this information could be slightly biased in favor of the critical infrastructure sectors that they give the most attention to. So my guess would be transportation, especially maritime with the US Coast Guard, defense industrial base, energy, and water and wastewater sectors. But still, I think it's very interesting information. So what's the mitigation? Along with this they provided mitigations.

What, besides training (training is good), what are mitigations? Anyone?
>> You could... yeah.
>> You can geo-pass.
>> Geofencing, you can geo... No offense to all. You can do, do you have multifactor if you're not using the phone
>> specifically. Now I'm using SMS.
>> Yeah,
>> SMS. Yeah, SMS is illeg. But mind you, if SMS is the easiest way for an employer to get everyone using two-factor authentication, they decide, well, you know what, if people don't have an authenticator app, whatever, it's better that they do have SMS than no two-factor authentication, right? So I kind of agree.

It's true. It's a fact that because of SIM swapping, right, there's a risk of that, but it's certainly better than nothing. It keeps you from being low-hanging fruit. So yeah, two-factor. Oh, I think I mixed up my slides. So let's talk a little bit about phishing, which is a common way for people to leak their credentials. So this is a little sneak preview. I've submitted... I should find out in the next day or tomorrow whether or not I'm speaking in Taiwan. I found in my research that Taiwan seems to be

disproportionately targeted by ransomware, at least LockBit ransomware affiliates, because... them and China. Also there's some interesting stuff about China in there. They just pay. They pay. So they have learned who pays and who doesn't. So here is... this one's not from China, though. This is, I think, in the Philippines, a financial institution. They ended up paying 40 grand. But you can see here, I know that this is what the chat looks like because in some, at least on the LockBit affiliates' end, because they got frustrated. They said, you know, it'll be 20 grand if you pay by this

date. And then like a week, well beyond that date, they're like, can we still honor the same price? Like you forgot the terms, you know, the conditions. And then they sent a screenshot, a URL for a screenshot that you can still go to and see that this is basically what it looks like on their end, the UI at least for the chat. So I used that, then I filled it in. I obviously don't have this for everyone. I kind of did my own little poor man's PowerPoint graphics design. But so there's the chat, and he said we got in through phishing. A big one is

also having the admin on the domain. And then here's another victim. Both are from Christopher. That's kind of who I'd focus on. Christopher is really targeting Taiwan. So here's one from Taiwan just a couple months ago, in April. That's a manufacturer in Taiwan. They ended up paying... Oh, I think I should... The original ransom was 100K. That's not 10K. The original ransom was 100K and they ended up paying 60, which as a percentage of the revenue... actually the manufacturer... actually this is like a smaller financial institution, so they actually paid a higher... I also am calculating the percentage that they paid based on annual revenue because from the Conti

ransomware leaks I found out that they are really focused on... they use ZoomInfo, I think it is, to understand the annual revenue to make their initial ransom demand as a portion of that. So they actually paid, despite the 40,000 being less for the financial institution, they actually paid more as a percentage of their estimated annual revenue. Sometimes it's public, sometimes it isn't. Okay. So risk mitigation. We mentioned two-factor authentication. 400 grand, someone new. Sorry guys. What is the picture on the right there depicting? It's an IBM YouTube video. It says FIDO.

>> We're currently on FIDO. But what's the common name for it?
>> YubiKeys.
>> So I'm taking this... that's not exactly what this is describing. Oh,
>> software version of a YubiKey.
>> A virtual version. Think of virtual.
>> That was a good throw. On a high note.
>> And on a high note, that was a good throw. All right. So, yeah. Passkeys. For those who might be skeptical, passkeys, from what I can tell, I invite you to watch that IBM video. It is a more convenient two-factor authentication. You're using your device as something you have and your biometrics. So I'm a fan of passkeys as well as two-factor

authentication, whether it be hardware-based or not. So, I think I left a good amount of time actually for some questions. Any questions, comments? We can go back to the live demo. See if anyone else has been playing around.
>> How much is your Wi-Fi module, your cost?
>> Singularity Cyber.
>> How much did what?
>> Oh, you know, I don't remember. Maybe, anyone know? It's like maybe 50 bucks or something, or 70 bucks?
>> Yeah, I bought it from the official Flipper Zero store. They started selling them, I think, at $169. Now they're up at $200 for a

flipper, for just the base Flipper Zero. And I've got some other... so I have two of them so I can simultaneously test two different firmwares. I've got those out,
>> a sub-gigahertz
>> extender. There's also this. This works really well with RFID. This is the Chameleon Ultra. It's really small. So I got this mostly as a proof of concept for training people in critical infrastructure. I could keep this under my shirt, and if you have your thing hanging and I have this right below my shirt hanging at the same level... I'm short, right? So maybe I give them a hug and this

works very fast for RFID. It's kind of clunky for NFC, but the people I was training at the large critical infrastructure facility, their cards were RFID, and so I was able to demonstrate that. This is the Multipass, which is for those traditional magstripe cards. One thing I found interesting on the cruise, I didn't have this with me. I'd known about it but I unfortunately didn't have it with me at the time. On the cruise, I don't know if other people besides Holland America do this, but they will provide your room key card just sitting outside the room. That's the fastest; they've

determined that's the most efficient way. So if someone had one of these... and they use this traditional mag swipe. If they switched to NFC... and not all NFC, by the way. Like credit cards, their encrypted technology won't work; some hotel cards won't work as well. But yeah, so hypothetically, you know, I always have that evil bit set in my head: someone could swipe cards, because you don't even need to fiddle with the Flipper Zero. You just buy a USB card swiper, swipe it, and then save that for later. You know, save it as the room number and do your Flipper Zero stuff. Prep your Flipper Zero stuff later. Any other questions?

>> Yeah, >> I got a two-part question. So, for your Flippers, you had an issue earlier. Which one was your favorite firmware? >> That was my... sorry, that's got to be my wife or something. Thank you very much for the compliment. Sorry, what was the question? >> He asked which one was your favorite firmware for the Flipper. >> So it's hard. I like Xtreme. I got evil portals working on the OEM firmware, the original firmware, but it doesn't show up on the screen. With Xtreme I can see on the screen as I'm getting test

subjects come in with the user press. The other one I can't. So I like Xtreme, but like I said, I had this pool card. I couldn't figure out why; it just wasn't supported. And it currently is supported under the OEM firmware. Someone did a module, but it isn't on Xtreme yet. So it just kind of depends what you're using it for. You might find one firmware works better for the garage door openers or for the sub-gigahertz stuff than the other one. The OEM, the original firmware, has made a lot of progress. They have a lot of modules. So I would

kind of play with OEM and Xtreme, but I kind of like Xtreme, at least for evil portals. >> Okay. And since you mentioned OEM, I would imagine in the open library there's probably been a lot of users customizing firmware, to add features or take away, make it a little bit more diverse. >> Yeah. I mean, the open source community is incredible. I'll give you an example. You can upload just the files. I haven't done this yet on my GitHub. I should, but I've got a bunch of remotes for air conditioners, for weird things, right? So

I was thinking I should put that on GitHub so that someone who has this old remote and lost it, and someone wants to charge like $100 for it on eBay, if they want to buy a $200 Flipper Zero, they could use that file. So other people have uploaded, for example, the call systems. There's a call button in some places like CVS and Walgreens; you push a button and it says "customer service needed in the cosmetics department." People have uploaded those individual files, and there's one evil one that just goes through every department. With permission, like I said, I'm an ethical hacker. With permission, I did one at my

local Walgreens. And oh, actually, maybe I told them after the fact. They were confused. But I told them, and I bought something to make them feel better about it. They were confused because they'd actually removed the system. Their call buttons are no longer in there, but they left the underlying system, you know, the server, in there. And so they're like, "What? I haven't heard that in a year or so." Anyways, so your question was basically about the community, right? Yeah. Now some might be picked up by one firmware before another one. So it just depends what

new capability you're looking for. >> I got a couple more minutes. I actually ended early. I was worried I wasn't going to have enough time. >> Um, yes. >> Have you ever, like, caught somebody, like while you're doing it, approach you? >> They haven't approached me. No. Because that's the great thing about it. Obviously I was caught out on that one slide, you know, demonstrated, where someone knew it was me. I probably told them and showed them what I was doing. By the way, I don't want to call anyone out, but I had senior leadership... I'd asked permission to do this in my own squadron. Fortunately,

no one got caught. But I do get permission sometimes if I'm in kind of a sensitive environment. But no, it's because it's so discreet, right, that's the word I'm looking for. You just put it in your pocket, put it in your backpack, and they have to be pretty close by. Oh, I was going to put my picture in. I supported a military exercise in Hawaii recently and I got a lot of people on the flight from Hawaii to DFW. I don't really hide it, you know; I took a picture of it

on top of the seat with all the people in the background. American Airlines is what I was trying then. I put it up intentionally; when I go to airports I put it up high. I want to attract... I use it, most of this research, just to see the demographics of people who were susceptible to this, but two, to kind of attract fellow hackers, if someone recognizes what it is. So I was doing it at a restaurant in Hawaii while I was there and someone's like, "Is that a Flipper?" and he was a young college student. I told him about it and it was an

interesting conversation we had. But no, no one's successfully identified me, like said, "Hey, I just put my information in, looked around when it didn't work, and I see you delete my information." So anyways, any other questions? >> Yeah, we have a couple more minutes, otherwise we can cut early. Yeah, in the back. >> How do you get the demographics? >> Yeah. So I use open source intelligence, that one slide with all the different tools. But to elaborate a little bit, I'll start with their email address, and you can just, in parentheses, look for the exact email address. Or sometimes, I mean a lot of times,

it's first name, last name. A lot of people have professional email addresses, and that's what they primarily use as their primary email address, so I just search that, especially if it's unique. Or I can use where I caught them as an indication, you know what I mean? In Seattle I did it at, what's it called? Pike's... >> Place. >> Pike Place. Right. So if I find someone with that name, I'm going to start with Seattle. I'm pretty good at OSINT, that one slide. You know, I will find you. I have

skills. But it is hard. It gets harder when you have a common name, or maybe when you don't have anything sensitive like a university in your password or something like that. >> Yeah. So touching on your background, do you see any risk, in the future, of say a bot or a crowd using a similar tool against networks as you walk around, where you'd see something similar? >> So in critical infrastructure, Wi-Fi generally is not used for critical processes. I was working a train project in Canada actually, and they were so obsessed about

Wi-Fi, but it was WPA2 encrypted, and they assured me that the password was long and unique. And the only thing it's used for is when the train goes into the depot, it removes the logs, trouble logs and counts and stuff like that, at the end of the day. So I said, if you're confident... I had to caveat it, but they were worried about brute forcing, like, no, if it's a truly unique password and it's long, no one's going to do an offline attack. You can see the things; it takes like thousands of years to brute

force. So what they do is they use dictionary attacks. So anyways, to answer your question, it's something that should be considered, but typically, and especially in critical infrastructure, like this train: they were obsessed about the Wi-Fi, but it had no network access controls. If I could sneak in... and the equipment door was using a generic maintainer key that anyone can buy off of Amazon. So I planted a travel Wi-Fi router and just plugged it in. The only tricky thing was it's industrial Ethernet, not your RJ45 connection. You just screw it in, and

it gave me an IP address, and I was able to do a denial-of-service attack and force the train to a stop. But even then you have to contextualize that risk. If the end impact was a forced stop of the train, they could have just rented or stolen a truck, because that's really popular in Canada, stealing trucks, and just parked it. It was a surface-level light rail. They could just drive it onto the track. I assess that that's more likely than someone taking the risk of dressing up like an employee, implanting something and then doing the

attack. So, yeah, generally it is something that needs to be considered, but I find most critical infrastructure systems and networks have other things that are prioritized higher. >> Well, thank you very much. We'll get ready for the next person. Thank you.

>> I am on LinkedIn. Yeah, I am on LinkedIn, enclavedefense.com, or find cyber mileers on YouTube.