
This Makes Hacking TOO Easy - Flipper Zero

TannerMcCoolman

Banned on Amazon. Seized in Brazil. It’s capable of reading, writing, spoofing, and emulating everything from RFID to NFC, sub-GHz RF to infrared, and much more. Is the Flipper Zero too dangerous to be widely available to consumers, or is that just unfounded fear mongering?


(9:12) Which one of the Logitech devices is affected by the BadUSB vulnerability? I never heard about that, and I have plenty of Logitech stuff in my house. If Linus's old one is like 4-5 years, I think 80% of that is vulnerable.


*In Hermione's voice* It's "Prosvetova", not "Prosvetova"

Yes, I had an account here before. Do not ask me about something related to current political events in the part of the planet I live in - I wouldn't answer that for my own sake and safety. Feel free to address me with any other kind of questions.


To be fair. The flipper zero is just a neatly organized device packing a bunch of features in a fancy box.

As the video states, everything can be done already with other parts.

 

However.

It is debatable if such tools should or should not be easily obtainable.

 

Regulators can "ban" these devices, but that doesn't fix the problem.

Regulators can likewise turn a blind eye, but that also doesn't fix the problem.

 

The problem isn't devices like these. The problem is the general attitude of "why would this need security?" that is fairly common among developers. Then it is also common among developers to use insecure or frankly outdated security methods.

 

However.

There is a bit of a problem with the devices getting attacked. Not directly that they are insecure. But rather that they require serious investment to upgrade to something secure. And most people that are affected by the lack of security don't have the means to fix said issues either.

 

In the end.

It is a complex topic.

But the important thing is to learn that security is honestly quite important for some applications. And oftentimes, it is better to be a bit too secure than too little.

 

However, the vast majority of security issues are often due to wireless technology. Since a lot of wireless stuff for simpler applications doesn't care about security and frankly uses the radio spectrum as if it were a cable, often only doing the bare minimum in avoiding package collisions and to ensure error correction if needed, beyond that security is not even on the list of important things to consider. And oftentimes, this works just fine.

 

If people weren't afraid of the frankly pathetic cost of running a cable, then the vast majority of these security issues wouldn't be a thing. (attacking cable infrastructure still happens, but that is often harder to do in practice. And often easier to detect.)


1 hour ago, Gokul_P said:

(9:12) Which one of the Logitech devices is affected by the BadUSB vulnerability? I never heard about that, and I have plenty of Logitech stuff in my house. If Linus's old one is like 4-5 years, I think 80% of that is vulnerable.

The unify dongles have firmware that can be updated through the unify software. So if you did that then it might be okay, as they explicitly mentioned unpatched unify dongles.

There aren't many subjects that benefit from binary takes on them in a discussion.

 

 


I very rarely comment on anything but this was right up my wheelhouse.


This is a pretty good overview of it as a tool, and you're very correct that there's nothing it can do that couldn't have been done by someone for <$40 or so for the last 10-15 years. The only major difference is that it's easily accessible, you don't need to piece modules together, just run the firmware you want and be a script-kiddie. I think this coverage is much, much better than much of what else I've seen online and from media, which is normally some breathless nonsense about the hackers are going to end the world with a microcontroller and an RF transceiver, WATCH THE EVIL PEOPLE OPEN A TESLA CHARGE PORT!

I do have one major criticism of the script though, at 10:30, Linus says "Is it as amoral as a HackRF one" - That's one thing I take issue with, and those words in the mouth of a regulator that lacks the tech background would be very dangerous. Fundamentally HackRF one or any other tool is just that, it's a tool. It's actually a very useful tool that I've used in my day job as an engineer, SDRs are remarkably handy things to have around. I think that ascribing morality to tools based on what someone could do with one is a bit of a mistake, and the morality of their use lies solely on the person using them. HackRF one was by no means the first USB SDR transceiver, or the first to be used for security research, they were just quite cost effective compared to the competition when they were released. There are any number of tools I use in my day to day that could theoretically be used for all sorts of nefarious purposes, and there's nothing stopping Joe Bloggs off the street buying any of them. If devices similar to the Flipper Zero get legislated against, there's a high likelihood that would also affect a significant number of tools used by electronic engineers, and the world of electronics / "Maker" hobbyists.

As far as the actual security concerns, like it says in the video, there's nothing new, just bringing it to the attention of the wider public. Many of the flaws are so simple to remedy that personally I think it borders on unethical neglect by many manufacturers. Rolling codes aren't hard to implement, and there are many schemes that can circumvent the replay attacks mentioned in the video (very good quick explanation of how they work by the way).

Overall though, obviously well researched and informative to the layperson!

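The rolling-code idea mentioned in the post above, as an added example that is not part of the thread or of any product's firmware: a receiver that accepts each authenticated counter value at most once, so a recorded frame is rejected when it is sent again. The frame layout (4-byte counter plus truncated HMAC-SHA256 tag), the window size, the key and the `Remote`/`Receiver` names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8   # bytes of HMAC-SHA256 kept in each frame (assumed layout)
WINDOW = 16   # counter values ahead of the last accepted one that are tolerated


def _tag(key: bytes, counter: int) -> bytes:
    """Authenticate the counter so a frame cannot be built without the key."""
    return hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()[:TAG_LEN]


class Remote:
    """Hypothetical transmitter: every press sends a new counter value."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> bytes:
        self.counter += 1
        return struct.pack(">I", self.counter) + _tag(self.key, self.counter)


class Receiver:
    """Hypothetical receiver: accepts each counter value at most once."""

    def __init__(self, key: bytes, last: int = 0):
        self.key, self.last = key, last

    def accept(self, frame: bytes) -> str:
        if len(frame) != 4 + TAG_LEN:
            return "malformed"
        (counter,) = struct.unpack(">I", frame[:4])
        # Constant-time comparison of the received tag with the expected one.
        if not hmac.compare_digest(frame[4:], _tag(self.key, counter)):
            return "bad-tag"
        if counter <= self.last:
            return "replay"          # already used, or older than a used frame
        if counter > self.last + WINDOW:
            return "out-of-window"   # too far ahead; needs a resync procedure
        self.last = counter          # invalidates every earlier counter value
        return "ok"


def demo() -> list:
    key = bytes(range(32))           # constructed key, for the example only
    remote, rx = Remote(key), Receiver(key)
    first = remote.press()
    results = [rx.accept(first), rx.accept(first)]   # same frame sent twice
    for _ in range(3):
        remote.press()               # presses made out of the receiver's range
    results.append(rx.accept(remote.press()))        # counter 5, inside window
    results.append(rx.accept(struct.pack(">I", 6) + first[4:]))  # reused tag
    results.append(rx.accept(Remote(key, counter=1000).press()))
    return results


if __name__ == "__main__":
    print(demo())
```

The window lets the receiver stay in step when the remote is pressed out of range, and accepting a frame retires every lower counter value, including frames that were transmitted but never received.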

17 minutes ago, Nystemy said:

 

It is debatable if such tools should or should not be easily obtainable.

my dad just bought a padlock.. it's shimmable, and *probably* comb-able, but at the point of it being shimmable the comb doesnt even matter anymore.

 

if padlock shims were something with mainstream availability, we might finally get people to care about padlocks that are actually more than a deterrent and an annoyance for the owner of said padlock.

 

i'm pretty glad to be out of IT for this very reason.. the idea you spend countless hours on the digital security of a place, and then the equipment is behind locks that are all shimmable, with a security system that uses cloneable credentials, and has no logging on the most important doors...

 

the only way to fix this bullshit, is to make people aware of every security hole they keep buying into. the lock industry has a *VERY* "dont talk about the dangers" attitude, which results in mistakes that we *have* fixes for to still exist 100 years after those fixes were invented. dont make digital security go the way of physical security.

 

Every place i've helped set the security up for, i could walk right in and walk off with "very secure" data. not because i did a poor job or because i know how it was set up.. just because the people who made the decisions made poor decisions out of a complete unawareness of the dangers.

 

one specific facility i'll talk about as vaguely as possible:

- the rear door is shimmable, it's probably the second most secure door in the facility (more on that below) but it's got a push to exit and it clicks shut.. and it sure as hell doesnt have a dead latch. being on the facility perimeter also means you basically have all night to get it open.

- all the network rooms have badge readers without logging, cloneable credentials, and probably vulnerability to magnet attacks. oh, and of course no door open sensors. environmental control might raise an alarm before security does.

- same doors are shimmable, vulnerable to over the door attacks, under door attacks, and hinge pin attacks.

- the vents on these doors unscrew from the outside.

- the door to the serverroom doesnt log, has no door open sensor, and is shimmable

- the most secure door in the entire facility is a door that the QA manager *saw* me casually shimming open to go get something (for security reasons i didnt have a badge, but i needed regular access to locked places.. so i found my way around.) so that door is actually SURPRISINGLY well protected against shimming... but only that door.

- all of the above security flaws are also true for the fire staircase, which leads to just about every secure area in the building.

- the very secure safe in which the backups are stored.. is in fact so old the key is cast iron and could probably be picked with a coathanger.

- this place passes monthly security audits from external companies.

 

if people arent aware of security risks, there is no mechanism to fix these issues even in the most critical places. awareness is the biggest part of security.


17 minutes ago, manikyath said:

my dad just bought a padlock.. it's shimmable, and *probably* comb-able, but at the point of it being shimmable the comb doesnt even matter anymore.

 

if padlock shims were something with mainstream availability, we might finally get people to care about padlocks that are actually more than a deterrent and an annoyance for the owner of said padlock.

 

i'm pretty glad to be out of IT for this very reason.. the idea you spend countless hours on the digital security of a place, and then the equipment is behind locks that are all shimmable, with a security system that uses cloneable credentials, and has no logging on the most important doors...

 

the only way to fix this bullshit, is to make people aware of every security hole they keep buying into. the lock industry has a *VERY* "dont talk about the dangers" attitude, which results in mistakes that we *have* fixes for to still exist 100 years after those fixes were invented. dont make digital security go the way of physical security.

 

Every place i've helped set the security up for, i could walk right in and walk off with "very secure" data. not because i did a poor job or because i know how it was set up.. just because the people who made the decisions made poor decisions out of a complete unawareness of the dangers.

 

one specific facility i'll talk about as vaguely as possible:

- the rear door is shimmable, it's probably the second most secure door in the facility (more on that below) but it's got a push to exit and it clicks shut.. and it sure as hell doesnt have a dead latch. being on the facility perimeter also means you basically have all night to get it open.

- all the network rooms have badge readers without logging, cloneable credentials, and probably vulnerability to magnet attacks. oh, and of course no door open sensors. environmental control might raise an alarm before security does.

- same doors are shimmable, vulnerable to over the door attacks, under door attacks, and hinge pin attacks.

- the vents on these doors unscrew from the outside.

- the door to the serverroom doesnt log, has no door open sensor, and is shimmable

- the most secure door in the entire facility is a door that the QA manager *saw* me casually shimming open to go get something (for security reasons i didnt have a badge, but i needed regular access to locked places.. so i found my way around.) so that door is actually SURPRISINGLY well protected against shimming... but only that door.

- all of the above security flaws are also true for the fire staircase, which leads to just about every secure area in the building.

- the very secure safe in which the backups are stored.. is in fact so old the key is cast iron and could probably be picked with a coathanger.

- this place passes monthly security audits from external companies.

 

if people arent aware of security risks, there is no mechanism to fix these issues even in the most critical places. awareness is the biggest part of security.

Push bars are often mandatory due to fire code in larger warehouses/offices/factories/public-spaces/etc. These are often indeed not all that secure. And having intrusion detection is a basic form of security.

 

Shimmable doors are quite common indeed. However, cover plates don't really stop intrusion, just slightly slow it down and leave evidence.

However. My comment was not that security should be neglected.
My comment was rather about stating why these sorts of insecurities exist and also to state one of the most common reasons for why people make these decisions to go for less secure options.

People are in general a bit more aware of physical security than IT security by far, since it is easier to understand and visualize. But yes, even physical security is often quite lacking.


12 minutes ago, Nystemy said:

Push bars are often mandatory due to fire code

it's not a pushbar, and push to exit isnt the vulnerability. it's that the latch itself is self-closing, and not a dead latch (one that cannot be pushed back by itself if it's enclosed in the doorframe.)

 

13 minutes ago, Nystemy said:

However, cover plates don't really stop intrusion

but proper door fitment can make shimming exceptionally hard (see the fixed door), and the solution to shimming is also available: dead latches.

 

15 minutes ago, Nystemy said:


People are in general a bit more aware of physical security than IT security by far, since it is easier to understand and visualize. But yes, even physical security is often quite lacking.

my point isnt that, but that when the industry is hush hush about the flaws systems may have, *NO ONE* will give a hoot. like i said - monthly external audits. *one* auditor was clever enough "to have heard about this hacking stuff" so he requested a pentest.

*obviously* everything done by the proper IT staff was in order, and everything that wasnt... wasnt.

 

i hope the "awareness of the existence" of these devices into the mainstream means security audits will spend more time on physical audits (which is actually where this device lives - all the attack vectors are physical) and to stop accepting "security by obscurity" as a viable solution.


18 minutes ago, Nystemy said:

My comment was rather about stating why these sorts of insecurities exist and also to state one of the most common reasons for why people make these decisions to go for less secure options.

People are in general a bit more aware of physical security than IT security by far, since it is easier to understand and visualize. But yes, even physical security is often quite lacking.

Yes, reminds me of Deviant Ollam.

 

1 hour ago, Nystemy said:

It is debatable if such tools should or should not be easily obtainable.

Problem: everything in the Flipper Zero can easily be bought separately.

Reminds me of an LPL video of a SimpliSafe that can be bypassed with ham radio gear.

The radio is a Baofeng UV-5R. I own one to have for when I become licensed.

The thing is, everyone uses these radios. I have seen them everywhere, from bad actors to good ones.

Yes, it's technically illegal to use by FCC, but everyone still uses it.

Everyone, Creator初音ミク Hatsune Miku Google commercial.

 

 

Cameras: Main: Canon 70D - Secondary: Panasonic GX85 - Spare: Samsung ST68. - Action cams: GoPro Hero+, Akaso EK7000pro

Dead cameras: Nikion s4000, Canon XTi

 

Pc's

Spoiler

Dell optiplex 5050 (main) - i5-6500- 20GB ram -500gb samsung 970 evo  500gb WD blue HDD - dvd r/w

 

HP compaq 8300 prebuilt - Intel i5-3470 - 8GB ram - 500GB HDD - bluray drive

 

old windows 7 gaming desktop - Intel i5 2400 - lenovo CIH61M V:1.0 - 4GB ram - 1TB HDD - dual DVD r/w

 

main laptop acer e5 15 - Intel i3 7th gen - 16GB ram - 1TB HDD - dvd drive                                                                     

 

school laptop lenovo 300e chromebook 2nd gen - Intel celeron - 4GB ram - 32GB SSD 

 

audio mac- 2017 apple macbook air A1466 EMC 3178

Any questions? pm me.

#Muricaparrotgang                                                                                   

 


10 minutes ago, manikyath said:

it's not a pushbar, and push to exit isnt the vulnerability. it's that the latch itself is self-closing, and not a dead latch (one that cannot be pushed back by itself if it's enclosed in the doorframe.)

Well no


There's an old joke about security. How do you make a garage door secure when you're on vacation?

Simple: unplug the power cord!!!!

MSI x399 sli plus  | AMD theardripper 2990wx all core 3ghz lock |Thermaltake flo ring 360 | EVGA 2080, Zotac 2080 |Gskill Ripjaws 128GB 3000 MHz | Corsair RM1200i |150tb | Asus tuff gaming mid tower| 10gb NIC


nice that it was pushed about the backwardness.

calling to remove it, just because they are living in the 80s on some tech.


Linus makes an off-hand comment after the outro about cute names for hacking devices. He's wrong, those aren't cute names and entirely appropriate. Both dolphins and ducks are basically sexual predators, and while ducks limit their misdeeds to their own kind, developed dolphin brains go ham on other pods and entirely different species.


15 hours ago, poochyena said:

So it's a device for edgy teens to be edgy

To be honest that covers a lot of things.


I want one just because it looks like a Digivice and I might remote start my Bro's Truck, warm it up for him in the winter time..


I love the aesthetics, using that to emulate Amiibos feels more cool and less cluttery than flashing NFC tags.


I think this product doesn't really know what it is.  Is it a toy?  Or a tool for pen testers?  Does it do either really well?

 


Pretty sure you can replicate most of the flipper's function on a phone, except for the GPIO.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


18 minutes ago, williamcll said:

Pretty sure you can replicate most of the flipper's function on a phone, except for the GPIO.

More or less yes.
And to a degree, it shouldn't be too much fuss to make an Arduino or the like connect over USB to provide whatever extra features one desires. Like GPIO, or the sub-GHz wireless stuff.

