
What is a Flipper Zero?

A Flipper Zero. Check out the cool little dolphin!!!

As you all can probably tell by now, I am somewhat of a geek. Now, I don’t sit in the dark all day with pizza stains on my t-shirt muttering to myself in Klingon, but I do occasionally dabble in some pretty cool tech. One of those cool pieces of tech is this neat little device affectionately called the Flipper Zero.

I’d been hearing about these devices for years. They were really popular among pranksters and pen-testers (people who test digital security systems using penetration tactics), but I’d never taken the plunge and gotten one for myself. The pandemic came and the supply chain situation developed and it became practically impossible to get one. So it just kind of fell by the wayside. Then, one day a few weeks ago, I was perusing this article, and figured I needed to go ahead and get my hands on one just in case, especially since they seemed to be available again.

After ordering, I waited expectantly for almost 2 weeks. Apparently, Flipper Zeros ship out in batches, because mine sat in an LA warehouse for almost a week after I ordered it. However, when it did arrive, the box included the WiFi dev board and a silicone case that I had ordered, so at least everything was packaged together. The WiFi dev board is based on the ESP32-S2 MCU with custom firmware incorporating Black Magic Debug and CMSIS-DAP, so there are a TON of applications if you want to flash firmware onto it and use it as an Evil Portal or a WiFi Marauder.

Flipper Zero is almost like a multitool for hackers. It can interact with and emulate many of the different types of signals that are used for security in our digital world.

Some of the cool features that it has are:

  • a CC1101 transceiver for sub-GHz signals
    • has a range of 50 meters
    • used in garage door remotes, keyless systems, and IoT (Internet of Things) devices
    • Has a frequency analyzer so you can see the signals in the air around you.
  • RFID
    • emulates low-frequency (125 kHz) proximity cards (like some apartment keys)
    • This type of card stores only an N-byte ID with no authentication mechanism
  • NFC
    • emulates high-frequency (13.56 MHz) proximity cards
    • works the same as the RFID module, allowing users to interact with NFC-enabled devices
  • Bluetooth
    • emulates a Bluetooth Low Energy (BLE) device, meaning devices like your phone or computer can see it as a peripheral device.
    • This can be used to implement spam attacks to lock up phones and computers, or to do less malicious things like updating your firmware, sharing keys, or managing your data on a larger screen.
  • Infrared Transceiver
    • transmits signals to control devices like ACs, TVs, stereo systems, etc.
    • there are databases on GitHub and the like where the Flipper community has created HUGE repositories of IR signals for various devices
    • If the signal you need isn’t there, and you have a remote, you can map your remote with a few simple button clicks.
  • iButton
    • The Flipper has a 1-Wire connector to read iButton contact keys. This old tech is still widely used, and it has no authentication.
  • GPIO
    • The Flipper Zero has 18 GPIO pins, consisting of power supply and I/O pins.
    • We can connect external devices, like the WiFi Devboard, breadboards, and other geeky stuff
  • MicroSD for storage
    • YOU HAVE TO HAVE A MicroSD CARD TO USE THE FLIPPER ZERO
    • It supports any FAT12, FAT16, FAT32, and exFAT formatted microSD card
    • This is where all your logs, remote codes, signal databases, etc. are stored.

Eager to try it out, I charged it up (the 2100 mAh battery means one month of operation without recharging!), flashed updated firmware onto it, pulled up Talking Sasquatch’s YouTube channel, and began exploring. Between the wealth of knowledge on GitHub and YouTube, and the excellent Flipper Zero documentation, learning is super easy. At some point, I’ll no doubt create more articles on walking through stuff that I am doing with the Flipper, like this, but, suffice it to say, there’s a LOT that can be done.

Within minutes, I had cloned my apartment key using the RFID capabilities of the Flipper. I was then able to clone my phone’s NFC directly onto the Flipper. I was able to map and control my television remote with the Infrared module built into the device. I plugged it into my computer and ran some demo BadUSB scripts, and then I (almost) bricked my car key fob when I tried to use the sub-GHz frequency emitter to emulate my car keys! My nerdiness has its limits. I quickly realized I needed to back off. This is not a toy, and using it wrong can have damaging consequences, not to mention the legality aspect.

I realized that people need to be conscious and aware of what they are doing online. It is TOO EASY for someone who knows how to run scripts and flash firmware to take a device like this and steal bank account information, passwords, and other sensitive info. Let’s briefly look at two cases, captive portals and rolling codes.

Captive Portals

Using the WiFi Board, the Flipper Zero can set up a fake captive portal under an access point name of my choosing to collect passwords.

For instance, look at the Captive Portal below…

If you were to walk into Target and try to hop onto the Guest WiFi, you’d expect to see a login somewhat like this right? With the Flipper Zero, someone can set up that Evil Portal application that we were talking about earlier. They could name the Access Point (AP) “Target Guest WiFi” and then have the Flipper Zero act as a web server and serve up a static HTML file that looked identical to the portal above with text boxes for you to enter your personal login information. The only difference would be, as soon as you entered your information and clicked accept & connect, nothing would happen on the page. The unsuspecting person would probably just close out of the dialog and huff a sigh of disappointment, figuring that the network is experiencing issues.

In reality though, whoever is controlling the Flipper Zero now has access to your credentials, as your username and password were sent to a log file on the device as soon as you hit the accept & connect button. This may not be as bad if someone stole your Target information, but imagine a bad actor sitting out in their car at the bank, simulating a guest WiFi portal that needs your banking login. That’s where things begin to get really dicey.
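The evil-portal scenario above works because nothing stops a second radio from advertising the same network name as the venue’s own access points. What a venue (or a cautious visitor with a scanner) can look for is inconsistency among the APs broadcasting one SSID. The script below is an added example, not code from the original post or from the Flipper project: the scan records, MAC prefixes and the venue AP inventory are constructed for illustration and do not correspond to real vendor OUI assignments.

```python
from collections import defaultdict

# Constructed Wi-Fi scan results: (SSID, BSSID, security). The MAC prefixes
# are made up and are not real vendor OUI assignments.
SCAN = [
    ("Store Guest WiFi", "AA:BB:CC:11:22:33", "OPEN"),
    ("Store Guest WiFi", "AA:BB:CC:11:22:34", "OPEN"),  # second venue AP, same vendor prefix
    ("Store Guest WiFi", "DE:AD:BE:EF:00:01", "OPEN"),  # same name, different hardware vendor
    ("Corp-Secure",      "AA:BB:CC:11:22:40", "WPA2"),
    ("Corp-Secure",      "DE:AD:BE:EF:00:02", "OPEN"),  # encrypted network's name offered as open
    ("Neighbor",         "12:34:56:78:9A:BC", "WPA2"),
]

# Hypothetical AP inventory a venue would maintain: which BSSIDs legitimately
# broadcast each of its SSIDs. Networks not listed here are not the venue's.
INVENTORY = {
    "Store Guest WiFi": {"AA:BB:CC:11:22:33", "AA:BB:CC:11:22:34"},
    "Corp-Secure": {"AA:BB:CC:11:22:40"},
}


def oui(bssid: str) -> str:
    """First three octets of a MAC address: the vendor (OUI) part."""
    return bssid.upper()[:8]


def find_suspects(scan, inventory=None) -> dict[str, list[str]]:
    """Return {ssid: [reasons]} for SSIDs whose advertising APs look inconsistent.

    Heuristics, cheapest first:
      1. one SSID broadcast by hardware from more than one vendor prefix;
      2. one SSID offered both with and without encryption;
      3. (only if an inventory is supplied) a BSSID the venue does not own
         broadcasting one of the venue's SSIDs.
    """
    by_ssid: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid.upper(), security))

    findings: dict[str, list[str]] = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        if len({oui(b) for b, _ in aps}) > 1:
            reasons.append("multiple vendor prefixes")
        securities = {s for _, s in aps}
        if "OPEN" in securities and len(securities) > 1:
            reasons.append("mixed open and encrypted")
        if inventory is not None and ssid in inventory:
            for bssid, _ in aps:
                if bssid not in inventory[ssid]:
                    reasons.append(f"unknown BSSID {bssid}")
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in find_suspects(SCAN, INVENTORY).items():
        print(f"{ssid}: {'; '.join(reasons)}")
```

Heuristics 1 and 2 need no prior knowledge and would catch the case in the post, where an ESP32-based board joins a venue whose real APs all come from one vendor. Heuristic 3 is what a wireless intrusion detection deployment actually relies on: an inventory of the venue’s own BSSIDs, so any unknown radio using the venue’s network name is flagged regardless of its vendor prefix or security setting.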

As I said earlier, the Flipper Zero is meant to be a tool. I see it as an educational tool to teach myself about some of these technologies and tricks that are used. In the wrong hands though, it could pose a problem. That’s why we have to be diligent in how we interact with anything digital.

Rolling Codes

Fiddling with network traffic isn’t the only thing this little device can do. Simulating RFID access cards, opening garage doors and gates, changing traffic lights, emulating iButton devices, etc. are all in the cards. The possibilities are endless. All that said, there are precautions in place that prevent a lot of the “easier” attempts to hack things. For example, remember how I said earlier that I almost bricked my car key fob? That’s because the Flipper Zero can’t emulate rolling codes (unless you install and understand how to work some of the more advanced firmware programs, which probably means you’ll break something important in testing).

What are rolling codes Sam? I got you fam.

Rolling codes, also known as rolling security codes or hopping codes, are a security feature commonly used in car key fobs and garage door openers to prevent unauthorized access or hacking of the wireless communication between the key fob and the vehicle’s receiver or the garage door opener. Here’s how rolling codes work:

  1. Initial Synchronization: When you first program your car key fob to work with your vehicle or garage door opener, the two devices establish a shared secret code. This code is typically a randomly generated number or a unique identifier.
  2. Code Generation: Each time you press a button on your key fob to unlock or start your car or open your garage door, the key fob generates a new code based on the shared secret code. This new code is also time-dependent, so it changes over time, usually after every use or after a short period of inactivity.
  3. Transmission: The key fob sends the generated code to the receiver in your car or garage door opener using radio frequency (RF) communication. The receiver is programmed to expect a specific code at a particular time.
  4. Receiver Verification: When the receiver in your car or garage door opener receives the transmitted code, it checks if the received code matches the code it expects based on the shared secret code and the current time. If the received code matches, it grants access (e.g., unlocks the car or opens the garage door).
  5. Code Updates: After each successful use or at regular intervals, both the key fob and the receiver update their internal codes based on a predetermined algorithm. This ensures that even if someone intercepts and records the transmitted code, it will be useless for future access attempts because the code will have changed.

So if I were to capture the IR signal being sent from the key fob, it wouldn’t necessarily match because of the algorithm on the backend. At best, I would unlock the garage door or device one time, and then my car/garage door and ACTUAL key fob would be out of sync (thus rendering the key fob useless).
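The five steps above and the "works once, then the real fob is out of sync" outcome can be seen in a small simulation. This is an added example, not code from the original post and not any manufacturer’s real protocol: the fob and receiver share a constructed secret, each press derives a 32-bit code from that secret and a press counter with HMAC-SHA256, and the receiver accepts a code only if its counter lies within a small look-ahead window past the last one it honoured. Deployed schemes typically use a press counter as the shared state too (often encrypted rather than hashed); the time-based variant the post describes behaves the same way for the purposes shown here.

```python
import hmac
import hashlib

# Constructed toy model of a rolling-code key fob and its receiver.
# Not a real vendor protocol; the secret below is a made-up demo value.
LOOKAHEAD = 16  # receiver tolerates this many presses made out of its range


def make_code(secret: bytes, counter: int) -> int:
    """Step 2: derive the 32-bit code for one press from the shared secret and counter."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Fob:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret     # step 1: shared secret from pairing
        self.counter = 0

    def press(self) -> int:
        """Step 3: emit this press's code, then advance (step 5) so it is never reused."""
        code = make_code(self.secret, self.counter)
        self.counter += 1
        return code


class Receiver:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.expected = 0        # lowest counter value it will still honour

    def verify(self, code: int) -> bool:
        """Step 4: accept only a code whose counter is within the look-ahead window,
        then move the window past it (step 5) so the same code cannot be replayed."""
        for counter in range(self.expected, self.expected + LOOKAHEAD):
            if make_code(self.secret, counter) == code:
                self.expected = counter + 1
                return True
        return False


def pair() -> tuple[Fob, Receiver]:
    secret = b"constructed-demo-secret-not-a-real-key"
    return Fob(secret), Receiver(secret)


def replay_scenario() -> dict[str, bool]:
    """A press made out of range is recorded and later replayed at the receiver."""
    fob, rx = pair()
    captured = fob.press()                       # receiver never heard this press
    return {
        "replay_first": rx.verify(captured),     # accepted: counter 0 is still unused
        "replay_second": rx.verify(captured),    # rejected: counter 0 already consumed
        "legit_after_replay": rx.verify(fob.press()),  # fob's counter 1 still inside window
    }


def desync_scenario() -> dict[str, bool]:
    """The fob is pressed more times out of range than the window allows."""
    fob, rx = pair()
    rx.verify(fob.press())                       # fob and receiver start in sync
    for _ in range(LOOKAHEAD + 5):
        fob.press()                              # presses the receiver never sees
    return {"legit_after_desync": rx.verify(fob.press())}  # rejected: counter past window


if __name__ == "__main__":
    print(replay_scenario())
    print(desync_scenario())
```

The replay scenario matches the post’s "at best, one time": a recorded code opens the door only if the receiver has not yet consumed that counter, and the second replay fails. The desync scenario is the bricked-fob situation, with the receiver rejecting the genuine fob once its counter has run more than LOOKAHEAD presses ahead, which is why manufacturers provide a re-pairing procedure.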

So, have no fear, a Flipper Zero is not a golden key to wreak havoc on every security system in existence. That said, they have been banned on Amazon, and are becoming increasingly harder to get, so if you want to try this tech out, you may want to do so sooner rather than later.
