Posts

Showing posts from October, 2024

Real Possibility: BadUSB

One feature of the Flipper Zero has gone largely unnoticed online, despite being (in my opinion) the first one with real potential for abuse. That's BadUSB. While other functionalities are certainly interesting and are fully capable of some nasty stuff in the wrong hands, few seem to lend themselves so well to malicious -- or at least invasive -- purposes. Hak5 industries released their "Rubber Ducky" some years ago. That was the first BadUSB device that came to my attention. Basically, you plug it into a computer and it runs a pre-loaded command line script. With the Flipper, you just attach it to a computer by way of a USB cable, select your script of choice, execute, and do much the same thing. So, just what can a BadUSB script do on a computer? The easier question would be "what can't it do?" Just about anything that a user can do on a computer can be executed from a BadUSB, all in a matter of seconds. I mean lightning fast. Want to make your friend's de...

The Troll: The Infrared Module

One of the more harmless but also immediately eye-catching features of the Flipper is the infrared transceiver. This module allows the user to send and receive light in the infrared spectrum, the same spectrum used by TV remotes among other things. From the beginning, videos of chuckling teens muting TVs at sports bars, changing the channel in waiting rooms, and turning off the menu screens at fast food joints have been flooding the internet. So how much of this is real and how much is fiction? Well, this one is largely true, even if it's not quite as simple as the videos say. You see, in much the same way as some of the other modules I've written about can copy a code and emulate it, the infrared can do the same thing. However, unlike key cards, TVs almost universally use a set of default codes, hence the existence of universal remotes. Anyone with a Flipper can easily set it to run through these default codes to change the channel, mute, or completely turn off a TV. In may...

Sub 1-GHz: The Key Fob

Some of the first viral videos to include the Flipper Zero were of people driving by Teslas and opening the charging port. Once the Flipper had gained a bit of momentum online, more videos came out, this time unlocking doors on various cars, or even starting the car, all with the push of a few orange buttons. In response to the potential for car theft, Canada banned the sale of the Flipper outright. So, is this fact or more fiction? Well, here's where things get interesting. As usual, it's a bit of both. The videos of people popping open the charging ports of Teslas are, for the most part, completely real. Some videos of doing things like unlocking car doors are also real... sort of. You see, cars have used radio signals to remotely perform operations for some time. Your car's key fob is simply a little radio made to serve only the purpose of making your car easier to use and interact with. When you push the unlock button on your key fob, it sends out a radio signal. Your ...

RFID and NFC: The Key Issue

Some of the more popular demonstrations of the Flipper Zero's capabilities are of the RFID and NFC functions. Viral videos showed the Flipper instantly bypassing electronic locks on hotel rooms, homes, businesses, and even cars. Others showed it copying and emulating credit card information. These videos earned the Flipper Zero a nationwide sales ban in Canada as well as a sales ban on Amazon. But is there any truth to the videos? It's a bit complicated. The Flipper comes with built-in RFID and NFC readers, writers, and emulators. Using this function, something like a business key card can be scanned, cloned, and emulated. To the lock, there is no difference between the emulated code from the Flipper and the actual key card. It's a neat little function, but without having physical access to a card, there's not much you can do. In most of the door unlocking videos, that's all that's happening -- they've cloned a card and are emulating its signature. I said mos...

Introduction: The Flipper Zero

In August of 2020, an odd little device was put on the market. It was cute, white and orange, and would be more influential than anyone expected. This unassuming little handheld toy was marketed as a pen-tester's playground. For many of the real tools used by cyber security professionals, the Flipper Zero came equipped with a downsized (and powered) but fully functional version. Within a few months, rumors about this device spread like wildfire all over the internet. Videos popped up showing it doing everything from opening charging ports of Teslas to cracking electronic locks with the push of a button. People would change the channels on restaurant televisions, turn their menu screens to news channels, and much more. Its sale was banned on Amazon after rumors arose that it had credit card skimming capabilities and its sale was banned entirely in Canada after videos showed it getting into locked cars. So, what is this device really? What can it do and what can't it do? Which ...