Pen Testing with the Fliper Part 1: RFID/NFC Cloning

-

The Flipper is marketed as a pen testers playground, but I have yet to address pen testing at all. Now's the time for that.If you haven't read the previous post about RFID, now would be a good time. If you have read that post, you'll know that the Flipper has no chance of getting into much of anything unless it first clones the real key. That's a problem, since people don't typically hand out their key cards fr you to clone just because you say "pretty please." Or do they?

I've said it before and I'll say it again, the one consistent weak link in any system is its users. Here's how it might go down in a pen test. You've already cleared everything with the company, you have all your tools, and now its time to get inside the building. Now, a real pen tester would have the real tools, not a toy multi-tool, but lets assume the Flipper is all you've got. You need to physically hold a card to the back of the Flipper for the few seconds needed to clone it. How in the world are you supposed to do that?

Easy (sort of). You put on a reflective vest or blue overalls, depending on the company, wear a lanyard with your face on it (but preferably not your real name), find someone on their way to work who looks gullible and ask to see their security key. Give some excuse about a system error, how you need to make sure their key works or reprogram it, something like that. If you play your cards right and look like you know what you're doing, they'll often give it to you. Scan and save the key card, tell the employee they're good to go, and that's that. Of course, there's always the chance that you'll be caught immediately, but the fun part about contracting with a company is that you don't go to jail if you get caught. Fun stuff.

The Flipper can take it from there. Put it up to the scanner, emulate, and the lock will open right up. Better yet, have some blank key cards with you, maybe with "maintenance" or "security" written on the side if you really want to be fancy, and write code to your card.

That's really all there is to the first step. I'm sure a lot of people would be disappointed to learn that you cant just push a button and open a door like magic, but I'd prefer and interesting reality to a wonderful fantasy any day. 

 More pen testing posts to come.

Comments

Post a Comment

Popular posts from this blog

Introduction: The Flipper Zero

-
In august of 2020, an odd little device was put on the market. It was cute, white and orange, and would be more influential than anyone expected. This unassuming little handheld toy was marketed as a pen-tester's playground. For many of the real tools used by cyber security professionals, the flipper zero came equipped with a downsized (and powered) but fully functional version.  Within a few months, rumors about his device spread like wildfire all over the internet. Videos popped up showing it doing everything from opening charging ports of Teslas to cracking electronic locks with the push of a button. People would change the channels on restaurant televisions, turn their menu screens to news channels, and much more. Its sale was banned on Amazon after rumors arose that it had credit card skimming capabilities and its sale was banned entirely in Canada after videos showed it getting into locked cars.  So, what is this device really? What can it do and what can't it do? Which ...
Read more

RFID and NFC: The Key Issue

-
 Some of the more popular demonstrations of the Flipper Zero's capabilities are of the RFID and NFC functions. Viral videos showed the Flipper instantly bypassing electronic locks on hotel rooms, homes, businesses, and even cars. Others showed it copying and emulating credit card information. These videos earned the Flipper Zero a nation-wide sales ban in Canada as well as a sales ban on Amazon.  But is there any truth to videos? It's a bit complicated. The Flipper comes with built in RFID and NFC readers, writers, and emulators. Using this function, something like a business key card can be scanned, cloned, and emulated. To the lock, there is no difference between the emulated code from the Flipper and the actual key card. It's a neat little function, but without having physical access to a card, there's not much you can do. In most of the door unlocking videos, that's all that's happening -- they've cloned a card and are emulating its signature. I said mos...
Read more

Sub 1-GHz: The Key Fob

-
 Some of the first viral videos to include the Flipper Zero were of people driving by Teslas and opening the charging port. Once the Flipper had gained a bit of momentum online, more videos came out, this time unlocking doors on various cars, or even starting the car, all with the push of a few orange buttons. In response to the potential for car theft, Canada banned the sale of the Flipper outright. So, is this fact or more fiction? Well, here's where things get interesting. As usual, it's a bit of both. The videos of people popping open the charging ports of Teslas are, for the most part, completely real. Some videos of doing things like unlocking car doors are also real... sort of. You see, cars have used radio signals to remotely perform operations for some time. Your car's key fob is simply a little radio made to serve only the purpose of making your car easier to use and interact with. When you push the unlock button on your key fob, it sends out a radio signal. Your ...
Read more