06/03/2020

Flipper Zero - Tamagochi For Hackers

Flipper Zero - Tamagochi For Hackers Techblog

What's the Flipper Zero about?

Flipper is a small multi-tool for pentesters that fits in every pocket. It is inspired by the pwnagotchi project. The core idea behind Flipper is to combine all hardware tools needed for pentesting in a portable device.

In addition to that, Flipper also turns hacking into a game by showing the curious personality of a cyber dolphin. It loves to hack things like access control systems, radio protocols and more.

Pavel Zhovner is crowdfunding the Flipper via kickstarter. The campaign was expected to start in May, but got postphoned to June due to Covid-19 delivery issues. In an email, he told us that the first 1000 pieces ordered will have a maximum discount. If you want to stay updated, you can enter the mailing list at the end of this page.

To get a better view of the project, check out the 433 MHz sniffer functionality below!

Flipper Zero's features

The following 7 points show Flipper Zero's features.

433/868 MHz Transceiver

A large class of access control systems and devices are using this range for operation. Garage door remotes, remote keyless systems and IoT sensors are just a few. Flipper's transceiver is capable of up to 100 meters range, which is quite a lot. This means that during a pentest, the pentester doesn't necessarily need to be close to the objective. Hiding behind a car nearby could be enough. So while an employee turns down the climate device remotely out of comfort, the pentester could have recorded this command and now has the possibility to replay it during another time of choice.

Flipper Zero comes with decoding functionality for popular algorithms like keeloq, doorhan, came and more. This makes it possible to find out more about an unknown protocol.

A fun addition is that the tamagochi part of Flipper can make new friends by finding other Flippers out there, using the 433 MHz range.

125kHz RFID

Low-frequency cards are mostly built into older access control systems. The authentication can easily be read and copied. Flipper contains a 125 kHz antenna which can be used for EM-4100 and HID Prox cards. Gaining access to such systems is usually done with a keycard copier. With Flipper, this attack method is just one of several.

Flipper owners can even exchange card dumps remotely. This might become handy during a pentest of more than one person.

Infrared transceiver

TV's, air conditioners and stereo systems typically contain infrared receivers. Their infrared transmitter counterpart can be used to send commands, like turning on the TV.

The learning feature of Flipper's infrared transceiver receives signals and saves them to the library. Those signals can later be replayed and/or shared with the Flipper community.

Arduino compatibility

Flipper's functionality can be enhanced using your own programming skills. Your code can use all built-in hardware available. The code can be run as seperate plugin. This means that you can store your code on Flipper and run it, while using the original Flipper firmware. This eliminates the need to upload code repeatedly, like with basic Arduino boards.

Hardware hacking

Flipper can be connected to any hardware-piece that uses GPIO. This makes it possible to be used as hardware hacking, firmware flashing, debugging and fuzzing tool.

Bad USB

Flipper is capable of emulating a USB device and posing as regular input device, like a keyboard. You surely have heard of USB rubber duckies, which are known to use this attack vector.

So by posing as a keyboard, it's allowed to do what a keyboard is - typing. Once plugged in, the stored payload is typed at high speed. An example payload of this attack is the opening of a powershell window and typing a command that downloads and executes a malicious file. Additionally, Flipper is capable of fuzzing USB on the target device.

Note: As this attack vector is known for several years now, we've created a free keyboard guard for everyone to use.

iButton

Flipper Zero contains a built-in iButton reader/writer. The iButton technology works with the quite old 1-wire protocol, which has no authentication. This gives the reader an easy job to accomplish. After the ID has been saved, the writer can write the ID to a blank key. This isn't necessary though, as the Flipper can even emulate the key itself.

Flipper Zero vs. Flipper One

The Flipper Zero is a lightweight and compact version built on the STM32 microcontroller. It's able to work with basic remotes, radios and access control systems. The functionality can be expanded with programs.

The Flipper One is an advanced version with all the functions of Flipper Zero plus a seperate ARM computer running Kali Linux. This tool can be seen as a more serious tool for pentesting access control systems and networks.

How the Flipper Zero project started

Pavel Zhovner's history contains experiments with DIY hacking tools that were functional but not beautiful. He noticed that many tools he needed just weren't available. After discovering the pwnagotchi, he walked through the streets for several days in a row because he liked it so much. He realized that he wanted a device that delivers joy in tamagochi style, aesthetics of a retro game console and enough evil to hack everything around.

His friends suggested him to make a fully-fledged device with real factory production vs. yet another homebrewed DIY craft.

He documented all of this at his blog

Flipper Zero's inventor - Pavel Zhovner

Pavel Zhovner lives in Moscow and is responsible for the local hackspace Neuron. Since his childhood, he loves to explore things around nature, technology and humans. His main focus is on networks, hardware and security though.

He tries to not use the word "Hacker". Instead, he prefers to call himself "Nerd". According to him, it's more honest. In life, he values excited people who are emotionally strong involved into things they like.

Flipper Zero is his try to make something really cool, massive and at the same time beautiful. He believes in open source software, hence the project will be completely open. He has a small team, but hopes to reach more people that would like to join the project.

Social links

If you want to stay updated about it security, be sure to follow these accounts:

RansomBleed - Personal Twitter account from Ransombleed.

G DATA CyberDefense – G DATA CyberDefense Twitter account.