Trying Out Flipper Zero

200 points by tudorconstantin 2 years ago | 98 comments
  • sschueller 2 years ago
    People and companies that are attacking the device because it makes unlocking certain things easy should realize that the issue is not the device but the antiquated vehicle/door locking system that basically uses obscurity for its security.

    If you can unlock your car with the flipper zero you can also do it with a ~100 USD SDR and an old laptop.

    • bmitc 2 years ago
      Do those arguments really hold up though? I get that these devices are sort of the “messenger” in “don’t shoot the messenger”, but still. Security is about appropriate security. A general teenager or thief wanting to cause issues would not know what to do with an SDR and laptop, versus something like the Flipper making it point and click. So now that something is made so readily available, we need to increase the cost and complexity of various locks?

      I’m not arguing for or against anything here, but what I am arguing is that the discussion seems more nuanced.

      Is there an easy solution to improve locks on cars?

      • theshrike79 2 years ago
        There are a bunch of semi-easy tools for lockpicking too and a good percentage of American locks are reeeally bad at thwarting even a novice picker. In worst cases you just need a flat piece of metal.

        Too many fancy electronic locks can be bypassed with a single magnet placed correctly.

        https://www.youtube.com/@lockpickinglawyer

        These devices are the electronic equivalent of a lock-pick. They still need skill and intent to use, by itself they shouldn't be illegal. They should motivate companies to make proper security measures.

        You can grab a $10 ESP32 and a battery pack, load some ready-made software on it and flood everything in a 50 meter radius with so many fake Wifi-APs most devices will go offline. Or you can deauth every wireless device within range.

        The tech is available and doesn't require much skill to use.

        • weinzierl 2 years ago
          Exactly, and in regard to the parent comment mentioning teenagers: They are exactly the group that needs the Flipper least because they might not have money but they often have plenty of time.

          If anything the Flipper helps to spread the knowledge where the frontier of practical feasibility is to a wider demographic. This demarcation line is far from trivial but the world would be a better place if all of us knew more about what they should be afraid of and where they can chill.

        • windexh8er 2 years ago
          > A general teenager or thief wanting to cause issues would not know what to do with an SDR and laptop, versus something like the Flipper making it point and click.

          This is where the story falls apart. I own both a HackRF One and a Flipper. I thought it would be a great teaching tool for my kids to show them physical world insecurities. While it's a great device it's nowhere near as potent as the HackRF as a real tool. And straight out of the box the Flipper does very little from a nefarious point of view.

          The "influencers" did a great job of hyping it up on YouTube and Twitter. And my guess is that the majority of the devices sold will be used to pop Tesla charge port doors for giggles. I've gone through a few different firmware and repos and you've got to have just as much interest to learn and use compared with an SDR. And in fact in many cases the Flipper is harder to use because it's limited by its physical footprint.

          It's a fun little tool but it's not making much "point and click" besides a handful of known replay attacks that shouldn't have existed in the first place. If anything I hope the Flipper pushes the likes of physical access systems manufacturers / integrators to be questioned on why their systems fail to authorize access correctly against trivial attacks. This is not the fault of tools like Flipper.

          • bmitc 2 years ago
            > If anything I hope the Flipper pushes the likes of physical access systems manufacturers / integrators to be questioned on why their systems fail to authorize access correctly against trivial attacks.

            That's a good point on it moving the needle where there's reason and capability to.

          • uconnectlol 2 years ago
            Yes it holds up. Those poor billion dollar companies selling stuff with critical flaws should have been fined many decades ago (all the issues talked about in this tweet are literally 20 years old, I can probably go find a Defcon video from 20 years ago where they exploit the same bugs on the top 5 vehicle vendors).

            > A general teenager or thief wanting to cause issues would not know what to do with an SDR and laptop, versus something like the Flipper making it point and click

            This is just your imagination. Flipper is barely less obscure than running some scripts on a Linux laptop, both of which general teens can do.

            • sschueller 2 years ago
              Many solutions exist (rolling codes, encryption, tight timing etc.) that make it difficult to open a vehicle quickly. The main issue is that there are still cars being sold which might as well have no locks at all.
              • adolph 2 years ago
                No locks means people are less likely to break the windows and leave a mess or get injured themselves.
              • nextlevelwizard 2 years ago
                Your average teenager or thief won't know how to pick a lock either, yet everyone installs pick resistant locks instead of cheaper alternatives.

                Yes. Your security might have been good enough, but the world moves on. Back in the day Triple DES was good enough, but you are very irresponsible if you use it today.

                I get that whenever you are looking at anything from inside the industry there is a constant need to make processes faster and cheaper. I am sure all car manufacturers would immediately remove seat belts and air bags if they could. However, is maximizing profit really what society needs? I think we should have more laws and regulations around product security. *All* products should meet some minimum security standard, but until we have some governing body that can enforce this we will from time to time run into issues like with this device, where the large company is a decade or more behind the world due to neglecting R&D and now they don't want to pay for their mistakes.

                • D13Fd 2 years ago
                  > everyone installs pick resistant locks instead of cheaper alternatives.

                  What geographic area? In the northeast US I've noticed that the cheap, easy to pick locks seem to dominate.

                • nix23 2 years ago
                  >Is there an easy solution to improve locks on cars?

                  Public/Private Keys? You know a secure protocol like SSH?

                  • out_of_protocol 2 years ago
                    or even simple HMAC if you want to go low-power and brain-dead
                    • weinzierl 2 years ago
                      Doesn't help against a common attack possible for all reasonably modern luxury cars (which happen also to be the most interesting targets).

                      For these cars it's enough that the key is near and it is considered a feature that no user interaction (like pressing a button on the keyfob) is required. This can be exploited by relaying the signal from the original key to an attacker who is near the car. Cryptography alone cannot protect against this attack scenario (which is called a "relay attack", not to be confused with a "replay attack").
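
As an added illustration (not from any commenter) of the point above: an HMAC challenge-response as out_of_protocol suggests defeats replay of an old response, but a car that checks only the MAC cannot distinguish a fob that is genuinely nearby from one whose exchange was forwarded, so the relayed exchange is accepted; the round-trip bound sschueller's "tight timing" refers to is what rejects it. The paired key, the microsecond timings and the acceptance bound are all constructed values for the simulation.

```python
import hashlib
import hmac
import os

# Constructed demo key shared between car and fob at pairing time (not a real key).
PAIRED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed timing model (microseconds): a direct fob<->car round trip versus the
# extra delay that forwarding the same exchange over a longer path adds.
DIRECT_RTT_US = 50
RELAY_EXTRA_US = 900
MAX_RTT_US = 200  # the car's acceptance bound: the "tight timing" check


def fob_respond(key: bytes, challenge: bytes) -> bytes:
    """The fob's only job: MAC the car's fresh challenge with the paired key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, key: bytes, enforce_timing: bool):
        self.key = key
        self.enforce_timing = enforce_timing
        self.challenge = None

    def new_challenge(self) -> bytes:
        # A fresh random nonce per attempt is what defeats *replay* of old responses.
        self.challenge = os.urandom(16)
        return self.challenge

    def verify(self, response: bytes, rtt_us: int) -> bool:
        if self.challenge is None:
            return False
        challenge, self.challenge = self.challenge, None  # single use
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        # The cryptography is satisfied here. Only the timing bound can tell a
        # nearby fob from one whose valid answer arrived via a forwarded exchange.
        if self.enforce_timing and rtt_us > MAX_RTT_US:
            return False
        return True


def attempt(car: Car, extra_delay_us: int) -> bool:
    """One unlock attempt answered by the genuine fob; extra_delay_us models forwarding."""
    challenge = car.new_challenge()
    response = fob_respond(PAIRED_KEY, challenge)
    return car.verify(response, DIRECT_RTT_US + extra_delay_us)


def replay_attempt(car: Car, old_response: bytes) -> bool:
    """Reuse a response observed earlier against a fresh challenge."""
    car.new_challenge()
    return car.verify(old_response, DIRECT_RTT_US)


def demo() -> dict:
    crypto_only = Car(PAIRED_KEY, enforce_timing=False)
    with_timing = Car(PAIRED_KEY, enforce_timing=True)
    # A response observed during one genuine unlock, kept for later reuse.
    observed = fob_respond(PAIRED_KEY, crypto_only.new_challenge())
    crypto_only.verify(observed, DIRECT_RTT_US)  # consumes that challenge
    return {
        "legit_crypto_only": attempt(crypto_only, 0),
        "replay_crypto_only": replay_attempt(crypto_only, observed),    # False: nonce is fresh
        "relayed_crypto_only": attempt(crypto_only, RELAY_EXTRA_US),    # True: the MAC is valid
        "legit_with_timing": attempt(with_timing, 0),
        "relayed_with_timing": attempt(with_timing, RELAY_EXTRA_US),    # False: too slow
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'unlocked' if accepted else 'rejected'}")
```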

                    • m-p-3 2 years ago
                      > Is there an easy solution to improve locks on cars?

                      Expose their flaws and let the manufacturers properly mitigate their creation.

                      • criddell 2 years ago
                        > Is there an easy solution to improve locks on cars?

                        Turn off keyless entry and use the mechanical key.

                        • waste_monk 2 years ago
                          The challenge/response mechanism still occurs when using the key. Try opening most cars with a dead keyfob battery - on pretty much any recent car I've seen doing so triggers the alarms and turning the key in the ignition will not disarm the immobiliser.
                      • YetAnotherNick 2 years ago
                        All car locks can be opened by force using a hammer, and in theory it should be equally illegal to force one open as to use a Flipper. But in practice it gives plausible deniability if, say, a kid could use a toy-like thing with some script downloaded from the internet versus a guy breaking a car window. The Flipper kind of looks like a learning tool used for hacking, while the SDR method seems like a hacking tool that could be used for learning.

                        I wouldn't want flipper to be discontinued or anything but script kiddos are real.

                        • neilv 2 years ago
                          Going with the children's toy theme... Has anyone 3D-printed alternative plastic for the Flipper Zero, to make the buttons be a mix of colors, and rounded like Fisher Price?

                          Edit: Flipper Price, as it were.

                          • uconnectlol 2 years ago
                            [flagged]
                            • z3c0 2 years ago
                              A bit aggressively stated, but I agree with your overall point. Every few years, a piece of tech comes along and clobbers older tech. This is how security improves.

                              Also, in the right context, it is already illegal to send raw TCP packets. Laws around port scanning are pretty ambiguously defined, and inconsistent across states. While generally harmless, a poorly placed SYN can get you in some serious trouble.

                          • luch 2 years ago
                            Honestly it's a bit of both in this situation: there are good RF protocols that are secure enough (e.g. Calypso has not been broken yet) but they are not used by vendors since the insecure version is "good enough". Now that Flipper Zero exists, they have to adapt.

                            However, there is an ongoing discussion about offensive security tools such as Flipper Zero, IMSI-catchers, phishing frameworks, meterpreter lookalikes, etc. and their consequences on the overall security landscape. It used to be that tools were just tools, but now legislators and the general public ask for more responsibility from tool vendors. For example, publishing a complete n-day exploit for a major vulnerability (Windows/Linux RCE, O365 RCE, etc.) is becoming more and more frowned upon since it primarily enables attackers.

                            • nibbleshifter 2 years ago
                              That "ongoing discussion" is largely a small group of extremely loud people in the defensive tooling space who keep getting clowned on that their expensive products don't work.

                              While the offensive side keeps innovating and improving, defense seems to have stopped bothering and instead is resorting to twitter trolling, pissing, and moaning.

                              • nine_k 2 years ago
                                Responsible disclosure exists for serious exploits, and it sort of works.

                                Auto makers had ample time to learn that their current radio-operated locks are insecure by design. They had years while everybody even slightly interested knew e.g. how a replay attack can be done. Did they need any more responsible disclosure time in order to act?

                                BTW there's no need to radically invent anything in that space; say, SSH offers a working example of a tamper-proof, eavesdropping-proof establishment of a secure connection (after a secure initial pairing, expected between a key and the car anyway).

                                • weinzierl 2 years ago
                                  Opening (and mobilising) a car is a vastly different scenario from opening an SSH session and your typical Mercedes or BMW driver is not your average SSH user. Customers want their cars to unlock on approach and they've become used to it. They expect the trunk to open when they swipe their foot under the tail bumper while they are holding their groceries in both hands. Keyless entry systems are useful and the most important target group of buyers of cars that are worth stealing is accustomed to them.

                                  Keyless is not going anywhere and you need more than an SSH-like protocol to protect it.

                            • beardedwizard 2 years ago
                              I have never seen a tool that really does so little out of the box (notice most people only talk about cloning IR remotes) be worried over so much. SDR, key relay and other radio based attacks were happening before flipper and will continue.

                              Anyone who wants to do real harm with flipper will have to learn a lot, and when they do flipper won't be the tool they stick with. It is limited compared to something like hackrf.

                              Criminals can buy all kinds of turnkey kits to do crime, flipper isn't one of them.

                              • uconnectlol 2 years ago
                                > people will write that the Flipper can't be used for jamming. I've bad news. I will not explain what I did, but I tried to implement an attack to prevent my key from opening my car and I successfully had this jammer working at quite a distance (10 meters). That's not good, and script kiddies should be away from these techniques.

                                What's not good is that tons of tech now relies on radio garbage for no reason, especially car keys.

                                • michaelmior 2 years ago
                                  > tons of tech now relies on radio garbage for no reason, especially car keys.

                                  I'm curious what you mean by "radio garbage" and "for no reason."

                                  • uconnectlol 2 years ago
                                    For instance, car keys.
                                    • ramesh31 2 years ago
                                      >For instance, car keys.

                                      Have you ever owned a push button start vehicle? It is a strictly superior UX.

                                      • michaelmior 2 years ago
                                        I'm confused about the "for no reason" part then. I get a lot of value from not having to physically approach my car and use a key to unlock or start it.
                                  • mikeiz404 2 years ago
                                    • z3c0 2 years ago
                                      Very useful service, thank you. I try not to harbor negative feelings for something as harmless as a writing format, but I can't help but to feel a glimmer of annoyance every time I see one of these Twitter blog posts.
                                    • weinzierl 2 years ago
                                      This is a brilliant wrap up, but the real gem is the accompanying app ProtoView.

                                      > "The secondary goal of ProtoView is to provide a somewhat-documented application for the Flipper [...] ."

                                      Having a well-documented, not too complicated and somewhat canonical beginner application is so important.

                                      • po1nter 2 years ago
                                        > the Flipper is an awesome device. I'm kinda sad to understand that its successor is Linux based

                                        Anyone know where I can find more info on this "successor"? I tried googling with no luck.

                                      • neilv 2 years ago
                                        Are any more Flipper Zero units coming into the US?

                                        I heard that a shipment was seized a couple months ago, maybe due to national sanctions.

                                        (I have a Flipper Zero, but no time to play with it. Wondering whether I should sell it, or hold onto it because I won't be able to re-obtain one later.)

                                        • garren 2 years ago
                                          Mine was held up by the seizure. I got an email about it, but they were able to get it out a month or so later. They were able to work around it, but I don't recall the details. I think they had a blog post about it.
                                          • gadders 2 years ago
                                            Probably being overly cynical, but I wonder if some of those flippers were back-doored by NSA or similar like they did to TVs.
                                            • neilv 2 years ago
                                              No more ridiculous a theory would be that Russian hackers found a way to get many thousands of other hackers around the world to plug in BADUSB/trojan devices. And to also fund their own compromise. :)

                                              (No offense to our Flipper-creating friends. I suspect many hackers can appreciate the interesting and humorous human dynamics that are sometimes at play.)

                                            • windexh8er 2 years ago
                                              I purchased two of them, recently. I bought one in December from an authorized reseller and received it within 2 weeks. Ordered another one direct from the official Flipper website in late December as a gift and received that one within 1 week. They're easy to get at this point.
                                              • comfypotato 2 years ago
                                                Mine was too. The seizure had more to do with the war (as the devices come from Russia and are explicitly labeled for hacking) - my package got to me fine, looks like it wasn’t tampered with or anything. I think business is as usual for the Flipper folks.
                                                • weinzierl 2 years ago
                                                  I thought they were shipped directly from China? On their shipping page they reported issues shipping to Belarus which would be unusual if they'd ship from Russia. If anything I'd expected issues with payment but I've never heard that to be the case.
                                            • smcl 2 years ago
                                              Hey @antirez, if you're in the comments here I have a little question. I see someone asked about availability, since it's currently Sold Out. How often did you hit the Store before a unit was available? And was it a really narrow window of availability? I'm wondering if I should write a little script that'll fetch the page, check availability and send me a notification or whether I should just remember to check the page myself every couple of days.
                                              • antirez 2 years ago
                                                Hi! My purchase story was atypical: I saw the device, hit the official store, saw it available and just got it. Then I discovered I casually clicked in the exact right moment... No idea about their supply chain.
                                                • buro9 2 years ago
                                                  I got one just before Christmas (in the UK), also saw it available and just bought it.

                                                  Then it went out of stock.

                                                  I shared the capabilities and a test program with a colleague (in the USA) who went onto the site and it was available again. They have one too now.

                                                  They really do seem to be adding stock as and when they receive it, so just make a bookmark and check back daily.

                                                  • 4286796215 2 years ago
                                                    Same for me, I got mine end of December as well and only learned they were supposedly hard to get when researching custom firmware. I waited maybe three weeks, two of which it spent in customs.
                                                    • smcl 2 years ago
                                                      Ahh, interesting thanks! To be honest it's not much effort to write what I described, so I'll just dive in and set that up.
                                                      • rcarmo 2 years ago
                                                        Yeah, I noticed it being available for a day or so a while back, but didn't click... :)
                                                        • smcl 2 years ago
                                                          Sounds like we just need to check every day or so. Fingers crossed you manage to get one!
                                                      • bru 2 years ago
                                                        There's new units on sale every week. Alternatively, buy a second-hand one.
                                                      • fortran77 2 years ago
                                                        The product quality of the Flipper Zero, including the packaging and the unboxing experience, is incredible. I just got mine a couple of weeks ago and have used it every day. I've done things ranging from analyzing and emulating the hotel keys at the NY hotel I stayed in the week of the 19th, to turning off the TV sets in the airport lounge on the way back home.
                                                      • cactusplant7374 2 years ago
                                                        The biggest issue is it’s not an SDR. So reverse engineering protocols will be much harder. At least that’s my understanding. Still, I have really enjoyed using it. UX is great as he says.
                                                        • karim79 2 years ago
                                                          I picked up two of these bad boys. It literally took minutes to turn it into a universal remote for everything in my flat, from TV to air filter and everything in between. I love the form factor as well as the interface. I haven't yet had time to delve into the more advanced use-cases, but indeed, it is impressive for what it can do out of the box.
                                                          • ahub 2 years ago
                                                            Honestly, this device just misses a speaker and a microphone. It would make for the best phone ever.
                                                            • mjsir911 2 years ago
                                                              The flipper zero does have a (pcm?) speaker! It comes with a music player by default with the marble machine sample notes.
                                                              • nine_k 2 years ago
                                                                But does it not have a BT radio to connect a hands-free set?

                                                                It might need a phonebook app though :)

                                                              • orthecreedence 2 years ago
                                                                Gosh, you can tell he really hates the Flipper.
                                                                • cactusplant7374 2 years ago
                                                                  I’ve seen him on the Discord server for Unleashed firmware. I don’t think he hates it?
                                                                  • antirez 2 years ago
                                                                    Maybe the commenter was just sarcastic? My 10yo daughter always tells me: when you like something, you remark on it so much, dad. I just think it is important to celebrate other people's accomplishments: it has good effects on the world.
                                                                    • cactusplant7374 2 years ago
                                                                      Ah yeah, probably. Misread it. I didn’t sleep that well. :)
                                                                  • rexreed 2 years ago
                                                                    This from a fellow who posts on Twitter using his Mastodon Social account handle. I don't get the point.
                                                                  • aaron695 2 years ago
                                                                    > I tried to implement an attack to prevent my key from opening my car and I successfully had this jammer working at quite a distance (10 meters)

                                                                    Jamming codes - https://github.com/RocketGod-git/Flipper_Zero/tree/main/subg...

                                                                    Demo here - https://www.youtube.com/watch?v=Vls4FHw_0AE

                                                                    • molten_roll 2 years ago
                                                                      [flagged]
                                                                    • bastard_op 2 years ago
                                                                      [flagged]
                                                                      • rasz 2 years ago
                                                                        By buying Flipper Zero you are sending money to russia, indirectly funding terrorist invasion of Ukraine. :/
                                                                        • buffington 2 years ago
                                                                          During the American invasion of Afghanistan and Iraq, I was a founder of an American company. Using your logic, you could say I indirectly funded the invasion of those countries, since international customers were sending my company money.

                                                                          What sort of terrorist invasions have you indirectly funded?

                                                                          • f311a 2 years ago
                                                                            FYI, their CEO is Ukrainian
                                                                          • baybal2 2 years ago
                                                                            [dead]