CarahCast: Podcasts on Technology in the Public Sector

Bastille Presents: The Wireless Threat Series Podcast, Flipper Zeros

Episode Summary

Federal agencies and businesses face growing exposure to wireless threats as modern devices introduce new cybersecurity attack vectors that traditional security tools cannot detect or control. To mitigate consumer and enterprise risks associated with IoT devices in no-phone zones, Bastille Networks’ wireless intrusion detection system identifies and quarantines unauthorized emitters and behavioral abnormalities before data breaches can occur. Explore real-world examples of how Bastille’s IoT security solution proactively defends mission-critical environments from covert emissions, unapproved device behavior and Wi-Fi deauthentication attacks.

Episode Transcription

 

Intro

Welcome back to Carahcast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team.

 

On behalf of Bastille Networks, we would like to welcome you to today's podcast. Adrian Sanabria and John Bundy continue the wireless threat series by exploring the Flipper Zero, a popular wireless security testing device. They highlight its user-friendly design and demonstrate capabilities like sub-gigahertz signal capture, RFID and NFC, Bluetooth, and infrared control.

 

We address misconceptions like car theft myths and discuss risks like Bluetooth spam. While effective as an affordable education tool, we'll discuss its limitations compared to professional equipment.

 

Adrian Sanabria

Welcome back to the wireless threat podcast series sponsored by Bastille Networks. I'm Adrian Sanabria and joining me is John Bundy. In this podcast series, we explore a new class of device or threat in each episode.

 

We help you understand the threat, walk through some real life scenarios, and even do the occasional live demo, which I believe we will be attempting today. So wish us luck. Ultimately, the goal is to answer the question, should you be worried about this?

 

This week, we're discussing the Flipper Zero. Let's get started. I am one of many people that I think kickstarted this thing and patiently waited, and it's been a fun toy, but everyone else who owns one and uses one, I think we all kind of rolled our eyes when we saw a bunch of drama pop up in the news about it.

 

People getting their devices seized when they're going through customs or going through TSA, entire countries or states or events trying to ban them. For me, John, I think the thing that sets this apart from most of the other like hacking devices we've seen is you need to understand Linux. Typically with these devices, there's a pretty high bar in terms of technical proficiency.

 

Whereas this one, everything is so polished. The app on your phone is polished. There's an app you can put on your desktop that's really polished.

 

What did you think of it when it first came out?

 

Jon Bundy

It's pretty interesting, isn't it? You're right. A lot of the kind of hacker tools have been a lot of do it yourself with sketchy guides or incomplete guides.

 

And often you end up with something like this. This is a Pwnagotchi that's not on, that does wireless deauthentication attacks. And even now when I want to run it, I'm like, well, which command do I use to get it to not be obnoxious and kick everyone off, or if I just want to do some testing, you know, it's just not a good interface.

 

So yeah, the Kickstarter for this, they came out and they said they wanted to make something easy to use, open source, community driven, and I think they were successful, right? You can update it from a web page. And then people are releasing apps for it because it's open source and you get all these cool new capabilities added all the time and games and stuff.

 

It's a great tool for education.

 

Adrian Sanabria

And I think again, for those of us who have professionally done offensive work, like we have just for doing wireless assessments, like the adapter you might use costs as much as this whole thing, right? And you're going to plug it into a laptop or you're going to have some kind of purpose-built handheld device just for that. Whereas this is kind of like an all-in-one, even has this iButton thing, which we were talking about the other day, and I've never seen a device that uses this, but it included it.

 

But the point being that this is, it's a very compromised device. You wouldn't use this in a professional assessment. Let's go through what this thing can actually do.

 

Let's go over the wireless bill of materials.

 

Jon Bundy

So we've got Bluetooth Low Energy. I don't believe it has Bluetooth Classic. So that allows a lot of modern hardware and spamming attacks.

 

There's a Texas Instruments CC1101, which has been a very popular sub-gigahertz radio for receiving and transmitting in those open frequency bands, the 300 and 900 megahertz ranges that you're legally allowed to use, the ISM bands, which stands for industrial, scientific and medical. There are a lot of devices that use those: key fobs, a lot of ceiling fans, garage door openers. Cheaper consumer wireless devices with buttons tend to be in those ranges.

 

There's the 125 kilohertz RFID and the 13.56 megahertz NFC near field communication.

 

Adrian Sanabria

So it's 200 bucks. It's a pretty good deal for everything it does. And for the fact that it's super polished and you can see some of the options here, there's the Wi-Fi dev board that plugs into the top using those pins.

 

So does the video game module, which gives it an HDMI out. So you can get this tiny monochrome screen on your 4K 80-inch, whatever, and you can count the pixels on it. It encourages you to build and explore with it.

 

Jon Bundy

Every capability it has, you can do with other tools that are probably better at it. Right. Yeah.

 

Because of the size, there's really no antenna to speak of. So the ranges are usually pretty short. The one thing I found that it does do really well, better than any other tool I've used, is the sub-gigahertz frequency capture and replay.

 

They've made it so easy to just find a frequency, capture it. You can see it being captured and then replay it. In some cases, it'll even decode it for you and, and allow you to just create your own command from that.

 

It doesn't have Wi-Fi on it. So you're going to either get that Wi-Fi board, which is limited to 2.4 gigahertz, or you're going to use a better Wi-Fi adapter and a computer.

 

Adrian Sanabria

I have used it to troubleshoot some things. We had some lights that were built into some entertainment centers and they kept turning on. And we were trying to figure out why every time somebody walked upstairs, they'd turn on all by themselves.

 

So we were able to use this to hone in on what frequency it was using.

 

Jon Bundy

I'm amazed. I tested it out yesterday with my lights here. I have a ceiling fan and I didn't know what frequency it's on.

 

Usually you either look at the back of your device and there's an FCC ID and you find out what frequencies it uses and like, okay, finally you get near there. But then you have to find it. With the Flipper, I just had it scan.

 

I hit the button and it's like 303.9 is your frequency. Oh, cool. I was able to capture it and replay it, you know, within a minute.

 

Adrian Sanabria

One of the nice things about this is it demos really well. You can just plug it into a computer and you can get the screen here displayed on the computer or on your phone, which I think is what you've done here.

 

Jon Bundy

You know, I got this desktop app. It's called qFlipper and it can pull the latest official release. You can install from a file.

 

It's got all the information about I'm running Momentum and it mimics the UI. So what you're seeing there is the same thing you'd be seeing on the screen reversed, but this allows you to demo it because these are meant for education. You can show concepts without big stakes, right?

 

So what can we do? You can see on the top, there's a list of apps. We talked about custom firmwares.

 

This is where all of your weird apps go. Like you found the Bluetooth spam that you were talking about earlier. That's it.

 

Just all these hacks. Here's the crash. Here's a nearby action.

 

Here's a nearby device preparing. There's this sub gigahertz menu here. And like I said, it's got read, read raw.

 

It's got a frequency scan. It lets you find the right frequency. I've got it here saved.

 

I just called it office light and I can emulate it. And it shows you it actually decoded it. It knew the encoding scheme and it said, oh, here's actually the bits that were sent.

 

Like I don't know the protocol well enough to tell you what those mean, but rather than send the raw capture over and over, it's like, oh, I actually know how to recreate the waveform now because I'll do it. And so I'll get a nice clean waveform. Like when you capture, you might get a little bit of noise in there.

 

And sometimes it works and you have to hit the button again because it didn't work. This will make sure that it generates a clean sample. So the lights just above my head there.

 

If I hit the circle, the middle button to send it, you might see light change. So there it goes. Yep.

 

There it is. And I can hit it again. Off it goes.

 

So it was, it was as easy as taking this remote, holding it next to there, hitting a button while I was finding the frequency and then going to read it. Let's try the raw because I haven't done that for a while and it's already on the right frequency. That's good.

 

So if I hit the little middle button again to record, it's recording and hold this up and I'll hit the button. Yeah, there it is. Let go of the button and it goes off.

 

Not holding it. And this actually dims it and it'll make it brighter. So it's just continuous transmitting and it's just picking these up.

 

It's really neat because you can, you have visual proof right there that you're capturing something. You just hit the button. If I hold it and you see all these different.

 

Adrian Sanabria

And we can even see that count down in the corner of how many that you've collected. I can hit stop. Yeah.

 

You can save it, rename it.

 

Jon Bundy

Rename it. So that's what I did before. And it's just capturing those and decoding it to those bytes.

 

So super cool.

 

Adrian Sanabria

Yeah.

 

Jon Bundy

So now let's like the sub gigahertz capture, capture your ceiling fans and your common home equipment stuff.

 

Adrian Sanabria

I do want to mention, I think one thing we left out is the USB functionality of it. So this thing can emulate a mouse, a keyboard. It can do some bad USB stuff.

 

You can plug this into a computer. I think it can do some rubber ducky. Has some rubber ducky type functionality where you can have a script and have it emulate a bunch of keystrokes show up as a keyboard.

 

So it's not all wireless stuff.

 

Jon Bundy

You mentioned deauth. And that is one of the capabilities that is natively lacking. But you also mentioned that Wi-Fi card.

 

I 3D-printed a case for mine. Oh, you've got the Wi-Fi add-on. Yeah.

 

Wi-Fi dev board. There was a shortage of these for a while when everybody was really, it's so popular. But this does do deauthentication attacks, which we've talked about in previous episodes.

 

On the 2.4 gigahertz Wi-Fi band, it can send out messages telling all the clients to get off the network. And they'll get off the network if they're not using protected management frames.

 

Adrian Sanabria

2.4 seems pretty limiting. But again, if we're going to tie this back to enterprise threats, a lot of your IoT, industrial IoT stuff is likely only using 2.4 because it doesn't need a lot of bandwidth. But it does need a strong signal that travels well, which is the downside of 5 gigahertz is that you don't get as much distance with it, but you do get more bandwidth.

 

Jon Bundy

Yeah, exactly right. So very good at that. But like we said, the range on the NFC and RFID, very low.

 

So it's hard to clone badges. For the MIFARE Classic, it can decrypt those and emulate them, I believe. But the range is just so bad, where with the Proxmark, you've got a lot of range antennas.

 

You can use other antennas. That's modular. Yeah, you can add to it.

 

The BLE, again, because there's no antenna, it's gonna be a little less limited where you can buy a BLE adapter with an antenna and get 100, 300 feet easily. You know, there's all sorts of rubber ducky attacks. Some are a little more discreet than walking around with a white and orange flipper and trying to plug it into a computer, right?

 

There's a lot that are disguised as flash drives or like a USB accessory, like a fan or a light that you'd plug in. You know, you can embed them in those. Those are more likely to be used in actual exploitation.

 

So about two or three years ago, at DEF CON, there was this BLE spam attack released on Apple devices, you might remember it, where it would cause pop-ups. And so what this was, was the vendors. So Apple, Google, Samsung, Microsoft, all do this now.

 

In order to make it easier for people to pair Bluetooth devices, that's always been a challenge, right? Going back is you got to put it in pairing mode. Then you got to go over here.

 

You got to enter some digits. You got over here, hit yes or no. They always try to make that easier.

 

And the easier you make it, the less security you usually have. So one of the latest approaches that was used is this idea of proximity pairing or proximity actions. What that is, is if you get close enough to a Bluetooth peripheral, your phone would realize, based on the signal strength, that, hey, this device is pretty close.

 

I should alert the user that this device is nearby and you can interact with it. You could pair to it. So that's like the fast pairing sort of concept.

 

Or you might configure it if it's an Apple TV or some new device. So a nearby action might pop up. And so the idea of the spam is you just take those messages, which are unencrypted Bluetooth Low Energy advertisements, and you just duplicate them.

 

And then you change a little bit about it and transmit it again. And each time you transmit, it's like a new device just showed up. And your phone is just showing pop-up after pop-up after pop-up.

 

And so it's annoying, a little hard to use your phone. But in addition to that, they did find a vulnerability in one of the protocols that did cause a crash back in iOS, I think 1712.

 

Adrian Sanabria

Which, of course, if you're at a conference in a room where there's 200 iPhones, you can really, it goes from annoyance to really causing some havoc. It's alarming if you see a room full of iPhones suddenly rebooting themselves.

 

Jon Bundy

Yeah, you wouldn't be happy. So that was more than an annoyance. But the spam is still baked into the flipper on these alternative firmware.

 

There's three or four kind of main branches that really integrate all of these different apps into one central repository. And then you can just flash it to your flipper using the desktop application or even a web page, Chrome. You just connect it and say, give me the latest thing.

 

And two minutes later, it's updated. And so some of these applications include the Bluetooth spam that crashed. So the first one was for Apple.

 

There's Android spam. There's Samsung spam.

 

Adrian Sanabria

We have an option that says the kitchen sink flood all attacks at once.

 

Jon Bundy

It lights up everything. It goes through every protocol, every message, randomizes bits and pieces, and it blasts it out at a high power, the highest power it can. So as many devices will pick it up.

 

There are ways to turn that off on your phone and on Windows. Yeah, seems to have died down. It was really popular for a while.

 

Adrian Sanabria

Apparently, it did mess with other devices that use Bluetooth, namely infusion pumps. So like an insulin infusion pump, it crashed somebody's pump. Where somebody was messing around with that and they were able to recover it to, I don't know what they had to do, reboot it or something like that.

 

I mean, that's the danger of somebody hitting the equivalent of autopwn in Metasploit on a device like this: lots of things use Bluetooth that you wouldn't think of or even be aware of. So you actually don't know what kind of damage you're going to.

 

Jon Bundy

Yeah, especially when you hit that kitchen sink, right? Because there's some.

 

Adrian Sanabria

Yeah, I didn't even go through the list. Like I'm that guy. I didn't even look through all 11 things before just hitting kitchen sink.

 

Jon Bundy

That's for me. Yeah. Now those all should be targeted to specific phones and operating systems.

 

So I'm a little surprised about this insulin pump, but it's certainly possible with that flood of traffic.

 

Adrian Sanabria

It may not have been this specific attack. It may have been some other payload. I mean, you're just fuzzing the wireless airwaves, right?

 

You know, so unintended consequences are a thing.

 

Jon Bundy

And even if it wasn't from the kitchen sink, it would be because of the nature of the device, someone could create an app that does send that message that causes a problem for a device. Thankfully, I haven't seen too many of those. Most of them have been more of the prank sort of level things like these, including the IR that the most use I found for that is to change the volume or mute TVs or turn them all off.

 

Yeah.

 

Adrian Sanabria

If you want to learn how to solder, there's a fun kit you can get. And it's how I learned how to solder, called TV-B-Gone.

 

Jon Bundy

Yeah.

 

Adrian Sanabria

And that's just one function on this thing out of the many things it does. But I do somewhere in a drawer have a standalone TV-B-Gone, which you just press one button and it sends every known off code, power code, for every known TV in sequence. So within a couple of seconds, pretty much every TV within range of that will turn off.

 

And I don't recommend going into a sports bar during a pay-per-view game or like MMA fight or something like that. And using something like this, if they figure out it's you, it's, it's not super discreet, you know, the white and orange.

 

Jon Bundy

I think people are really, I've seen a lot of this in the media and know what they are. There's been a lot of uncertainty.

 

Adrian Sanabria

It's easy to get in trouble with them, you know, as somewhat innocent as they are, they do make some hacks a little bit easier than maybe they should be. I think really where they hit the headlines and where we saw a lot of the bans come in is the rolling code attacks. Let's talk about the myth that you can steal a car.

 

Jon Bundy

Bottom line is, yeah, you're not going to be able to start the car, pretty unlikely because that uses different technology.

 

Adrian Sanabria

Public private key pair with, yeah, between the, yeah, with the immobilizer in the ignition with the key. So this doesn't do anything with that. The attacks against that are relay attacks where you simulate the key.

 

Somebody stands next to your bedroom or wherever in the house you have the key. To get close to the key itself. And then somebody else has the receiver for that and replays.

 

So it makes it seem like the key is inside the car next to the ignition. This cannot do that. If you go look up how that works, those are big panel antennas.

 

It's really big kit that you need to do that. That's not something that's going to fit into your pocket. What can these do, Josh?

 

Jon Bundy

Yeah. So there's kind of three basic attacks that we can go through with these key fobs. And these are in the sub gigahertz range that we talked about.

 

Historically, I guess the easiest thing to talk about is a replay attack. Like you mentioned, as you see the transmission, you copy it and then you just send it out again. Maybe you don't have any understanding of what it is, but you saw it and you captured it.

 

You replayed it. This works for simple devices that don't change that transmission sequence from press to press. So simple devices like my ceiling fans and lights, you hit a button.

 

It sends the same code out and every time. So I can capture it. And now I can send the same code out.

 

That's just called a replay attack. Most cars realized, well, that's not a good idea. And so they implement something called rolling codes.

 

So rolling code means that the transmitter and the receiver are kind of in sync. They have a pattern of codes that they're going to use and they burn through them as they use them. They burn it and it can't be used again.

 

That prevents a replay, right? So if you send your first transmission and its code is like A, the receiver is like, I'm expecting an A, I see an A, great. Next one's going to be B.

 

So if I see A again, I'll just ignore it. So you try to capture A, you try to replay it, you can't replay it. Then RollJam came about.

 

And that was about 2015, about 10 years ago. RollJam says, you know what? Because the receiver is burning these codes once they're used, what if I jam it so that the receiver doesn't hear that code?

 

And then I capture it. Now I have a code that hasn't been used. Oh, that's great.

 

But the user still wants to get into his car. He's going to hit the unlock button again, right? That's what we all do.

 

It doesn't work. You hit the button again. Code B goes out.

 

You capture that one as well and jam it. Now you have two codes. How do you replay the first code?

 

Code A, A gets burned, door unlocks, user's happy, away they go. You still have B that hasn't been used. But think of how you have to do that.

 

You have to jam the receiver. So you have to have some equipment on the car or near the car, but you still have to pick out the transmission and capture it cleanly. Really difficult to do, but theoretically possible.

 

Probably not going to be something that's done in the real world. Flipper can't do that. But about a year or two ago, there's some noise about more attacks on cars.

 

And this one, there was a paper called RollBack. In this one, they found that the receiver could be convinced to go back in time, to roll back to a previous sequence. If you had enough sequences in a row, if you had A, B, and C, if you could prove that you had those, you're like, oh, well, I must've just got out of sync with my transmitter.

 

It's got three legitimate codes in a row that I expected, even though they were 100 codes ago. I'll just sync back to that. We'll start back over at A, B, and C.

 

And how that would work is if you could get two to five clean captures in a row in the sequence, these vulnerable receivers, you could go back and hit those three to five, and it would roll back to those. And then you can continue to use whatever else you've captured in that future sequence again. You could do that over and over again.

 

You could just roll the receiver back to the initial state. So that capability, or something similar to that, is being sold in these kind of special firmwares that are in the black market. I haven't looked for it.

 

I haven't seen bits there, but that capability is possible. There are certain cars that are vulnerable and certain cars that aren't. So what does that do?

 

That gives you the ability, again, to kind of mimic these key presses, unlock car doors, lock car doors, but not the ability to start it. So that's not a button press, right? That's a different thing going on once you get in proximity.

 

There's a lot of danger in playing around with this one too. You can tend to knock your transmitter, your key fob, and your receiver on your car out of sync, in which case the key has to be opened again. And it's not like Bluetooth pairing.

 

Sometimes you have to go back to your mechanic, you might do something. With all these flippers, and you're like, I want to try to do something. You turn off your TV.

 

Great, that was fun. Let's escalate. Let's try something more fun.

 

Let's see if I can open my car door, that was fun.

 

Adrian Sanabria

And probably most of those are going to be people doing it to themselves, just trying to get the hack to work, right?

 

Jon Bundy

Yeah, they're curious.

 

Adrian Sanabria

I'm a big picture kind of guy. And I study a lot of breaches and crimes. Generally, you don't find super patient criminals, right?

 

If you're going to commit grand theft auto, you don't want to go out there with something that might work, or that's going to take 15 to 30 minutes, or that's really obvious when you do it. You want to know exactly how long it's going to take you. You want to be in and out and done with it quickly.

 

So I imagine this is probably not the tool I'm going to reach for if you actually want to steal a car. If you want to learn more about these attacks, how they work, how wireless devices in your house work, if you want something that's useful in a pinch, if a remote breaks or something like that, there are IR codes, wireless codes posted online where you don't have to even capture it yourself. You can just download these codes and it's documented somewhere on a GitHub and you can just throw them on there.

 

And now that's your remote. It's not going to be the most convenient thing because you have to click like nine levels deep to get to where you saved some of these things.

 

Jon Bundy

I think it's a great tool. It's fun. It's a novelty and it's really polished, like you said, really easy to use.

 

Adrian Sanabria

Yeah, certainly fun to play with, especially for 200 bucks. If you want to learn more about how to do this kind of stuff, it's a good learning platform. So I would recommend picking one up.

 

It hasn't just sat in a drawer and gathered dust. I've used it to play with a bunch of things. Hotel keys.

 

When I go stay in a hotel, there's a MIFARE module that will decode those and your hotel key can now be your Flipper Zero. Increasingly, those are using NFC so that the Marriott or Hyatt or Hilton app on your phone can unlock your door as well. John, thanks for the walkthrough there and the demos.

 

And with that, I think it's a good place to wrap up. Thanks to Bastille for sponsoring this series. Thank you, John, so much for joining me today.

 

Jon Bundy

You're welcome.

 

Adrian Sanabria

You can check out bastille.net/blog for more information on wireless threats. Don't forget to leave a comment with what you'd like to see us discuss next. We'll see you next time.

 

Outro

Thank you to our guests, Adrian Sanabria and John Bundy. Don't forget to like, comment, and subscribe to Carahcast and be sure to listen to our other discussions. If you'd like more information on how Bastille can assist your organization, please visit www.carahsoft.com or email us at bastille at carahsoft.com.

 

Thanks again for listening and have a great day.
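The three key-fob attacks described in the episode (plain replay, RollJam, and the RollBack resynchronisation weakness), as an added simulation that is not part of the podcast, Flipper Zero firmware, or Bastille's material. Everything here is a hypothetical toy model: the shared key, the 4-byte counter, the HMAC tag standing in for the KeeLoq-style encryption real fobs use, the acceptance window, and the "three sequential stale codes resynchronise the receiver" rule are all assumptions chosen to make the behaviour visible, not a description of any particular vehicle.

```python
"""Toy rolling-code model: replay, RollJam and RollBack against a key-fob receiver.

Hypothetical example (not Flipper, vendor or Bastille code). The tag is an HMAC
over the counter as a stand-in for the encryption real fobs use.
"""
import hashlib
import hmac

WINDOW = 16       # receiver accepts counters up to this far ahead (missed presses)
RESYNC_RUN = 3    # toy RollBack rule: this many sequential stale codes resync the receiver
KEY = b"hypothetical-shared-fob-secret"   # constructed for the example, never a real key


def make_code(key: bytes, counter: int) -> bytes:
    """4-byte counter || 8-byte tag. Every press transmits a fresh counter."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        code = make_code(self.key, self.counter)
        self.counter += 1          # the fob burns its counter whether or not anyone heard it
        return code


class Receiver:
    def __init__(self, key: bytes, rollback_vulnerable: bool = False):
        self.key, self.expected = key, 0
        self.rollback_vulnerable = rollback_vulnerable
        self.stale_run: list[int] = []   # sequential valid-but-already-burned counters seen

    def _authentic_counter(self, code: bytes):
        if len(code) != 12:
            return None
        counter = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code[4:], make_code(self.key, counter)[4:]):
            return None
        return counter

    def receive(self, code: bytes) -> bool:
        """True if the door unlocks for this transmission."""
        counter = self._authentic_counter(code)
        if counter is None:
            return False
        if self.expected <= counter < self.expected + WINDOW:
            self.expected = counter + 1   # burn this code and everything before it
            self.stale_run = []
            return True
        # Authentic but stale (or too far ahead): a correct receiver stops here.
        if not self.rollback_vulnerable:
            return False
        # Toy RollBack behaviour: a run of sequential old codes looks like an
        # out-of-sync fob, so the receiver "helpfully" resynchronises to them.
        if self.stale_run and counter == self.stale_run[-1] + 1:
            self.stale_run.append(counter)
        else:
            self.stale_run = [counter]
        if len(self.stale_run) >= RESYNC_RUN:
            self.expected = counter + 1
            self.stale_run = []
            return True
        return False


def replay_attack() -> bool:
    """Capture a code the receiver already consumed and send it again."""
    fob, rx = Fob(KEY), Receiver(KEY)
    a = fob.press()
    rx.receive(a)            # owner unlocks normally; attacker sniffed A
    return rx.receive(a)     # replay: False, counter 0 is already burned


def rolljam_attack(owner_presses_first: bool) -> tuple:
    """Jam the first two presses, forward A so the owner gets in, keep B in reserve."""
    fob, rx = Fob(KEY), Receiver(KEY)
    a = fob.press()          # jammed: receiver never sees it, attacker captures it
    b = fob.press()          # owner retries; jammed and captured again
    owner_in = rx.receive(a) # attacker forwards A: door opens, owner suspects nothing
    if owner_presses_first:
        rx.receive(fob.press())   # owner uses the fob again before the attacker returns
    return owner_in, rx.receive(b)   # B only works if the owner has not pressed since


def rollback_attack(rollback_vulnerable: bool) -> bool:
    """Replay RESYNC_RUN old sequential codes long after they were burned."""
    fob, rx = Fob(KEY), Receiver(KEY, rollback_vulnerable)
    captured = [fob.press() for _ in range(RESYNC_RUN)]
    for c in captured:
        rx.receive(c)        # owner really used these; attacker only recorded them
    for _ in range(100):
        rx.receive(fob.press())   # 100 ordinary presses later...
    return [rx.receive(c) for c in captured][-1]   # ...does the old run still unlock?


if __name__ == "__main__":
    print("replay              :", replay_attack())                   # False
    print("rolljam (B held)    :", rolljam_attack(False))              # (True, True)
    print("rolljam (owner 1st) :", rolljam_attack(True))               # (True, False)
    print("rollback vuln/fixed :", rollback_attack(True), rollback_attack(False))  # True False
```

The model shows the two caveats the conversation raises: a RollJam spare code is only good until the owner's next press moves the receiver's counter past it, and the RollBack condition depends entirely on a receiver that treats a run of stale sequential codes as a legitimate resync; the `rollback_vulnerable=False` receiver rejects exactly the same captures.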