Experimenting with Signal Capturing: A Flipper Zero Story

VXRL
5 min read · Nov 10, 2023

Twitter: @Darkfloyd1014

Recently, I had an experience that reinforced the significance of radio frequency security. Sitting in a Singaporean restaurant located in Hong Kong, I found myself amidst a perfect opportunity to test my Flipper Zero, a multipurpose hacking device that fits right into the pocket.

Setting the Scene

The restaurant was bustling, but amidst the clatter and chatter, a distinctive sound stood out — the ring of the pick-up device signaling that an order was ready. Other than enjoying the delicious fish ball noodles with Kaya toast, I decided to utilize my Flipper Zero to capture and replay this signal, essentially enabling the device to sound again at my command.

Fish ball noodles are quite good for hackers

The Experiment

The Flipper Zero is an all-in-one tool for pentesters and hardware hackers, providing functionalities like signal capturing and replaying. This capability made it perfect for this experiment. The device operates in a frequency range around 433 MHz, making it able to interact with a wide variety of everyday devices — including the restaurant’s pick-up device.

I simply start the Flipper Zero's scanning mode, which is more or less passive scanning, at a frequency of 433 MHz, as I have learnt that most food order pick-up devices operate between 424 MHz and 469 MHz.

Scanning for any food order pick up request signal

Fortunately, an order for the customers at a neighboring table was ready for pick-up, so I could capture the signal as shown below:

Successfully capturing the food order completion signal

I simply save the request for replay purposes.

Saving the captured signal

Finally, to verify that my captured signal was valid, I replayed it to the wireless food order pick-up device, causing the device to sound again as if another order was ready:

The Implications

While this may seem like a harmless prank, it underscores a significant security issue. In a world increasingly reliant on wireless communications, the ability to capture and manipulate signals can lead to serious breaches.

Imagine if the signal I captured wasn’t from a restaurant’s pick-up device, but from a security system’s door sensor or a car’s key fob. The potential for misuse is vast — from causing minor inconveniences and confusion, to facilitating unauthorized access and theft.

Moreover, this experiment was conducted with a consumer device, which means anyone with a Flipper Zero and a little know-how could potentially do the same. It highlights the need for devices to use secure methods of communication, such as encryption and rolling codes, to protect against such threats.

Strengthening Security

So, how can we mitigate such risks? Firstly, manufacturers need to prioritize security in their designs. This could mean employing encrypted signals or using rolling codes that change with each use, making captured signals useless.
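The difference between a static code and a rolling code, as an added example (not code from the original post or from any real pager or key-fob product): a fixed-code receiver accepts a captured frame again, while a counter-plus-HMAC receiver rejects the replay. The frame layout, key, device ID, window size and class names are assumptions made for illustration.

```python
import hashlib
import hmac

class FixedCodeReceiver:
    """Pager-style receiver: one static code, valid forever, so a replay works."""
    def __init__(self, code: bytes):
        self.code = code
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:8]  # truncated MAC

class RollingCodeTransmitter:
    def __init__(self, key: bytes, device_id: int):
        self.key, self.device_id, self.counter = key, device_id, 0
    def press(self) -> bytes:
        self.counter += 1  # every transmission uses a fresh counter
        body = self.device_id.to_bytes(4, "big") + self.counter.to_bytes(4, "big")
        return body + _tag(self.key, body)

class RollingCodeReceiver:
    WINDOW = 16  # assumed tolerance for presses the receiver never heard
    def __init__(self, key: bytes, device_id: int):
        self.key, self.device_id, self.last = key, device_id, 0
    def accept(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        body, tag = frame[:8], frame[8:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False  # forged or corrupted frame
        dev, ctr = int.from_bytes(body[:4], "big"), int.from_bytes(body[4:], "big")
        if dev != self.device_id or not self.last < ctr <= self.last + self.WINDOW:
            return False  # wrong device, replayed counter, or too far ahead
        self.last = ctr  # burn this counter and every one before it
        return True

def demo() -> dict:
    key = bytes(range(32))                   # constructed demo key
    static = b"\xa5\x5a\x01"                 # constructed static pager code
    fixed = FixedCodeReceiver(static)
    tx, rx = RollingCodeTransmitter(key, 0x1001), RollingCodeReceiver(key, 0x1001)
    captured = tx.press()                    # frame an eavesdropper records
    return {
        "fixed_first": fixed.accept(static), "fixed_replay": fixed.accept(static),
        "rolling_first": rx.accept(captured), "rolling_replay": rx.accept(captured),
        "rolling_next": rx.accept(tx.press()),
    }
```

The acceptance window is a trade-off: it tolerates presses the receiver never heard, but any frame the receiver has not yet seen stays valid until a later counter is accepted.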

Consumers, too, have a role to play. When purchasing wireless devices, it’s crucial to consider their security features. Moreover, being aware of the potential vulnerabilities can encourage us to take preventative measures such as regular system updates and extra layers of physical security.

More Impact

People may not imagine that, with a long-distance antenna, we can launch a large-scale DoS (Denial of Service), such as shutting down TVs, screens, and air conditioning in hotels and/or arcades. How about the iPhone? Yes, it has already been proven that we can launch a DoS attack against an iPhone with a Flipper Zero:

I am very thankful to my Korean hacker friend, Juno, from Theori, who advised me to install https://flipper-xtre.me/update/ after he showed off how to DoS his iPhone running iOS version 17.0.x. Installation is not difficult:

Installation of Flipper Xtreme Firmware

However, this build is the stable production build and does not include BLE spam. I found from other posts on Google that the BLE spam app is available in the development build. I simply registered and logged in to their Discord channel to get access to the development build. Once downloaded, you can update the firmware with the qFlipper application by manually selecting the firmware file at “Install from file”.

Download and install the development build
Install from file: Select your downloaded dev build firmware
BLE Spammer app is under App/Bluetooth
Select the iPhone iOS 17 to start the Lockup crash

I did not have an iPhone with iOS 17 on hand; my phone is still on iOS 16.6.1, as I always observe whether a production build or update is stable before any upgrade. However, if there are more critical vulnerabilities, including RCE (Remote Code Execution), it is always recommended to update the iOS version. My phone’s iOS version is vulnerable to arbitrary code execution in ImageIO and Wallet. That is the reason we are required to consider and balance the trade-off in security vulnerability impact.

iOS versions below 17.x.x are not vulnerable to the BLE Spam attack

For demonstration purposes, I simply selected iOS 17 from the menu and launched the attack against nobody.

However, you can imagine that if I started this crash on public transport, it would cause a DoS attack against mobile devices in public. From the menu, I can target other devices, including Android devices.

Conclusion

In a world where almost everything communicates wirelessly, we must consider the security of those communications. My experiment with the Flipper Zero at Toast was a small but significant demonstration of this principle.

As we move forward, both manufacturers and consumers must prioritize security to ensure that our wireless communications are as safe as they are convenient.

---

Disclaimer: The signal capturing and replaying and iOS 17.x.x crash experiments described in this blog post were not intended to cause any harm or inconvenience. Always respect privacy and legality when experimenting with devices like Flipper Zero.


VXRL

VXRL Team is founded by a group of enthusiastic security researchers, providing information security services and contributing to the community. https://www.vxrl.hk