Recently, I had an experience that reinforced the significance of radio frequency security. Sitting in a Singaporean restaurant located in Hong Kong, I found myself amidst a perfect opportunity to test my Flipper Zero, a multipurpose hacking device that fits right into the pocket.
Setting the Scene
The restaurant was bustling, but amidst the clatter and chatter, a distinctive sound stood out — the ring of the pick-up device signaling that an order was ready. Other than enjoying the delicious fish ball noodles with Kaya toast, I decided to utilize my Flipper Zero to capture and replay this signal, essentially enabling the device to sound again at my command.
The Flipper Zero is an all-in-one tool for pentesters and hardware hackers, providing functionalities like signal capturing and replaying. This capability made it perfect for this experiment. The device operates in a frequency range around 433 MHz, making it able to interact with a wide variety of everyday devices — including the restaurant’s pick-up device.
I simply start the scanning mode, it is more or less passive scanning, of the Flipper Zero at the frequency 433 MHz, as I have learnt most of the food order pick up device is within the range of 424 MHz and 469 MHz.
Fortunately, there are customers order can be picked up in my neighboring table, I can capture the signal as below:
I simply save the request for the replay purpose.
Finally, I attempt to verify my captured signal is valid and simply replay it to the wireless food order pick-up device, I replayed the signal, causing the device to sound again as if another order was ready:
Wireless Food Pick-Up Device Signal Replay
We attempt to capture the food pick-up signal and then replay it with Flipper Zero device
While this may seem like a harmless prank, it underscores a significant security issue. In a world increasingly reliant on wireless communications, the ability to capture and manipulate signals can lead to serious breaches.
Imagine if the signal I captured wasn’t from a restaurant’s pick-up device, but from a security system’s door sensor or a car’s key fob. The potential for misuse is vast — from causing minor inconveniences and confusion, to facilitating unauthorized access and theft.
Moreover, this experiment was conducted with a consumer device, which means anyone with a Flipper Zero and a little know-how could potentially do the same. It highlights the need for devices to use secure methods of communication, such as encryption and rolling codes, to protect against such threats.
So, how can we mitigate such risks? Firstly, manufacturers need to prioritize security in their designs. This could mean employing encrypted signals or using rolling codes that change with each use, making captured signals useless.
Consumers, too, have a role to play. When purchasing wireless devices, it’s crucial to consider their security features. Moreover, being aware of the potential vulnerabilities can encourage us to take preventative measures such as regular system updates and extra layers of physical security.
People may lack imagination that we can set up a long-distance antenna, we can launch a large scale of DoS (Denial of Service) like shutting down TV, Screens, Air conditioning in hotel or/and in arcades. How about iPhone? Yes, it is already proven we can launch DoS attack against iPhone with Flipper Zero:
I am very thankful to my Korean hacker friend, Juno, from Theori, advises me to install https://flipper-xtre.me/update/ after he shows off how to DoS his iPhone with iOS version 17.0.x. Installation is not difficult:
However, this build is production stable and does not include BLE spam, I have found from other posts in Google, that the BLE spam app is available in development build. I simply register and login to their discord channel, putting myself to access development build. Once downloaded, you can update the firmware with qFlipper application and manually select the firmware file for the update at “Install from file”.
As I did not have an iPhone with iOS 17 on hand, my phone is still with iOS 16.6.1 as I always observe whether the production build or update is stable before any upgrade. However, if there are more critical vulnerabilities including RCE (Remote Code Execution), is always recommended to update the iOS version. For my phone’s iOS version, it is vulnerable to arbitrary code execution in ImageIO and Wallet with this version. That is reason we are required to consider and balance the security vulnerability impact trade-off.
For demonstration purpose, I simply select the iOS 17 from the menu and launch the attack against nobody.
BLE Spammer with Flipper Zero (dev build)
Discord channel in Extreme:Ble spamYes, we do include our code inside our code. The BLE attack is our work, and you…
However, you can imagine if I start this crash in public transport, it will be causing DoS attack against their mobile devices in public. From the menu, I can target other devices including Android device.
In a world where almost everything communicates wirelessly, we must consider the security of those communications. My experiment with the Flipper Zero at Toast was a small but significant demonstration of this principle.
As we move forward, both manufacturers and consumers must prioritize security to ensure that our wireless communications are as safe as they are convenient.
Disclaimer: The signal capturing and replaying and iOS 17.x.x crash experiments described in this blog post was not intended to cause any harm or inconvenience. Always respect privacy and legality when experimenting with devices like Flipper Zero.