Flipper Zero Pen Tester Hacks Access Control
Flipper Zero is a portable multi-tool designed to hack digital solutions, including access control systems, automation controllers, RF protocols, and plenty more.
From the point of view of electronic security techs, the customisable, no-pins, open-source device is as scary as it is fascinating and potentially useful as a pen-tester. But while it offers useful functions for trouble-shooters, it also allows unauthorised snoopers to poke around access control solutions in a way that will have security integrators re-considering the security levels of their control cabinets.
While the device looks like a toy, the product’s specifications are serious stuff. There’s an ARM Cortex-M4 32-bit 64 MHz applications processor and an ARM Cortex-M0+ 32 MHz network processor, with Flash memory of 1024 KB and FAT32 formatted microSD card support.
The unit has an integrated 128 x 64 pixel LCD monochrome display, a 5-button joystick with back button, a 2000 mAh rechargeable battery, support for sub-1 GHz frequencies including 315 MHz, 433 MHz, 868 MHz and 915 MHz (depending on regions), as well as 13.56 MHz NFC and 125 kHz RFID – these are access credential and automatic gate/door frequencies.
There’s also an 18 GPIO connector and infrared at 800-950nm with 300mW transmit power, plus iButton 1-wire support for Dallas DS1990A/CYFRAL button credentials and USB 2.0 type C.
What can Flipper Zero do? Controlled by a 5-position directional pad, it’s able to explore access control systems using common scripts and functions stored on board, while third-party applications allow deeper dives. Thanks to an integrated 433MHz antenna and CC1101 chip, it can act as a transceiver capable of handling ranges up to 50m.
Flipper Zero’s 433 MHz CC1101 functionality supports digital modulations including 2-FSK, 4-FSK, GFSK and MSK, as well as OOK and flexible ASK shaping. The capability means you can perform any digital communication in your applications, including connecting to IoT devices and access control systems.
The old 125kHz frequency stores an N-byte ID and is insecure – Flipper makes it less so. The device can read, clone, store and then emulate 125kHz credentials like EM4100. It’s also possible to enter card IDs manually. The fact 125kHz is still widely used in garage remotes is a security issue, particularly for people who rely on their garage door as a first and last line of perimeter defence.
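As an added example (not from the article and not Flipper Zero firmware code), this Python decoder walks the EM4100 64-bit frame to show why such a credential offers no protection against copying: every bit is either framing, parity or the fixed ID itself. The function names and the sample ID are constructed for illustration.

```python
# Added example: EM4100 64-bit frame layout, using constructed sample data.
HEADER = [1] * 9  # nine '1' bits mark the start of a frame

def _even_parity(bits):
    return sum(bits) % 2

def build_frame(card_id: bytes) -> list:
    """Lay a 5-byte ID out as a 64-bit frame (used here only to build the sample)."""
    if len(card_id) != 5:
        raise ValueError("EM4100 carries exactly 40 data bits (5 bytes)")
    nibbles = [(b >> s) & 0xF for b in card_id for s in (4, 0)]
    rows = [[(n >> i) & 1 for i in (3, 2, 1, 0)] for n in nibbles]
    frame = list(HEADER)
    for row in rows:
        frame += row + [_even_parity(row)]          # 4 data bits + row parity
    frame += [_even_parity([r[c] for r in rows]) for c in range(4)]
    return frame + [0]                              # stop bit

def decode_frame(frame: list) -> bytes:
    """Validate header, row/column parity and stop bit; return the 5-byte ID."""
    if len(frame) != 64 or frame[:9] != HEADER or frame[63] != 0:
        raise ValueError("bad header, length or stop bit")
    rows = []
    for r in range(10):
        chunk = frame[9 + 5 * r: 14 + 5 * r]
        if _even_parity(chunk[:4]) != chunk[4]:
            raise ValueError(f"row {r} parity error")
        rows.append(chunk[:4])
    for c in range(4):
        if _even_parity([row[c] for row in rows]) != frame[59 + c]:
            raise ValueError(f"column {c} parity error")
    nibbles = [int("".join(map(str, row)), 2) for row in rows]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 10, 2))

def field_budget() -> dict:
    """How the 64 bits are spent: none is left for a key, nonce or counter."""
    return {"header": 9, "data": 40, "row_parity": 10, "column_parity": 4, "stop": 1}

SAMPLE_ID = bytes.fromhex("0A00123456")  # constructed value, not a real credential

if __name__ == "__main__":
    frame = build_frame(SAMPLE_ID)
    print("frame :", "".join(map(str, frame)))
    print("id    :", decode_frame(frame).hex().upper())
    print("budget:", field_budget(), "total", sum(field_budget().values()))
```

Parity catches read errors only; the reader has no way to tell the original tag from anything that presents the same 40 bits, which is why sites still on 125kHz credentials should plan a move to cards that authenticate.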
The fact Flipper Zero can do the same thing with 13.56MHz credentials is more of a concern. Thanks to its NFC module, which supports all standards, including NXP Mifare, Flipper can read, write, store and emulate HF credentials, too.
And its integrated Bluetooth Low Energy module allows the unit to interact with Bluetooth devices. BLE support allows Flipper Zero to operate as BLE host or peripheral device, connecting to 3rd-party devices and a smartphone simultaneously.
Flipper Zero allows hardware exploration, firmware flashing, debugging, and fuzzing. It can be connected to any piece of hardware using those GPIO pins to control that hardware via its buttons, as well as run Flipper’s code.
Flipper Zero’s 1-Wire connector for iButtons (DS1990A, Touch Memory or Dallas key) also allows it to read and emulate contact keys. This technology typically uses 1-Wire protocol without authentication. Flipper can easily read these keys, store IDs to the memory, write IDs to blank keys and emulate the key itself. Flipper Zero has a contact pad that works as a reader and a probe to connect to iButton sockets at the same time. This mode can intercept the 1-Wire data line.
The unit is 100 x 40 x 25mm in size, weighs 102 grams, is constructed of poly, has an operating temp of 0-40C, and an input voltage of 5V.
Read more news at SEN.