Owning a dolphin

Finally bought a Flipper Zero! If you’ve seen me on Twitter (how else would you find this post), you may have seen me posting some Flipper shenanigans. Now I will try to explain why I bought it and what it has done for me so far.

NOTE: I have a Proxmark 3 EASY and a Chameleon Mini RevE Rebooted. These two devices were basically cupboard purchases, since at that time, I did not even look into these areas of research. I did not realize yet that the rabbit hole goes waaaaaay past these two devices. Yes, I’m a cheapskate.

How I bought the dolphin

A friend brought the Flipper to my attention while it was still nothing more than a Kickstarter. Being the wary soul that I am, I said “Well, when it comes out, we’ll see. I want to wait for the reviews.” After the first version came out and Twitter/Mastodon started blowing up about the Flipper, I had a moment of FOMO, but then I thought “surely, the devices will wait for me to save up for it and still be in stock.”

Oh boy, was I wrong!

This just proved to me that I’m not the consoomer I never wanted to be. Good. However, the thing flew off the shelves! And I now saw what the device was and what it could do! I knew that I wanted something for physical access, but the Proxmark 3 RDV4.1 was, honestly, way too expensive for my student rectum. I saw this device as a great way to have something of each: LF and HF antenna, sub-GHz transceiver, an IR blaster, and stuff I’d probably never use (I was wrong on that, too). I knew it couldn’t do the leet h4xx0r stuff people like Iceman are doing, but it would do, and hopefully, over time, it would get better and I’d have someone to support my needs. After all, it’s open source and I’m too lazy to code anything more permanent than a bash one-liner.

Unfortunately, new Flippers were seemingly nowhere to be found. No one had them in stock. I therefore put the hackery dolphin in the neat back of my mind… and forgot about it for 2 years.

Recently, I thought about buying a hacker toy for all my shenanigans, and my mind went to the Proxmark. Seeing as it was still a bit on the steep side (I had taken out a mortgage on a flat a year before), I didn’t think I could explain that to my loved ones without receiving eye-rolls. The Flipper, while not cheaper by much, was still a thing that had more potential features and was right in my price range. So I ordered it.

The device arrived 8 days later. Thanks, Lab401!

Why I bought the dolphin

As mentioned above, I bought the dolphin because it had all the potential hardware and functions I may need. I did not know exactly how to use them, but that was the thing! I can read about stuff all day long (you’re reading this right now), but unless I try it myself, I will not know where the issues lie and how the thing stacks up against devices like the Proxmark. Yes, Proxmark is my benchmark for this project, since when I think physical, I think RFID/HID/NFC cards.

I was not overly optimistic, I did not expect the Flipper to “revolutionize” anything, but I knew I wanted hardware to play with and try out on my cards, access or otherwise.

Oh boy, was I wrong! (starting to see the pattern, eh?)

The Flipper surprised me. Let’s start with the “parlor tricks”, something I can show my family and they’ll think “nifty, I see the effect and it impressed me.”

The IR blaster worked great. I uploaded several TV settings (I have a monitor at home, but it does come with a remote) and tried it. Sure enough, the screen now did the dolphin’s bidding! From now on, every time I’m feeling down, I take a walk through the city and just turn off anything I can find. Billboards are still a nuisance, but I know they are Samsung (from Bluetooth scans) and I believe they have the IR receivers hidden, removed or non-existent. No matter, a way shall be found for those pesky ads to be less abusive.

I had no real chance to try the sub-GHz transceiver, as I don’t have anything around me that might work without me sitting around first and capturing legitimate connections.

It did manage to read LF cards no problem (I knew it would, since LF is usually not well-protected). It even managed to read several HF cards that I threw at it! By doing so, I learned several things:

  • My public transport card is good enough to not be abused by the Flipper.
  • London’s Oyster card is shit for the opposite reason (it was read, copied, and Flipper did not error out when emulating).
  • I can write LF credentials to other formats.
  • I cannot write HF credentials to a magic card.

My main issue with the local public transport card is the fact that it’s a DESFire (can’t tell you the version, but it’s not something cloneable by the Flipper). The Oyster seems to be a different kind, or a kind of card that more hackers know about, and so the thing was broken. It appears that ISIC cards are very vulnerable to this attack, only needing a few seconds to crack 32/32 keys on the card (16 for A, 16 for B, that much I know from Proxmark tutorials).
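The “16 for A, 16 for B” count matches a MIFARE Classic 1K layout (16 sectors, each with a key A and a key B in its sector trailer), and a key dictionary like the one the Flipper ships with only works when those keys are factory defaults. As an added example (not code from this post or from the Flipper project), here is an audit script that takes a dump in that layout and reports which sector keys sit in a public default-key list, i.e. which sectors a dictionary run would open in seconds. The card layout is assumed to be Classic 1K, and the dump, the four-entry key list and the made-up “sector 5” keys are constructed placeholders.

```python
SECTORS, BLOCKS_PER_SECTOR, BLOCK_LEN = 16, 4, 16
DUMP_LEN = SECTORS * BLOCKS_PER_SECTOR * BLOCK_LEN  # 1024 bytes for a Classic 1K

# Constructed sample dictionary: a few widely published factory/transport keys.
# A real audit would load the multi-thousand-entry list the Flipper ships with.
DEFAULT_KEYS = {
    bytes.fromhex("ffffffffffff"),
    bytes.fromhex("000000000000"),
    bytes.fromhex("a0a1a2a3a4a5"),
    bytes.fromhex("d3f7d3f7d3f7"),
}

def parse_trailers(dump: bytes) -> list[tuple[int, bytes, bytes]]:
    """Return (sector, key_a, key_b) from block 3 of each of the 16 sectors.
    Trailer layout: bytes 0-5 key A, 6-9 access bits, 10-15 key B."""
    if len(dump) != DUMP_LEN:
        raise ValueError(f"expected a {DUMP_LEN}-byte Classic 1K dump, got {len(dump)}")
    keys = []
    for s in range(SECTORS):
        off = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_LEN
        trailer = dump[off:off + BLOCK_LEN]
        keys.append((s, trailer[0:6], trailer[10:16]))
    return keys

def weak_sectors(dump: bytes, dictionary=DEFAULT_KEYS) -> list[tuple[int, str]]:
    """(sector, 'A'|'B') for every key in the public list: those fall in seconds."""
    hits = []
    for sector, key_a, key_b in parse_trailers(dump):
        if key_a in dictionary:
            hits.append((sector, "A"))
        if key_b in dictionary:
            hits.append((sector, "B"))
    return hits

def build_sample_dump() -> bytes:
    """Constructed dump: factory keys everywhere except sector 5 (made-up per-card keys)."""
    access = bytes.fromhex("ff078069")  # the usual default access conditions
    out = bytearray()
    for s in range(SECTORS):
        out += bytes(3 * BLOCK_LEN)  # three data blocks, zeroed for the sample
        if s == 5:
            out += bytes.fromhex("112233445566") + access + bytes.fromhex("665544332211")
        else:
            out += bytes.fromhex("ffffffffffff") + access + bytes.fromhex("a0a1a2a3a4a5")
    return bytes(out)

if __name__ == "__main__":
    print(weak_sectors(build_sample_dump()))  # 30 hits; sector 5 survives the dictionary
```

A card whose trailers all come back with hits is exactly the ISIC situation above; a card whose keys are diversified per card (the sector 5 case) is what an issuer should be handing out.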

What did I loot?

I can’t say I’ve “looted” anything, since these credentials were given to me willingly and not under duress, under the understanding that I would not abuse the credentials (if read) and that I would not spread them around. Therefore, as of today, I am the proud owner of:

2 ISIC cards (provided by former pupils) - My former pupils use ISIC cards to access their school, and were the only people within reach who had ISIC cards. The Flipper made short work of them, having been preloaded with ~3000 different keys.

1 house entrance chip-format key - My colleague let me try out his house key and find out what frequency it runs on and if it could be scanned. Flipper found the chip as an LF format chip. I do not know where this colleague lives (and I honestly value him more for not telling me on day one), but to repay him for offering his house key to the dolphin, I wrote his keyfob-style chip on a rewritable card. He now has one less thing on his keychain and can keep his house key in his wallet.

1 Dallas key to an employee toilet - This one came from my pupils as well, as for several days, I was actively asking people for a Dallas (or 1-Wire) key for me to try. It read no problem; I still have not visited the place to check whether emulation works as well.

1 cargo elevator chip at work - The cargo elevator in my building is a spacious thing using LF credentials to allow people to go up and down. The doors can be opened no problem, however once you are inside, unless you have the keyfob, you are shit out of luck. I managed to borrow the key (literally, you can borrow it for a $20 down payment in case you lose it). The lady at reception was not very keen on giving it to me, since it was “her last one and she didn’t have any others.” I cloned it in seconds inside the elevator, facing away from the camera. Yes, there is a camera, that’s why I’m not using the cargo elevator as my personal chauffeur. (NOTE: Still wondering if I should buy a couple of empty keyfobs and write the elevator credentials on them. I could gift-wrap them for the lobby staff, since they are always helpful.)

… and a partridge in a pear treeeeeeeee!

In closing

To close this one off, I should say that I’m very happy with the Flipper Zero. If you want one (I’m not affiliated, but fuck it, it’s my site, I’ll shill who I like), you can get one at Flipperzero.one. If you’re in the EU, Lab401 still has them in stock as of today.

If you want to give your default Flipper some more oomph, I used this repo to get any information I may need, as well as the official documentation: Awesome Flipper - GitHub

If you want to know about my experience personally, you can catch me on Twitter. I can’t think why you would specifically want my opinion, but hey, it’s your sanity ;-)

That is all, folks! Next time, I’ll probably rant on about the OSCP labs and how pain makes me giddy.