
I kind of hate the Flipper Zero on principle. It's basically a script kiddie device for hardware. People use them to essentially DDOS cell phones with BLE connection requests. You can do it with any microcontroller with a 2.4GHz radio, but this thing makes it easy for annoying people to just pull a script from the internet and make it everyone else's problem.



> and make it everyone else's problem

Seems like the focus should be on who is allowing and enabling this type of usage. Manufacturers, since they do not act of their own free will, need to be compelled to actually release secure software.

If anything, I love that the Flipper Zero is revealing how vulnerable a lot of this technology is. It hasn't been this easy before to execute radio hacks while mobile, nor in such a game-like/product format. Consequently, I think many people have not realized how secure their devices actually are.

It seems that people are finally becoming aware of how unsafe many of these products are. Unfortunately, they are mistakenly focusing the blame on the wrong party.

Fixing the security holes also protects everything against truly "evil malicious" actors, not just "fun malicious" actors, so it has its benefits to force manufacturers to up their game.


There's a limit to how resilient you can make wireless communication. Ultimately protocols like Wi-Fi rely on everyone on the frequency working together to facilitate smooth communication. If you want to disrupt that, then you'll always be able to throw a wrench into that.


Denying communication will always be possible, you just have to be loud enough to drown everyone else out. But spoofing stuff doesn't have to be possible. You can design RF communications with various kinds of encryption that make spoofing very difficult.


RF jammers also expose how vulnerable most RF devices are to DOS attacks. But I don't think that's particularly helpful to anyone, nor should those devices be unrestricted in their distribution or use.

RF spectrum inherently requires rules and cooperation -- if it were a free for all, user beware type of situation, it just wouldn't work.


The Flipper Zero scaremongering isn't about DoS attacks, but about protocol attacks. It probably could be used as a jammer but that's not interesting. It's more useful for demonstrating that a lot of firmware is about as secure as using plaintext telnet with u/p "admin/admin".


The GP mentioned DoS attacks which was why I pulled on that thread. The vulnerabilities exploited by this Flipper Zero are not novel, they're already known to industry experts. The main difference with this device is that they're more accessible to non-technical folks. That in and of itself is bringing attention to the issue, but is that really helpful? To me, it seems akin to handing out bricks in nice neighborhoods to highlight the security weaknesses posed by windows without bars on them. Security is not without cost. The ideal society to live in is not one with the most security, it is the one with the most trust.

A lot about order in society relies on most mischievants being actors of opportunity.


I’ve worked in infosec for decades. Yes, it’s absolutely helpful to bring attention to the issue. Manufacturers have historically ignored findings that didn’t get press. That’s why groups like Google’s Project Zero have policies to disclose vulnerabilities after the vendor has been given a reasonable window to fix them in. It’d be awesome if the vendors would fix their stuff without that pressure, but again, data shows that most won’t.

I think the brick and window analogy fails here. Thing is, the real bad guys generally already know about the best weaknesses to exploit. I think a better analogy would be pointing out that a storefront in a high-crime area doesn’t actually have glass in its windows. Robbers already knew that. Now the locals are telling the shop owner that they need to install some windows, quickly.


> Thing is, the real bad guys generally already know about the best weaknesses to exploit.

Who are "the real bad guys"? Highly motivated, highly intelligent attackers? That's a valid concern if you're a high value target, but most people aren't. The vast majority of crime is the result of ease and opportunity, not expertise.

I live in a place with high rates of vehicle thefts. Essentially all of them are performed by low skill attackers who use low skill attacks at the physical layer. Carjackers don't care about anyone's rolling code implementation.

I don't think Flipper Zero is anything to worry about, most abuse is probably just going to be edgy kids who are doing annoying things, unsyncing their friend's car keys, etc. But I disagree with the general sentiment that any proliferation of tools that escalates the need for security is always a good thing. Generally, increasing the opportunity and ease of crime is a bad thing.


While I get and appreciate your point, I still disagree. If a vulnerability is patched, it doesn't matter if there are 1 or 1,000 tools targeting it. In the case of small, RF-configurable systems, there are already enough in the wild to get the attention of bad actors. I was at a conference where someone discussed exploratory attacks they'd found where an attacker would target an embedded medical device, compromise it, then have the device emulate a Bluetooth keyboard to target the victim's work computer.

I genuinely believe that the makers of such devices have coasted way too long on security through obscurity. These weaknesses need to be highlighted so that there's political pressure to fix them. If someone uses a Flipper Zero or the like to attack a cochlear implant, they should be punished for it. So should the manufacturer of the implant who released an insecure medical device into the wild. If the Flipper's popularity is what draws attention to the broken medical device, then good for Flipper! Maybe they'll patch the problem before North Korea can use it to launch cyberattacks.


I think that's a naively academic and cryptographically focused view of security.

Bad actors are not a monolith. There are many different types of attackers with different means and motivations who will take different actions against different targets and different types of technologies. Threat profiling is a thing for a reason, and it absolutely does matter whether or not a particular threat has the means and/or motivation to exploit a vulnerability. It is the only thing that does matter, outside of a technical academic context.

Yes, security through obscurity is not a rigorous approach to implementing a cryptography system, but it is a completely valid approach in other security disciplines outside of cryptography or digital security. Too many people make the mistake of incorrectly assuming that cryptography security principles apply to the broader practice of security as a whole. Digital security is only as useful as it is to support a holistic model of security. Digital security in isolation is just an academic exercise. It has to be implemented to be useful, and when implemented, operational security and threat modeling are very relevant.

> If a vulnerability is patched, it doesn't matter if there are 1 or 1,000 tools targeting it.

It does matter what the real-world observed rate of patch compliance is, the cost to patch, and whether or not those tools will be used nefariously. If you have an academically obscure remote exploit for a pacemaker, that requires a hardware patch, please don't write a script that makes it easy for non-technical people to exploit, and post it on GitHub. While this will certainly encourage a fix to future pacemakers, the cost may not be worth it.


Manufacturers can do better but aren't these users committing felonies? Why aren't we focusing on that? Also, maybe we don't want to deal with all the extra BS that secure RF requires.


This is the common excuse for adversarial hacking, and while it has some basis in fact it's also a justification for the endless security arms race and downward spiral into zero-trust. As the man said “Your scientists were so preoccupied with whether they could, they didn't stop to think if they should.”


On the other hand, it's exposing just how sloppy devices are with their wireless signals + code handlers.

IIRC this is in Canada, but in the US (and probably Canada too), the FCC has rules against creating harmful interference. Fine + punish the people creating the interference, rather than the tools that people can use to learn, debug + protect these devices that are vulnerable.


There is nothing this can do that a normal microcontroller can't do. Banning this device does nothing to harm penetration testing. It just mitigates the ease with which these exploits can be widely abused.


That's kind of the point though - the more widespread you see it being used the more likely it is that the tool itself will get more attention and the targets of the tool will get more attention. The point of a bill like this is to show the population that politicians are doing something, and trying to avoid nation/global news covering the topic.

For another example of similar politician behavior just look at how LA is handling the graffiti towers. They're driven by concern about being on the national stage and the corruption of the whole system being put on display, not about the graffiti.


> Fine + punish the people creating the interference

This isn't a realistic solution because the difficulty of identifying people abusing these devices is high. The usual US approach is to jack penalties up way high to offset the low probability of capture, which inevitably leads to disproportionate sentences and an even greater erosion of respect for the legal system.


Security is needed because some don't want to play by the rules. If nobody tried to break in, why bother putting a lock on your door?


That's like saying any infrastructure is sloppily done because it's vulnerable to DDoS attacks. DDoS attacks are already illegal, but people still perform attacks. That's not the site operator's fault, and it's victim blaming.


Except here "DDoS" means "one person with a $200 radio". I don't expect my devices to stand up to prolonged attacks against state actors. I do hope they can survive someone sending them invalid packets.


Oh they'll survive invalid packets. It's the sheer amount of packets that are the problem, and wireless signals are just inherently hard to protect against malicious jamming.


That's not true. Again, forget jamming for a little bit. You can build a jammer with any random spark gap transmitter. The novel attacks are ones where a Flipper Zero can send an iPhone 1,000 "hey, I'm an Apple TV, wanna hang out?" messages in a row and the phone acts on each of them. Even if you space those messages out so that they only take a tiny percent of available throughput, the phone's response to the messages will still make it unusable.

Because such a flood is now easy to trigger, phones now implement rate limiting that effectively mitigates the attacks. After all, you're not legitimately going to see 1,000 Apple TVs trying to connect at once, so there's no need to give each one of them personal attention.
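The comment above describes the mitigation in one sentence: a phone does not need to give every advertisement its own prompt, because 1,000 distinct accessories never legitimately show up at once. The block below is an added example, not code from any commenter and not how any phone vendor actually implements this. It models the gating decision a receiver makes before an advertisement reaches user-visible UI, runs it over constructed traffic (one real accessory advertising once a second, plus a flood of spoofed advertisements with randomised addresses and rotating names), and reports what still gets through. The payload strings and addresses are made up placeholders, not real BLE advertising data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    t: float       # receive time in seconds
    addr: str      # advertiser address; BLE peers normally randomise this, so it is a weak key
    payload: bytes # constructed placeholder for the advertising data that would trigger a prompt


class PromptRateLimiter:
    """Gate advertisements before they turn into prompts. Two rules:

    1. An identical payload seen again within `dedupe_window` seconds gets no new prompt,
       so one accessory advertising every second produces one prompt, not sixty a minute.
    2. No more than `max_prompts` prompts in any `burst_window` seconds, regardless of
       address or payload, so rotating names and addresses does not defeat rule 1.

    Keyed on payload rather than address on purpose: a spoofing tool changes addresses freely.
    """

    def __init__(self, dedupe_window=30.0, max_prompts=3, burst_window=10.0):
        self.dedupe_window = dedupe_window
        self.max_prompts = max_prompts
        self.burst_window = burst_window
        self._last_prompt_for = {}      # payload -> time of the last prompt it caused
        self._prompt_times = deque()    # times of every prompt issued, oldest first

    def should_prompt(self, adv: Advertisement) -> bool:
        last = self._last_prompt_for.get(adv.payload)
        if last is not None and adv.t - last < self.dedupe_window:
            return False                                   # rule 1: duplicate
        while self._prompt_times and adv.t - self._prompt_times[0] >= self.burst_window:
            self._prompt_times.popleft()                   # expire prompts outside the window
        if len(self._prompt_times) >= self.max_prompts:
            return False                                   # rule 2: burst budget exhausted
        self._last_prompt_for[adv.payload] = adv.t
        self._prompt_times.append(adv.t)
        return True


def constructed_traffic():
    """Constructed sample: 20 s of one legitimate accessory plus a 4 s flood of 1,000 spoofed
    advertisements using fresh addresses and 50 rotating names, interleaved by time."""
    events = [Advertisement(t=float(i), addr="aa:bb:cc:00:00:01", payload=b"PAIR:LivingRoomTV")
              for i in range(20)]
    for i in range(1000):
        events.append(Advertisement(
            t=5.0 + i * 0.004,
            addr=f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}",
            payload=f"PAIR:Spoofed{i % 50}".encode(),
        ))
    events.sort(key=lambda a: a.t)      # stable sort keeps the legitimate packet first on ties
    return events


def run(events, limiter=None):
    """Feed events through the gate; return the advertisements that would become prompts."""
    limiter = limiter or PromptRateLimiter()
    return [adv for adv in events if limiter.should_prompt(adv)]


if __name__ == "__main__":
    events = constructed_traffic()
    shown = run(events)
    print(f"{len(events)} advertisements, {len(shown)} prompts, {len(events) - len(shown)} suppressed")
    for adv in shown:
        print(f"  t={adv.t:7.3f} {adv.addr} {adv.payload.decode()}")
```

With the defaults, the 1,020 constructed advertisements produce 3 prompts: the real accessory's first one and two from the flood before the burst budget runs out. The remaining 1,017 are dropped without any UI work, which is the point. The trade-off the comment does not mention is visible here too: while a flood is running, a new legitimate accessory cannot get a prompt either, so the limiter converts an attack that made the phone unusable into one that merely delays pairing.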


Do you also dislike say the Arduino or the Raspberry Pi which popularized SBCs/microcontrollers, as they can be used for nefarious tasks? What about Bell Labs, without whom none of these issues would have occurred?

Technology will always develop, it's important to plan and regulate it, sure, but bans need to be extremely carefully thought out to enforce well.


Even the smallest amount of friction to acquiring a device like this (e.g. you have to build your own and flash your own firmware) would prevent basically all the attacks we see on the news with a Flipper. "Script kiddies", by definition, are buying pre-made, turnkey devices and lack the ability to build their own.


This is a really expensive device in Canada, and you do have to flash the firmware if you want access to the more harmful capabilities.

The people stealing cars are an international organized group that have managed to exploit holes in the federal government, the railroad companies, and the ports. The way they are stealing these cars is outside of the capabilities of a stock flipper, and requires custom hardware.

Banning the flipper is going to do precisely nothing to increase the friction on the problem they are trying to solve.


The problem they are trying to solve is the perception they aren't doing anything to stop organized car theft.

Banning the Flipper is a minimal effort way to minimize it as an election issue.


If people are stealing cars with a Flipper, banning it seems like more than a token gesture


The major ports (Montréal and Vancouver) are controlled by organized crime. But those people are scary (and/or well-connected). Much easier to go after hobbyists.

Sport shooters can insert a certain James Franco meme here.


If you choose, as Flipper Zero has, to market your device as a tool for "pentesting radio protocols, access control systems, hardware", I think you have some responsibility to mitigate the obvious and trivially foreseeable consequence of people using it to just outright penetrate those things.


That's fair, I wasn't aware that was how they advertised it. I would hope they use more responsible advertising, however I still don't think it deserves to be banned.


How do the developers of Kali Linux mitigate against black hats? They don't. It's impossible.


They don't, for example, make posts on the front page of their public website (https://flipperzero.one/) about specific technologies such as key cards which are subject to easy exploitation.


I'd be more forgiving of the device if it had practical utility beyond "fucking up other people's shit". For me it's in the same category as stink bombs, glitter bombs, and vuvuzelas.


I use mine as a handy NFC reader/writer, and for emulating a handful of badges and key fobs so I don't have to carry them all around with me.

So are you more forgiving of it now?


I use mine to open my own garage door and I use the GPIO pins to check if some of my I2C devices on my breadboards are using the correct address they are supposed to be using.


Does this mean your garage door doesn't have rolling codes, or does it mean that you know how to make the flipper work with that?


Presumably since they have access to their own garage door the Flipper can be synced as a new remote without any "hacking" or brute forcing rolling codes.
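Two threads above touch the same design point: the earlier comment that RF communication can be built so that spoofing is hard even though jamming is not, and this exchange about whether syncing a Flipper to your own garage door requires beating rolling codes or just pairing it as a new remote. The block below is an added illustration, not any commenter's code and not a reimplementation of any real garage door or car key protocol. It shows a minimal rolling-code scheme: each remote holds a secret key and a counter, every press is authenticated with an HMAC over the remote ID, counter and button, and the receiver accepts a frame only if the tag verifies and the counter has moved forward by at most a small window. A new remote (or a Flipper emulating one) is added through the receiver's learn mode, which here is modelled as the owner handing the receiver the remote's key directly; how that key transfer happens out of band is an assumption of the example, not a claim about any product.

```python
import hashlib
import hmac
import os
import struct

HEADER_FMT = ">IIB"        # remote_id (4 bytes), counter (4 bytes), button (1 byte)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 8                # truncated HMAC-SHA256; 64 bits is plenty against on-air guessing


class Remote:
    """Transmitter side: a per-remote secret plus a monotonically increasing counter."""

    def __init__(self, remote_id: int, key: bytes = None):
        self.remote_id = remote_id
        self.key = key if key is not None else os.urandom(16)
        self.counter = 0

    def press(self, button: int = 1) -> bytes:
        self.counter += 1
        header = struct.pack(HEADER_FMT, self.remote_id, self.counter, button)
        tag = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        return header + tag


class Receiver:
    """Garage door side: keeps (key, last accepted counter) for every paired remote."""

    WINDOW = 16   # presses the remote may make out of range before it must be re-synced

    def __init__(self):
        self.paired = {}   # remote_id -> (key, last_counter)

    def learn(self, remote: Remote):
        """Learn mode: the owner, holding the remote, pairs it. Key transfer is assumed to
        happen out of band (physical access), which is what makes this different from
        an attacker recording traffic from the street."""
        self.paired[remote.remote_id] = (remote.key, remote.counter)

    def receive(self, frame: bytes) -> str:
        if len(frame) != HEADER_LEN + TAG_LEN:
            return "malformed"
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        remote_id, counter, button = struct.unpack(HEADER_FMT, header)
        entry = self.paired.get(remote_id)
        if entry is None:
            return "unknown remote"
        key, last = entry
        expected = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad tag"                 # forged or tampered frame
        if counter <= last:
            return "replay"                  # recorded earlier and re-sent
        if counter - last > self.WINDOW:
            return "out of window"           # too far ahead; needs re-sync
        self.paired[remote_id] = (key, counter)
        return f"open:{button}"


def demo():
    """Walk through the cases a practitioner cares about; returns the receiver's verdicts."""
    door = Receiver()
    owner = Remote(remote_id=0x1001)
    door.learn(owner)
    verdicts = []

    frame = owner.press()
    verdicts.append(door.receive(frame))                     # genuine press

    verdicts.append(door.receive(frame))                     # same frame captured and replayed

    tampered = bytearray(frame)
    tampered[HEADER_LEN - 1] ^= 0x01                         # flip the button byte, keep the tag
    verdicts.append(door.receive(bytes(tampered)))           # tag no longer verifies

    flipper = Remote(remote_id=0x2002)                       # a second remote, e.g. a Flipper
    verdicts.append(door.receive(flipper.press()))           # not paired yet

    door.learn(flipper)                                      # owner uses learn mode
    verdicts.append(door.receive(flipper.press()))           # now accepted like any remote

    for _ in range(20):
        flipper.press()                                      # pressed out of range 20 times
    verdicts.append(door.receive(flipper.press()))           # counter jumped past WINDOW
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Nothing here stops a jammer, which matches the earlier point that denial is always available to whoever is loudest. What it does stop is the cheap attack: a recorded frame is rejected as a replay, a modified frame fails the tag check, and an unpaired transmitter is ignored no matter how many frames it sends. The window check is the usual compromise between tolerating presses made out of range and limiting how far an attacker who captured one frame could hope to guess ahead.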


It's also a pretty useful device if you are into electronics. Or need backups of your access cards. Or of your silly garage key fobs. There are many great uses of this thing. I'm also annoyed by the script kiddies, but I do like the device. A lot.


Script kiddies aren't new, they will always be around regardless of the tools. The response is build better tools to mitigate their rudimentary attacks.


That works OK if you can deploy through the net. But many devices are not net connected (e.g. garage door openers) and we've seen the many problems with trying to make every electrical appliance net connected - surveillance, data leaks, remote shutdowns, device bricking when the IP connectivity goes down. Technology shouldn't force consumers into endless upgrade cycles in the name of better security.


I don't think it is limited to skiddie use, it's a nice hardware platform that is pretty easy to write for. I've gotten my kabuki desuicide pretty much functional on it. It's already FCC'd, has a BMS and lots of other things that are a pain to get right.

There is something about lowering the bar to disruption, and the possibility of this causing a bit of a reckoning for devices that don't do a good job of "Accepting any interference received"


Why not hate the cell phone manufacturers for not making secure devices?


Part of the problem is that the design feels somewhat toy-like with the bright plastic etc. This makes using it feel like a game, and masks the seriousness of potential consequences. Some people have implanted insulin pumps and other medical devices controlled over bluetooth, and a flipper zero user may have no concept of this.


That last bit is absolutely infuriating. Medical device manufacturers are cranking out insecure devices that rely on security through obscurity. No, I don't think people should be using Flipper Zeros to hack someone else's insulin pump. It's also unforgivable that someone should make an insulin pump that another can hack with a Flipper Zero.

I use netcat for legitimate things every day. If someone made an IP server that I could hack with netcat, they should be ashamed of themselves. It's not netcat's fault that their security sucks. Well, same with Flipper Zero.


> "medical devices controlled over bluetooth, and a flipper zero user may have no concept of this."

And they would if it were not in a "bright plastic case"?


Making RF tinkering more accessible is a great way to get actual kids into tech and learning about how stuff works.


> People use them to essentially DDOS cell phones with BLE connection requests.

That's one of the situations where I'd feel justified in taking a device and stomping it to bits, and I'd support anyone else doing the same.

If anyone does encounter this in the wild with Apple devices, first, install your damn updates because I'm pretty positive this is now blocked, but in the meantime turn on Lockdown mode to keep this from interfering with you.


You might feel justified, but courts would likely disagree.

Apropos of anything else, the FCC regs around the 2.4GHz spectrum are pretty explicit, "Part 15 devices ... must accept any interference that may be received". In their eyes, the device that is flawed is the phone, not the Flipper.


I've been at a conference where someone decided doing this would be amusing. I'm pretty positive there would have been widespread support for addressing the issue with a little property destruction, with the alternative being "Congratulations, you've shown you can't play nicely. Your admission to the conference is revoked, you're blacklisted from our future conferences, and we'll let the organizers of other local conferences know your name and why you're banned from our conference so they'll be forewarned."

As for courts, if this hadn't already been resolved (at least on iOS) I wonder if you could request that jurors and the judge turn their phones on for a demonstration. Given the state of Android updates in the general public, it'd probably still be effective on a significant percentage of people.


I believe there's equivalent language (even for licensed uses) about not causing interference, so probably the Flipper and the phone are doing poorly here.


My understanding, entirely possible that it is incorrect, is that the "not causing interference" is to "authorized services", i.e. specifically licensed frequencies and users/devices, not other users of those "free-for-all" spectrums. But I may well be wrong, in which case I would agree with you.


Agreed. I get why folks on this site repeat the mantra that it's shedding light on insecure hardware, and of course that's true. But civilization depends not on ironclad laws and politics, but on good faith actions. An unhackable society would be a pretty miserable one.


Buddy, I'm from Ukraine and drone jammer and drone early warning schematics are basically public knowledge at this point. Drones mostly use the same sub-1 GHz bands, 2.4 GHz bands and 5 GHz bands that other consumer electronics also use. You can't put this genie back into the bottle. Both radio- and cyberwarfare are here to stay. Y'all just don't know it yet.

After the war there are going to exist a whole bunch of people who know how to deny GPS, defend against drones, build attack drones that bypass primitive countermeasures, spoof mobile networks, monitor the RF space for unencrypted signals, and set up actually secure comms. And not all of them are going to remain completely silent about all of this. Toys like Flipper are going to be the least problematic. Banning it achieves nothing.


This. I saw an anecdotal Reddit post about a guy DDoSing cell phones in a restaurant and showing off to his table. These kinds of devices attract the worst people.


These devices attract the very kind of people who cause them to get banned. Sure the device is fine, but not the assholes who want them to fuck with other people.


People are already driving around with fake base stations sending scam SMS impersonating legit senders.


Agreed. If people could do it before then why weren't they?


I’m running this in the coffee shop now in honor of this comment


It's OK. We hate your apple devices too.

BTW, wanna connect to the Apple TV? :D



