My name is Michael Kozlowski, and I’m a graduate student of Cybersecurity here at Canisius University. This is the first in a series of blog posts examining the different ways in which the Flipper Zero can be used as a tool for penetration testing, primarily via repeat attacks on several types of wireless signals and with its Bad USB capabilities. I’ll also explain some ways you can defend against these attacks, and whether major security frameworks such as NIST have any standards for defending against them. This first post examines the Flipper Zero as a tool to listen for RFID signals and repeat them; the signal I’ll be attempting this on comes from a key fob used for access into a secured area of a building.

Figure: The Flipper Zero’s main menu.

Setting up the Flipper Zero to read an RFID signal is extremely simple! Press the center button to enter the main menu, and scroll down to “125 kHz RFID”. Select “Read”, and it will attempt to read from a nearby signal. Place the Flipper Zero on the key fob and it will read the signal being transmitted. You then have an opportunity to name the signal whatever you wish; I stuck with the default “Remote_entry” name for my example. You are now set up to have your Flipper Zero act as a second key fob! To repeat the stored signal, go back to the “125 kHz RFID” menu and select “Saved”. Then select the signal you wish to repeat, and tap the Flipper Zero onto the RFID reader by the secured door and it should open without any issue. 

Figure: Selecting a saved RFID signal to repeat.
Green means go! The RFID reader accepted the repeated signal from the Flipper Zero and granted access.

For this type of RFID reader set-up, there are not many ways to defend against this type of attack. So, the best defense comes in the form of securing the key fob as much as possible. If the key fob is a flat card, consider storing it in an RFID blocking wallet when not in use. If it’s a fob attached to a set of keys, then make sure you are securing your keys at all times, and avoid leaving them dangling out of your pocket. The Flipper Zero needs to be within about an inch of the surface of the key fob to read the signal, or at least that was the case with my sample. So, keeping your keys in a front pocket rather than a back pocket, where a threat actor could attempt to scan the signal without your knowledge, would be ideal.

Other use cases of RFID, such as key fobs for vehicles, have additional security built in that is not as commonly seen in secure door access RFID systems. Vehicle key fobs which grant access by holding the keys up to the door, as in Tesla vehicles, can be captured and repeated, but the captured signal can only be used once. This is due to a rolling code system. Rolling codes are a scheme in which the key is modified in some way before being used, and it is modified again each time a code is used. For example, if the key is a long hexadecimal number, it may be offset by a set amount, so that a number is added to the key each time it is used. The car keeps track of this as well, so if you use a Flipper Zero to read this signal, it will only work once. Plus, if the original key is used at all between when it is read and when the Flipper Zero attempts to use that signal, it will not work. On top of all of that, once you gain access to the vehicle, you will need to use the key again for the push-to-start system, which will not work because the key has been offset again. While this does add security, it does not make the system impossible to crack.
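To make the receiver-side logic concrete, here is an added simulation (not code from the original post, and not any vehicle maker’s implementation) of a counter-based rolling code. It goes slightly beyond the additive-offset illustration above: the transmitted code is derived from a shared secret and a press counter with a keyed hash, which is an assumption standing in for whatever proprietary cipher a real fob uses, and the receiver is given an accept window of 16 counters so that a fob pressed out of range can resync. The scenarios reproduce the three behaviours described above: a captured code works at most once, it fails if the real fob was used in between, and a fresh code is needed for every subsequent action.

```python
from __future__ import annotations
import hmac
import hashlib

# Constructed demo secret; a real fob/receiver pair shares its own key.
SHARED_KEY = b"demo-fob-secret-not-real"
# How far ahead of the last accepted counter the receiver will search (resync tolerance).
# Assumed value for the demo; real systems pick their own.
ACCEPT_WINDOW = 16


def rolling_code(key: bytes, counter: int) -> str:
    """One-time code for a given counter value.
    Assumption: HMAC-SHA256 over the counter stands in for a real fob's cipher;
    the post's 'add an offset each press' example is the simplest form of this idea."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:8]


class Fob:
    """Transmitter side: shared key plus a counter that advances on every press."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> str:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    """Vehicle/door side: remembers the highest counter it has accepted."""

    def __init__(self, key: bytes, window: int = ACCEPT_WINDOW) -> None:
        self.key = key
        self.window = window
        self.last_counter = 0

    def unlock(self, code: str) -> bool:
        # Only counters strictly ahead of the last accepted one, and within the
        # window, are valid. Anything at or below last_counter is a replay.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.last_counter = c
                return True
        return False


def scenario_replay_once() -> tuple[bool, bool]:
    """A recorded code is accepted the first time the car hears it, then never again."""
    fob, car = Fob(SHARED_KEY), Receiver(SHARED_KEY)
    captured = fob.press()          # press happened out of the car's range; recorded by a third party
    first = car.unlock(captured)    # True: counter 1 not yet consumed
    second = car.unlock(captured)   # False: counter 1 is now <= last_counter
    return first, second


def scenario_owner_used_fob_in_between() -> bool:
    """If the real fob is used after the capture, the captured code is already stale."""
    fob, car = Fob(SHARED_KEY), Receiver(SHARED_KEY)
    captured = fob.press()          # counter 1 recorded, never heard by the car
    car.unlock(fob.press())         # owner unlocks normally with counter 2
    return car.unlock(captured)     # False: counter 1 is behind last_counter


def scenario_resync_window() -> tuple[bool, bool]:
    """Drift inside the window resyncs; drift past it is rejected (fob must be re-paired)."""
    fob, car = Fob(SHARED_KEY), Receiver(SHARED_KEY)
    for _ in range(ACCEPT_WINDOW - 1):
        fob.press()                 # presses out of range: counter drifts ahead
    within = car.unlock(fob.press())    # counter 16 lies inside 1..16 -> True
    fob2, car2 = Fob(SHARED_KEY), Receiver(SHARED_KEY)
    for _ in range(ACCEPT_WINDOW):
        fob2.press()
    beyond = car2.unlock(fob2.press())  # counter 17 lies outside 1..16 -> False
    return within, beyond


if __name__ == "__main__":
    print("replay works once, then fails:", scenario_replay_once())
    print("replay after owner used fob:", scenario_owner_used_fob_in_between())
    print("resync inside/outside window:", scenario_resync_window())
```

The window is the design trade-off worth noticing: it is what lets a fob that was pressed in a pocket keep working, but it also bounds how many counters a receiver will search, so a very stale fob has to be re-paired rather than silently accepted.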

First, this still allows a threat actor to gain access to your vehicle, which is a problem in itself, even if they don’t have the ability to steal the vehicle afterwards. Second, rolling codes are not impossible to crack. Rolling codes are also used in many garage door openers, but the offset of those keys is generally documented and known, so it’s simple to write a script that adds the offset to the key each time before it is used. If the threat actor is able to identify what the key needs to be offset by each time it is used for the specific car they are trying to gain access to, rolling codes can be defeated. This will be featured in a future post, as I attempt to beat the rolling code security system of a garage door opener.

NIST details several ways to secure RFID systems, including technical, operational, and managerial controls. A lot of what is said there is essential to securing RFID systems for organizations that wish to implement them, but in terms of actually protecting an individual’s tag from being read, there’s not a lot. The main security feature on the list that would directly prevent an attack like this is an RFID tag with a “Press-To-Activate” switch, which keeps the tag from transmitting until a button is pressed. Of course, someone could still use the Flipper Zero if they gained physical access to your tag, but this prevents any situation where someone could read the signal through your pocket or when you briefly look away. That, plus the RFID shielding I mentioned above, appear to be the primary ways to secure your key fob.

This table breaks down technical, operational, and managerial controls to secure RFID systems.
Credit: NIST, Tom Karygiannis, Bernard Eydt, Greg Barber, Lynn Bunn, Ted Phillips

I hope you enjoyed reading this first entry of this blog series! The next post will cover the Flipper Zero’s NFC reading features, and how it is able to read credit card data in much the same easy and straightforward way that it reads RFID data.