Sunday, November 20, 2022

Detecting Flipper Zeros for Fun and Profit

Flipper Zero Packaging
For those not familiar, Flipper Zero is a "Multi-tool Device for Geeks", with capabilities including a sub-GHz transceiver, the ability to read, write and emulate RFID and NFC access cards, a fully programmable infrared remote control, Bluetooth connectivity, and even hardware exploration through GPIO.

After what seemed like forever (thanks US Customs), I finally received my Flipper Zero and I absolutely love it. However, I'm sure there are many organizations out there absolutely terrified that someone might use one for nefarious purposes - and rightfully so given some of the TikTok videos where people use brute force attacks to gain access to restricted buildings. Spoiler Alert: Most of those videos are actually fake.

So, I started looking at my Flipper a little more in depth, and thought about how we could develop methods to detect a Flipper Zero when it enters your environment.

Well, it seems that the Flipper uses Bluetooth Low Energy (BLE) to communicate with your phone, allowing you to program and even control the Flipper remotely. Fortunately, all Flippers come from the factory with a default name "Flipper <random>".

So the easiest and quickest way of detecting Flipper Zero, since most people will keep BLE enabled, is to scan for Flipper BLE devices.
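As an added example (not the Thunkable app from this post), here is a small Python routine that does the same name-based check over raw BLE advertising payloads: it walks the AD structures of each advertisement, pulls out the Complete or Shortened Local Name, and flags anything matching the factory default "Flipper <random>". The MAC addresses, names and payloads are constructed sample scan records, and the renamed-device case shows the limitation discussed later in the post.

```python
"""Name-based Flipper Zero detection over raw BLE advertising payloads.

Added example, not the post's app. Parses BLE AD structures, extracts
the local name and matches the factory default "Flipper <random>".
"""
import re

AD_SHORT_NAME = 0x08     # Shortened Local Name
AD_COMPLETE_NAME = 0x09  # Complete Local Name

# Assumption: only "Flipper " followed by a single token is checked; the
# exact length of the factory suffix is not relied on.
FLIPPER_NAME = re.compile(r"^Flipper \S+$")


def parse_ad_structures(payload: bytes) -> dict:
    """Split an advertising payload into {ad_type: data}.
    Each structure is: length, AD type, (length-1) data bytes.
    Zero-length padding or a truncated structure ends parsing."""
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        out[payload[i + 1]] = payload[i + 2 : i + 1 + length]
        i += 1 + length
    return out


def local_name(payload: bytes):
    """Return the advertised name (complete preferred), or None."""
    ads = parse_ad_structures(payload)
    raw = ads.get(AD_COMPLETE_NAME) or ads.get(AD_SHORT_NAME)
    return None if raw is None else raw.decode("utf-8", errors="replace")


def is_flipper_name(name) -> bool:
    return bool(name) and FLIPPER_NAME.match(name) is not None


def find_flippers(scan_results):
    """scan_results: iterable of (mac, payload). Returns [(mac, name)]."""
    return [(mac, n) for mac, p in scan_results
            if is_flipper_name(n := local_name(p))]


def _adv(name: bytes, ad_type: int = AD_COMPLETE_NAME) -> bytes:
    """Build a constructed advertisement: Flags AD + a name AD."""
    return bytes([0x02, 0x01, 0x06, len(name) + 1, ad_type]) + name


SAMPLE_SCAN = [  # constructed records; MACs and names are made up
    ("AA:BB:CC:00:00:01", _adv(b"Flipper Hurikus")),
    ("AA:BB:CC:00:00:02", _adv(b"Galaxy Buds")),
    ("AA:BB:CC:00:00:03", _adv(b"Flipper Zorg", AD_SHORT_NAME)),
    ("AA:BB:CC:00:00:04", _adv(b"MyRenamedDevice")),  # renamed: missed
    ("AA:BB:CC:00:00:05", bytes([0x02, 0x01, 0x06])),  # no name AD
]

if __name__ == "__main__":
    for mac, name in find_flippers(SAMPLE_SCAN):
        print(f"possible Flipper Zero: {mac} ({name})")
```

Feeding real scan results in means replacing SAMPLE_SCAN with (address, raw advertising bytes) pairs from whatever BLE scanner you use.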

So using the free Android app creator Thunkable, I created a basic proof of concept app that does just that.

The app is available on Thunkable's public app gallery. Please feel free to take the methods used in the app to expand its detection capabilities, such as searching for BLE device ID signatures, etc. I won't be publishing this to Google Play as it's a very basic proof of concept, but if you develop it into something more full-featured, please feel free! If you'd just like to play around with the app (which is probably still buggy), my latest version is here.

Of course, this doesn't actually fix any of the security flaws which are revealed by Flipper Zero, so organizations would do well to focus on that, instead of trying to detect the Flipper. It also doesn't detect Flipper Zero if the Flipper has custom firmware and has been renamed, or if the Flipper's Bluetooth has been disabled. Nevertheless, it's a fun little proof of concept project, and works to highlight how Flipper Zero can be detected in the wild.

Ken is a Cyber Security professional with over 15 years experience. The opinions expressed in this article are his own, and do not reflect those of his employer or clients.
