“The quieter you become, the more you are able to hear.”
This is the tagline associated with Kali Linux, a Linux distribution used by security researchers, penetration testers, and hackers alike. In the context of Kali and typical penetration testing, the listening usually refers to a given internal network and the insecure broadcast requests on it; however, interesting or useful traffic and signals are not limited to internal networks.
In this blog post, I am going to be exploring one potential physical security attack chain: replaying a captured signal to open a gate using a device called the Flipper Zero.
The types of signals that the Flipper Zero can capture fall into the following categories: NFC (near-field communication), RFID (radio frequency identification), infrared, Sub-GHz, and iButton. Fully explaining these signal types and their uses is beyond the scope of this article. Just know that a Flipper Zero (sometimes just called a Flipper) has many tools and can capture and replay a variety of signals easily. This blog post focuses on Sub-GHz and one potential abuse of capturing Sub-GHz signals. Namely, I set out to determine how feasible it would be to capture the Sub-GHz signal from a gate-opening key fob.
When the Flipper Zero was initially released, I and many other physical security professionals and enthusiasts were curious about how this tool could be used on physical security vulnerability assessments and covert entry assessments. For those unfamiliar, a covert entry assessment is a physical security assessment in which penetration testers try to gain access to sensitive or valuable data, equipment, or a certain location on a target site undetected. A physical security vulnerability assessment consists of an escorted walkthrough of the target site, during which a physical security professional investigates potential vulnerabilities and explains and demonstrates how an attacker would abuse a gap or weakness in the site's and company's physical security.
While I acknowledge that modified versions of the Flipper firmware exist with additional functionality and fewer restrictions, for the sake of simplicity and to better demonstrate the low barrier to entry for a potential attacker, a standard Flipper Zero was used for this experiment.
The primary goal of the experiment was to determine the viability of this physical security attack chain and the limits of its exploitability: specifically, how feasible it is to use a Flipper Zero to capture a Sub-GHz signal with limited information about the device or the frequencies in use. The basic question I aimed to answer was how feasible it would be for an attacker to capture a gate open request and replay it to gain entry to a target site. For the sake of completeness, I will acknowledge that simply tailgating into an apartment complex or corporate site is a much easier method of entry. It is also worth mentioning that different readers use different frequencies, which can affect the effective read or capture distance. For this experiment, we will imagine that the target site's gate has an aggressive timer that would prevent tailgating. In my experiment, the theoretical target reading device was a Transcore Smart Pass Reader.
After acquiring a key fob that sends a Sub-GHz signal, the first priority was determining the frequency in use. While the Flipper Zero does have a "hopping" feature, in which the device constantly switches the frequency it is listening on, for some aspects of the experiment it made much more sense to determine the relevant frequency and hard-code the Flipper to listen on it.
Arguably the biggest factor determining the feasibility of capturing Sub-GHz signals is the read range of the Flipper. If the read range were, for instance, less than 1 foot, that would significantly reduce the likelihood that an individual could covertly capture a key fob or similar device's signal.
Below are the Flipper read range results using a Sub-GHz key fob and with the relevant frequency configured:
- 5 ft – worked
- 10 ft – worked
- 15 ft – worked
- 25 ft – worked (took a few clicks of key fob)
- 35 ft – worked
- 40 ft – did not appear to work
- 50 ft – did not appear to work
Being able to capture a Sub-GHz signal 35 feet from the device sending the signal was certainly further than I expected. After determining the effective capture range for the Flipper and the key fob was 35 feet, I tried to capture the key fob signal while using the hopping feature, as a means of determining the feasibility of signal capture in the event the device frequency was unknown. During this part of the experiment, hopping at 35 feet did not successfully capture the signal. Based on my experiments, 20 feet appeared to be the maximum effective read range for Sub-GHz while using the hopping feature.
Taking a step back from the read distance of the Flipper and viewing a potential attack holistically brings the conversation back to the frequency. This is a problem that is arguably easily bypassed simply by creating a module or custom script to modify the frequency hopping behavior so that it stays on a given frequency for an hour, saves any captured signals, and then rotates to the next frequency. Running this on a Flipper left near the targeted reader overnight, or even for days on end, and then returning seems very likely to work based on the behavior I saw while testing.
The easiest option is to just run the Flipper's Frequency Analyzer tool while near the target reader. It is worth noting that, depending on the location, there may be ambient signals of varying strengths, which could make it unclear which signal was related to the target device.
Another method to find out the frequency a given reader uses is simply looking at the reader device itself. At a minimum, a device's tag will have an FCC ID, and some devices will also include the frequency on the device.
If for whatever reason a physical security penetration tester cannot reach or otherwise see a target device's tag, looking up the product online may be the best option. Enough browsing of eBay and other e-commerce sites and looking at the manufacturer's website should narrow down the relevant model of the target device.
The FCC ID can be used to look up the listening frequency, as shown below.
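As an added illustration that is not part of the original post: the helper below splits a label's FCC ID into its grantee code and product code, the two fields the FCC's equipment-authorization records are keyed on, and normalises the inconsistent ways the ID is printed on device tags. The grantee-code rule (three characters beginning with a letter for codes issued before May 2013, five characters beginning with a digit 2 through 9 since then) and the product-code limits come from the FCC's published ID format rather than from this post; the fccid.io URL layout is an assumption, and all sample IDs are constructed.

```python
import re
from dataclasses import dataclass

# Grantee-code format per the FCC's published rules (an assumption of this example,
# not something the post states): codes issued before May 2013 are three characters
# beginning with a letter; codes issued since are five characters beginning with a
# digit 2-9. The product code that follows is 1-14 letters, digits or hyphens.
_OLD_GRANTEE = re.compile(r"^[A-Z][A-Z0-9]{2}")
_NEW_GRANTEE = re.compile(r"^[2-9][A-Z0-9]{4}")
_PRODUCT = re.compile(r"^[A-Z0-9-]{1,14}$")


@dataclass(frozen=True)
class FccId:
    grantee_code: str
    product_code: str

    @property
    def full(self) -> str:
        return self.grantee_code + self.product_code

    @property
    def lookup_url(self) -> str:
        # fccid.io is a public mirror of FCC grant data; this URL layout is assumed.
        return f"https://fccid.io/{self.full}"


def normalise(label: str) -> str:
    """Strip the 'FCC ID:' prefix, spaces and case differences seen on device tags."""
    cleaned = label.strip().upper()
    cleaned = re.sub(r"^FCC\s*ID\s*[:#]?\s*", "", cleaned)
    return cleaned.replace(" ", "")


def parse_fcc_id(label: str) -> FccId:
    """Split a printed FCC ID into grantee and product codes, or raise ValueError."""
    ident = normalise(label)
    match = _NEW_GRANTEE.match(ident) or _OLD_GRANTEE.match(ident)
    if not match:
        raise ValueError(f"not a recognisable FCC ID: {label!r}")
    grantee, product = ident[: match.end()], ident[match.end():]
    if not _PRODUCT.match(product):
        raise ValueError(f"invalid product code in FCC ID: {label!r}")
    return FccId(grantee, product)


def is_valid_fcc_id(label: str) -> bool:
    """True when the label parses; useful for validating a tag read from a photo."""
    try:
        parse_fcc_id(label)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample labels, as they might be transcribed from a reader's tag.
    for sample in ("FCC ID: ABC123XYZ", "2ABCDGATE-1", "1ABCDEF"):
        if is_valid_fcc_id(sample):
            parsed = parse_fcc_id(sample)
            print(f"{sample!r}: grantee={parsed.grantee_code} "
                  f"product={parsed.product_code} -> {parsed.lookup_url}")
        else:
            print(f"{sample!r}: not a valid FCC ID")
```

Once the grantee code is known, the FCC record (and the mirror URL above) lists the operating frequency ranges the reader was certified for, which is what the author uses to pick the frequency to configure on the Flipper.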
Ultimately, aside from the potential logistical issue of determining the relevant frequency and how that may limit the viable capture range, planting or using a Flipper near a gate appears to be a very viable means of gaining entry to a target site.
If you are interested in having a physical security vulnerability assessment or covert entry assessment, please contact firstname.lastname@example.org.