
Controversy Surrounds Flipper Zero Amid Car Theft Concerns

In the midst of rising concerns over car thefts in Canada, the Flipper Zero, a popular device known for its penetration-testing capabilities, has found itself at the centre of a heated debate. Canadian officials have proposed a ban on the device, blaming it for a surge in car thefts because of its alleged ability to mimic the wireless signals used for remote keyless entry. However, the creators of Flipper Zero vehemently deny these claims, stating that they are being unfairly scapegoated for the country's car theft problem.

In a recent statement published on their website, the developers of Flipper Zero argue against the proposed ban, asserting that it would hinder technological progress and fail to address the underlying issue of car theft. They emphasise the importance of fixing vulnerabilities in security systems rather than restricting cybersecurity tools. Additionally, they highlight the limitations of Flipper Zero compared to specialised tools designed for breaking into keyless car systems, such as signal repeaters.

Alex Kulagin, the COO of Flipper Devices, has reiterated that the device cannot be used to hijack cars. He points out that signal repeaters, readily available online, pose a greater threat as they intercept signals from car key fobs, enabling remote entry and activation of vehicles. Contrary to claims made by Canadian officials, Flipper Zero lacks the computing power required for such exploits, making it a less practical choice for car thieves.

The controversy surrounding Flipper Zero has drawn attention from both technical and non-technical communities. Automotive locksmiths, such as [Surlydirtbag], have debunked the notion that Flipper Zero can be used against keyless entry systems. They emphasise that RF relay attacks, which relay the signal of the genuine key, have been prevalent for years. While Flipper Zero may be capable of cloning the RFID chips in some older vehicles, it is ineffective against modern immobilisers, diminishing its appeal to car thieves.

Despite assurances from the Flipper Zero developers and automotive experts, Canadian officials remain steadfast in their pursuit of banning devices used for vehicle theft. François-Philippe Champagne, the Canadian Minister of Innovation, Science and Industry, has vowed to outlaw Flipper Zero, citing concerns over its potential misuse. However, critics argue that such measures overlook the root causes of car theft and fail to address broader security issues within the automotive industry.

As the debate continues, there are calls for a more nuanced approach to addressing car theft, including greater collaboration between government regulators and industry stakeholders. Proponents of cybersecurity advocate for proactive measures to improve security standards rather than reactive bans on specific devices. Ultimately, the outcome of this controversy will have implications not only for the future of Flipper Zero but also for the broader discourse surrounding cybersecurity and technological innovation.


Xtreme: Flipper Zero can Spam Android, Windows Devices with Bluetooth Alerts


Xtreme, a custom Flipper Zero firmware, has recently introduced a new feature to conduct Bluetooth spam attacks on Windows and Android devices.

The technique was first demonstrated by a security researcher against Apple iOS devices, which encouraged others to test its possible effects on other systems.

The underlying idea behind the spam is to use Flipper Zero's wireless communication capabilities to broadcast fake Bluetooth advertising packets that devices within range interpret as pairing and connection requests.

These kinds of spam attacks are challenging for the victims because the recipient cannot tell whether the advertising device is legitimate or fake. Spam attacks also degrade the user experience by constantly displaying notifications and pop-ups on the targeted device.

Xtreme Adds ‘Bluetooth Spam’

Earlier this month, Flipper Xtreme revealed on its Discord channel that “spam attacks” will be included in the upcoming major firmware release. 

The Xtreme team also released a demonstration video showing a denial of service (DoS) attack on a Samsung Galaxy mobile, in which the device becomes unusable due to an incessant stream of connection alerts.

While this latest firmware version has not yet reached a stable release, the "spam attack" has been included in the most recent development build through a new program called 'BLE Spam,' which can be found on GitHub.

A YouTuber called ‘Talking Sasquach,’ after running a trial of the dev firmware image on his Flipper Zero, revealed that the attack functions as anticipated on both Windows and Android.

Currently, the BLE Spam app gives users eight flood attack options, which include:

  • Every method combined
  • iOS 17 Lockup Crash
  • Apple Action Modal
  • Apple Device popup
  • Android device pair
  • Windows Device Found

Any of these options can lead Flipper Zero to start broadcasting the corresponding Bluetooth packets, causing nearby devices to display connectivity prompts and notifications.
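From a defender's side, the behaviour described above (one advertising payload replayed at high rate, usually from rotating random addresses) is easy to spot in a Bluetooth capture. The following is an added example, not code from the post or from the Xtreme/BLE Spam projects; the log format, company IDs and payload bytes are constructed placeholders.

```python
"""Flag a BLE advertising flood of the kind described above.

Input lines are constructed here as: "<seconds> <advertiser-addr> <company-id-hex> <payload-hex>".
A spam tool replays one payload many times per second, typically from rotating random
addresses, whereas a genuine accessory beacons slowly from one stable address.
"""
from collections import defaultdict


def parse_line(line):
    ts, addr, company, payload = line.split()
    return float(ts), addr.lower(), company.lower(), payload.lower()


def find_floods(lines, window=2.0, threshold=15):
    """Return [(company, payload, peak_count, distinct_addrs)] for every
    payload fingerprint seen more than `threshold` times in any `window` seconds."""
    seen = defaultdict(list)  # (company, payload) -> [(ts, addr), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, addr, company, payload = parse_line(line)
        seen[(company, payload)].append((ts, addr))
    floods = []
    for (company, payload), events in seen.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):          # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods.append((company, payload, peak, len({a for _, a in events})))
    return floods


def constructed_log():
    """Constructed sample: one genuine beacon (30 s, one address, company ID 0xFFFF
    which the Bluetooth SIG reserves for testing) plus a burst of 40 identical
    proximity-pairing style advertisements from 40 addresses inside 2 s (placeholder
    company ID 0xEEEE)."""
    lines = [f"{t:.2f} aa:bb:cc:00:00:01 ffff 0201061aff" for t in range(30)]
    for i in range(40):
        lines.append(f"{10 + i * 0.05:.2f} 02:00:00:00:00:{i:02x} eeee 1eff0c")
    return lines


if __name__ == "__main__":
    for company, payload, peak, n_addr in find_floods(constructed_log()):
        print(f"flood: company={company} payload={payload} peak={peak}/2s addrs={n_addr}")
```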

How to Block These Spam Attacks

These spam attacks are more of a nuisance to users than a real threat. However, because BLE Spam lets its users craft personalised notifications, the spam can become more crafty and cunning, contributing to social engineering and other threat scenarios.

These Flipper Zero attacks may cause issues because Android 14 and Windows 11 devices by default display notifications on Bluetooth connection requests. Fortunately, blocking these messages on both systems is easy.

Even so, users need not worry about these rogue broadcasts, since they cannot directly damage recipients' devices or execute code on them. Users are advised to learn how to stop the notifications so that, in the event of ongoing pranking, they do not waste time or aggravate themselves.

Phishing Campaign Uses Flipper Zero to Steal Crypto and Sensitive Data Worldwide


What is the Flipper Zero campaign?

Experts have found a new phishing campaign that targets cybersecurity professionals and hacking enthusiasts. The campaign steals cryptocurrency and the personal information of victims. 

Flipper Zero is at the centre of the attack. It is a portable multi-tool for pentesters, cybersecurity experts, and hackers, used to explore access control systems, radio protocols, RFID, NFC, Bluetooth, and more.

The tool began as a big-hit Kickstarter project but met with various obstacles. The result? Demand outstripped supply, giving cybercriminals a big opportunity. Today, experts are noticing various fake online stores that sell Flipper Zero and fake Twitter profiles promoting the stores. One such account uses typosquatting to fool people by cleverly replacing one letter in the spelling: the lowercase "l" in Flipper is swapped for an uppercase "I", which looks identical in many fonts. Such accounts are currently very active, providing immediate responses to customer queries.
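The "l" to "I" swap above is a classic confusable-character typosquat, and a brand-protection team can catch it by folding handles to a common skeleton before comparing them. This is an added example, not from the post or from Flipper Devices; the handle list and the confusable map are constructed for illustration.

```python
"""Spot look-alike account handles built from confusable characters.

The confusable map is deliberately minimal and illustrative; a production check
would use a fuller table (e.g. Unicode TR39 confusables) and a review step for
handles that legitimately contain digits.
"""
import unicodedata

# Characters that render alike in many sans-serif fonts. Applied before lower():
# uppercase "I" must fold to "l" while it is still distinguishable from "i".
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})


def skeleton(name):
    """Fold a handle to what a reader sees at a glance: drop accents and ligatures
    (NFKD), map confusables to one form, lower-case, drop punctuation."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = folded.translate(CONFUSABLES).lower()
    folded = folded.replace("rn", "m").replace("vv", "w")  # multi-char confusables
    return "".join(c for c in folded if c.isalnum())


def lookalikes(official, candidates):
    """Return candidates that differ from the official handle but fold to the
    same skeleton, i.e. would pass for it at a glance."""
    target = skeleton(official)
    return [c for c in candidates if c != official and skeleton(c) == target]


# Constructed handles: the official one, three typosquats (capital I, digit 1,
# digit 0), a ligature "fl" (U+FB02) variant, and two benign unrelated names.
CONSTRUCTED_HANDLES = [
    "flipper_zero", "fIipper_zero", "f1ipper.zero", "flipperzer0",
    "\ufb02ipper_zero", "flipper_devices", "flipper-zero-shop",
]

if __name__ == "__main__":
    for handle in lookalikes("flipper_zero", CONSTRUCTED_HANDLES):
        print(f"look-alike: {handle!r} -> {skeleton(handle)}")
```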

Stealing crypto and data via Flipper Zero

People who fall for this trap are eventually redirected to a phishing checkout page, where they are asked to submit a lot of sensitive data: email address, name, and residential address. Additionally, there is only one way to pay on these pages: cryptocurrency (bitcoin or ether).

But the experts say that the wallets displayed on the fake shops are empty, which can only mean one of two things: either the scammers keep changing their addresses to avoid being tracked, or no one has actually fallen for the trick.

The company is struggling to battle this campaign, as it has now reached Instagram as well. The company tweeted: “Dear @Instagram and @InstagramComms, there are hundreds of fake and scam accounts imitating our official Flipper Zero Instagram account. These fraudulent accounts try to fool people and steal money. We can't report them because we are rejected to have a verified blue check mark.” 

What next for Flipper Zero?

The Flipper Zero Kickstarter campaign was last active in 2020, and it was a big hit. Initially, the campaign goal was $60,000 but it received a massive amount of over $4.8 million in pledges. The first users shared their feats on social media, and it received much appreciation from the audience, which pushed the production even more. But the production hit the brakes when PayPal held $1.3 million for months. 

In September 2020, the Flipper Zero team said that PayPal decided to hold the amount without giving any reason and later suspended the company's account, compromising the entire project. In November 2020, Flipper Zero with the help of a legal team managed to get back around three-quarters of the fund ($980,000), but PayPal kept around $350,000 to "mitigate possible claims."