Like it or not, this stuff being public and available will only work to allow people to learn the vulnerabilities of their technology so they can better secure it. The most dangerous hacking devices are the ones not known of much by the public or at all. Like the Stingray phone trackers used by police for some time before they were exposed.
@@kevinslattery5748 youtube like to shadowban comments sometimes for whatever reason. They make it so it looks like the comment went through on your end but nobody else can actually see it. That might be why it’s bugged.
@@nemod.8310 No, it's not thar crazy. What is crazy is that safe maker employing inherently unsafe tech for an application that demands high security. The safe is effectively worthless.
The efficiency of this *Deep web experts on the WEB* is next level. To juggle walk throughs of various angles on the topic delivered to-camera, different content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense access like this so digestible is really something. Awesome work *Deep web experts on the WEB* !!
Hey ppl, I'm a retired computer/IT person, Yet I still find *sentinel Recover* so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.
I was looking at this piece of tech when they stated their kickstarter. It sounded like a great idea but was really ambitious at the time. I'm glad they were able to actually bring something to market.
Stuff like this is why I'll never go for the whole "smart house" thing where everything including your damn coffee maker is a computer or connected to the net. Too many vulnerabilities too many exploits too many surveillance devices.
Having a Smarthome IS NOT the problem. Using devices that depnd on a cloud or internet connection is the problem. Everything demonstrated here is interesting, but all requireschaving relatively close proximity. The point being, a smarthome is nothing to be afraid of, but make sure that devices that only need local access for control. Not Alexa and Google Home, and know how the devices can be controlled.
@@cjramseyer I'm just sketched out by any kind of wireless devices because it means they can still be manipulated by other Wireless signals people always find a way to exploit any kind of remote connectivity even if it's not connected to the internet directly necessarily
True you could catch someone’s house on fire or rob it while they are away or worse if you think too hard about it. But I would agree that’ll not catch on with me either for the reasons you stated
I am a college teacher that teaches electricity. I bought this today and was playing around with it in class with my students. They loved it and actually really learned alot about the importance of EM frequencies.
This guy : "See that's bad idea" The lockpicking lawyer : "Here we have a demonstration of the hardest way to open this safe. Now I am going to use a fork..."
This is really useful for many things as well. I saw someone copy a card onto some of those blue tags, so they can have extra keys to their appartment building, for family and etc
I was thinking how useful it would be to have a spare set of apartment keys, or a garage key in case you ever lose or forget yours. It definitely has its uses that don't involve doing bad.
The efficiency of this *sentinel Recover* is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work *sentinel Recover* !!
I've been waiting to see more of the flipper. I tried pre-ordering one on the website and for some reason I was not able to. If it's perchable right now I would buy as many as I can. This is such a useful tool. I had a friend who had one and he let me test it out and he can bypass almost anything.
Problem with RFID blockers is a lot of them work all right until somebody puts a parking garage overhead scan unit in a laptop bag. A lot of blockers can be read straight through with such a device, it just depends on how sophisticated of an attacker you're worried about.
Would the issue there be the device in the bag's signal is too strong for the bag to contain? Man I wish I had goggles that let me see as much of the electromagnetic spectrum as possible at once.
I have an app that visualizes some radio and microwave signals and I have a thermal cam, seeing UV spectrum can be done too but I'd like to integrate it all into one view
@@zaa1414 I'm referencing a defcon presentation. I can't remember exactly who was presenting, anyways it's was made into a portable rig that they put into a laptop bag. It didn't really need a ton of power and it was set up to dump the credentials of every tag it could interrogate. It's definitely the sort of thing pen testers make. No it would be quite unpleasant to be around any sort of RF source strong enough/(at the right frequencys) to damage the materials in a laptop bag. Let me put it this way, the microwave heats things using radio waves (at about 2.4 GHz) using something like a kilowatt of power. The food containers in the microwave are made out of very similar materials as a laptop bag. Those readers are probably operating at something like 1 watt at the absolute maximum maybe 5 at a much lower frequency. There's Federal limits on what you're allowed to put out into the radio spectrum. I have absolutely no idea how much power you would have to output at that frequency to get material degradation and a laptop bag. but I know I don't want to be near it.(I think it would probably be easier to measure it in power substations)
The efficiency of this *TECH SAFE GUARDIAN* is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense access like this so digestible is really something. Awesome work james!!
Just placed my order using your code, hopefully you get a kickback from it.. Love your content, it's hard to find someone who's willing to ask the right questions to the right people and share what they've gained from it.. You Rock David!
That's actually kinda scary that these things are just kinda out in the wild, but that also means that more people like you are able to teach us more about them so we know how to protect ourselves.
There is absolutely nothing special special with this thing, RFID scanners/copiers/writers are available for decades, same as the universal remote controllers. And it can mimic a wireless keyboard/mouse. *Facepalm. The only difference is that this looks like a toy with a dolphin animation. And notice this thing only works if you have the master RFID tag in your possession to copy it. You could do that ten years ago with cheaper hardware. Notice the lack of mass creditcard scanning scams in the last ten years. You can scan my creditcard but you can't use that for paying anywhere so it is useless, but hey you can open my hotel safe after I let you scan my creditcard ofcourse and I let you in my hotel room wafter I told which room... in which hotel. This thing is total bullshit and it's only function is scamming wannabee "hackers" who don't have a clue out of their money.
You should've explicitly mentioned that this doesn't allow you to clone payment cards, the CSN/UID of the credit card have nothing to do with contactless payments, Flipper Zero cannot access the bankcard data. Contactless payments requires a fully encrypted handshake where the PoS sends an encryption key which is encrypted or signed using the a key held by the issuer the card would only transmit the card details if it successfully decrypts/authenticates the PoS key and those details would ofc be encrypted using the PoS keys. Whilst "contactless skimming" is possible it's only possible with valid PoS terminals, unfortunately it's fairly easy to get the PoS contactless reader and account needed for it and the scams rely on flaws in the KYC processes of payment processors such as Square to achieve it. Contactless EMV transactions are by far the most secure method of transaction we have right now even more so than chip and pin and there are no known direct attacks that impact these trasnactions.
This, and it's also nothing new. I can even copy or emulate nfc uid with my smartphone. Much more interesting ist the convince to copy 433 MHz signals often used by garage doors and such
That's not quite accurate. Bank cards will happily send lots of information to anyone that asks (the EMV spec is public, if you're interested). POS systems do use RSA and signed keys, but only to verify the card is who it says who it is, so cloning is still impossible
@@edenjung9816 You can't and if ever a device like that would be available you wouldn't want too unless it's an approved contactless payment device such as your phone or smart watch. Cloning cards is still a criminal offense even if they are your own cards. This would eventually get noticed in store and on public transport and cops can get called and good luck explaining to them what a Flipper Zero is. And even the criminal case would go no where when your issuer finds out you'll be fucked and good luck getting a chargeback ruled in your favor ever again for your entire life that is if you would be able to get another card issued.
@@jetseverschuren It's quite accurate, no cardholder data is ever sent over the wire before the card authenticates the PoS and any cardholder data sent by the card is always encrypted. If you have control over a PoS that has access to issuer keys or the issuer network and can trigger a contactless transaction and the PoS does not uses P2PE you will get enough CHD to make additional transactions but cloning the EMV chip is impossible. However I don't know of any contactless PoS's at least that are attainable to regular merchants that do not employ P2PE which means that the merchant never sees any CHD at all as all the transactions would be end to end encrypted and tokenized. Older Chip and Pin PoSs were not required to use P2PE however most if not all EMV terminals from the last 5 or so years are P2PE terminals. Some of the larger merchants such as huge retailers might have been allowed to retrofit their PoSs with contactless payments without it being P2PE but any retrofits I've seen were usually a separate payment channel and were P2PE. All the "IOT" card readers such as those from Square and SumUp and the likes are all P2PE so you can only do charge skimming on those since as an attacker you'll never see any card holder details.
UID emulation is not nearly enough to emulate a yubikey's cryptographic functionality. You would need to extract private key information which requires much more extreme tactics. If you were using your yubikey merely as an RFID tag this would work, but that's not what people use yubikeys for
I remember having homebrew on my PSP that used the IR to be a universal remote. Same method to train it so I had all my friends remotes saved as different profiles. Then I didn't have to look around for one when we were chillin. It was great at home as well, since we had so many IR remotes. I could quickly switch from playing my game over to other tasks, similar to ALT + Tab on PC.
You can read only what's public from the credit card's rfid and that's usually what is already physically written on the card (except the CVC of course). You can do this with any phone supporting rfid (most of them nowadays), but that's not actually cloning the card. The chip on the card is a minicomputer with cryptographic capabilities and that allows to make payments secure.
I would say especially people. Security is a placebo... Okay, so don't lock your doors, might as well just leave them open in that case. There are certainly things that can be and are secure in the world.
I was originally extremely concerned about this piece of tech. Now, having learned about it, it's not as threatening as it looked. You have to have access to the original key sets and cards to copy for the ball to even start rolling. Just be careful with your wallet, as we have all been told since the dawn of wallets.
@@RhythmEmotions Yes. There wouldn't be anything stopping someone from doing that. That's why it's important to have an RFID blocking wallet. Do keep in mind that with this device, you would need to have the device extremely close to a card to copy the data. Many people carry multiple cards in their wallets. It would be very difficult for someone to know what card they are copying without removing the card from the wallet and scanning it. For example. Someone could be touching the device to someone's back pocket, and be copying someone's bus pass, or someone's hotel room key instead of their credit or debit cards.
If a safe doesn't have a knob/lever/keyhole then it's likely going to give the user problems. With that said, the safe used in this demo can be considered complete garbage even before David did anything to it. Casually shopping for "safe" devices online (7 years now?) has resulted in hundreds of negative comments regarding 1) junk quality, 2) the inability to open the thing even with proper clearance [a huge complaint with biometric fingerprint scanners], and 3) sometimes opening way too easily due to bad firmware or flawed physical internals. I think once upon a time Sentry had a model that could be opened with proper magnet placement, no code required. My primary has a digital pad, a separate battery backup box, keys, and can be alarmed. Get yourself something with any combination of these features and bolt it to the wall/floor.
I know this is a stupid use but for someone that has a bunch of keycards for work or for personal use it would be cool to have one device I can use to unlock everything, as well as a good trick to have a random rfid card I use unlock something unexpectedly.
This is exactly why I bought one. So I can make a new one and not have to pay $35 each time to the company for a new card. Oh, and all the other cool things it does will be worth the hundred and change.
You don't need to give them your card, they pass you the reader, pay cash in places you find sketchy and you should be using credit cards instead of debit's by now.
It just kept glitching on me when i tried this video tutorial. Thank you for this video firstly & Secondly thank you *sentinel Recover* I can’t get to the part of video selfie meeting you was a blessing in disguise. Keep up with the good work a lot of people will be needing your assistance in the nearest future.
I saw the kickstarter campaign and figured it would be something that would be quickly banned or never allowed. After they blew wayyyy past the goal I ended up snagging one on preorder. After having it a short while I ended up jumping on a restock early on and now have a backup. But being an A/V- IT tech this thing is extremely valuable. When you setup customers with a universal remote they lose the individual device remotes that are sometime still needed. But I have every ir device I would ever need in my pocket. I was able to bypass the need to buy expensive programmed rfid badges, as I now just buy cheap t5577 tags that can emulate a range or rfid protocols and write them for the employees. The bad usb for automated installation of programs for remote assistance for IT clients. I’ve even copied the company garage door with the subghz. This thing is extremely powerful and even more so with custom firmware. And it’s cool to see you made a very informative video on it. I love your content and it has helped stuff me further down the rabbit hole of cyber security. But as a yubikey user myself I’m happy to say, That it can read/copy/emulate it, but it sees it as an unkown and assumes it’s nfc type a so the phone won’t read it as a key. Or at all in the app.
@@binary_badg3r i was a noob when it first hit on kickstarter. It was marketed as a “hacking multi tool” I just figured with it’s power and ease of use it would have been something that the fcc would’ve pushed back on. But I guess I was thinking they were gonna act more like the atf and a cool gun. But in the end I realized it’s basically treated like a computer. Sure it had the potential to do a lot of bad. But it all depends on the intentions of the user.
@@TheCrash0veride yeah its not hi tech by any means. You can make your own with parts from your local supermarket. It's open source to so you don't really have to do any coding
@@thePyiott I wish I could find components like these at my local supermarket. Radio shack died over here so there’s no electronic hobby stores anywhere now. They want to do away with the right to repair.
Honestly I'll buy one just because I can have a single device to do all those things. I'd copy my own remotes and cards, and use it to copy remotes in hotel rooms and so on. There are a ton cool legal and smart uses of this to copy the tools you would normally have access too into a single device.
If Flipper can be remote controlled than all somebody has to do is get it into your bag or glovebox or whatever, then they can use the various functions to suck everything they want out of your wallet/car/key-fob etc, then they just have to get the Flipper back - with probably won't be too hard of they 've cloned your keys.
For the rfid you can use just a phone with nfc, for the IR you can also just use your phone, bluetooth you can also with a phone with bluetooth. Unfortunatly, I dont know if there is a way to use a phone as a bad usb, but bad usbs are pretty cheap, you can buy one for less than 15$
That's pretty much what I was thinking. My old Galaxy S5, I think, has everything I need, other than the software it'd need...but I do have an IR remote program on it, which is the primary reason I keep it, since newer Galaxy S phones don't have IR anymore. I've had fun with using the remote app at bars, especially when someone decides to put some garbage on the nearest TV. I hadn't heard of "bad USB" devices before, but then, my interest in such things has waned over the decades. I suppose I'll have to look into the subject, now I'm aware of it.
The Flipper Zero supports a range of features including the capture and replay of Sub 1 Ghz signals. You would need a PandwaRF or another device to capture and replay these types of signals with an Android phone. In the first part of the video I showed some clips about what others have done with the Flipper Zero (unlock cars, open boom gate, tesla etc), but as mentioned I did not show all it's capabilities in this video. See their website for more features such as iButton, GPIO etc
@@davidbombal yeah, I know that, I just saw lots of people saying that they whould like something like this gadget, I was just showing that they don't need to spend that much money to accomplish the examples that you showed on the video. The tech in that gadget is amazing, but for most people a phone whould be better xD
You can do most of it on an iPhone too. I don’t understand the fuss about this product, it’s all stuff that has been done for years with much cheaper products or often with the phones we all carry every day anyway. Seems like a complete waste of money to me.
@@maniaksgaming6739 haha. Nice try. More accurately, I’m someone in the trade who understands these products need to be disposable or more undetectable.
@@ChrisSmithy Can you give examples as to how? Do you need a rooted phone? I've been trying to emulate some work cards and tried a few apps, can't seem to find anything to emulate. I have Android
If you have normal access to a building where everyone uses rfid to access it. You can walk in close enough to another employee and gain access to the building. So you do have to be careful.
There is no doubt that you will rise fast at the apex of your career *THE TECH SAFE GUARDIAN* . Because you are a very intelligent, smart, hard worker and your work ethic par excellence. Keep going People like you take the IM out of Impossible by becoming PRO at tackling Problems. You Rock!
Big thanks to Lab401 for sending me some cool toys :) // Discount // Get a 5% discount using my affiliate link : lab401.com/r?id=42cm8b and/or use code DAVIDBOMBAL The Flipper Zero must be one of the most in demand hacking tools of 2022. A fantastic RFID / NFC / Infrared and more tool :) Flipper Zero: lab401.com/products/flipper-zero?variant=42927883452646 // Video mentioned // 2 seconds to open a safe: ruclips.net/video/X990ZNA2Tog/видео.html // Great resources // Awesome Flipper: github.com/djsime1/awesome-flipperzero Bad USB: github.com/nocomp/Flipper_Zero_Badusb_hack5_payloads // Lab401 // Twitter: twitter.com/Lab_401 Website: lab401.com/ RUclips: ruclips.net/user/lab401 // David's SOCIAL // Discord: discord.gg/davidbombal Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal RUclips Main Channel: ruclips.net/user/davidbombal RUclips Tech Channel: ruclips.net/channel/UCZTIRrENWr_rjVoA7BcUE_A RUclips Clips Channel: ruclips.net/channel/UCbY5wGxQgIiAeMdNkW5wM6Q RUclips Shorts Channel: ruclips.net/channel/UCEyCubIF0e8MYi1jkgVepKg Apple Podcast: davidbombal.wiki/applepodcast Spotify Podcast: open.spotify.com/show/3f6k6gERfuriI96efWWLQQ // MY STUFF // www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com flipper zero flipper flipperzero hack hacking rfid nfc bluetooth infrared radio gpio
Anything that can take, manipulate, or use technology in ways it was not intended to be used, legal, innovative, or nefariously, is a hack. If one devises a way to warm their flip flops in a toaster without burning their house down before putting them on, it's a hack.
Yeah, this got me to dig out my second, unopened one and play with it, because my first is in the glove box of my car. I had lots of plans for it originally, but the pandemic kind of put the kibosh on almost all of them. It's nice to have, but it turns out I don't use it as much as I expected. Still love it, and am very happy I backed it.
Thanks David. Excellent review and excellent product. Your video underscores the need for storing RFI devices inside some sort of RFI blocking devices, be they wrappers and bags.
Really would love to get my hands on one of these, not for anything malicious but to fulfill the child hood dream of having one remote to do everything like in the TV show Hey Arnold
Haha there's thewandcompany that used to make epic sonic screwdrivers from doctor who, I had one the 10th doctor's universal controller sonic, epic quality and did a lot of trolling with it, I almost got 12th doctor's sonic which is even betterm had an extra functionality of emmiting IR at random to "guess" what signal a TV for example used to shut it down
I personally don't see view as a new threat - people have been attacking door systems etc like this for years. The difference is, now this technology is placed more easily in the hands of everyone instead of it being restricted to power users or hackers. There is a long history in information technology of trying to achieve security through obscurity. Flipper Zero is merely exposing bad design and bad implementation in a viral way where suddenly, people talk about it. There is no magic, it doesn't suddenly break systems that were secure before. But if it makes people aware of the flaws in many tech products and puts pressure on the manufacturers to put some actual effort into the design of their products, I believe that's a good thing.
If you have physical access to the cards you want to emulate, you’re already most of the way to using them anyway. What’s the big deal about an rfid reader?
u can scan someone's else card from their pocket for example. So basically someone can grab your card info when standing behind you in a line in store.
@@JamesPhillipsOfficial If you believe some in the industry, this is rare. And this (internet): "Most credit card chips are not RFID-capable. Today’s chip-embedded credit cards don’t actually transmit any information that could be captured without inserting the card in a reader."
@@sadskalmar6714 yeah, good luck with that. You have to know where the card is exactly, and be able to sneakily get the device in close proximity, while the target is moving. All that without raising suspicion in the target and any bystanders. Furthermore, people usually have multiple cards in their wallet, which usually makes reading them via NFC impossible.
You are NOT reading credit cards, it just reads the UID of the chip. Try using you passport to lock the safe, it's going to work like every other NFC chip. The ID of the chip is always the same and has nothing to do with credit card security or anything similar.
Exactly what I am thinking, its simply a software problem. All of the devices with security issues just need to stop checking that the rfid devices has the same ID, as clearly thats not safe anymore, and start checking that the rfid device contains some sort of secret
So fun when everyone and their dog does a flipper zero tutorial and then over night they are being banned from online sales. THANKS SO MUCH FOR THIS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I believe your android phone can do most of the stuff that the flipper zero does. You just need it to have nfc and Bluetooth as hardware +Linux or a custom rom for android with open root.
This channel is the sole exception where I haven't skipped the promo ads. Your finesse in effortlessly integrating promotional content within your videos is genuinely impressive. Sometimes, it takes a moment to recognize that you're endorsing anything; I commend *sentinel Recover* for your adept execution in this aspect
The copying of cards and stuff was interesting but not that worrying as it seemed like you have to touch the card with the device before it can read it , if it could read cards at a distance away it would be scarier in my opinion
@@pyro23431 contactless payments are limited to a certain value and each RFID payment code is unique for each transaction. Someone who bumps you could maybe steal your 20-50 bucks but that's way better than actually stealing your card.
Probably only works in the most basic cases, e.g. replaying RFID info since most RFIDs and NFC protecting things like banks cards will have challenge / response mechanisms.
Yep, I almost laughed out loud when he said you might be able to emulate yubikey for 2 factor. This guy's videos are great, but sometimes you gotta wonder what they think some of this technology they use actually does.
@@meateaw He just flops an RFID lock on the table like LOOK guys! I mean come on. flipper nfc/rfid is so limited that besides cloning your mifare tag or nintendo amiibo it's practically worthless
@@wrongtown exactly, it's a super simple protocol that can't be cloned by copying the NFC because it uses a challenge response mechanism that never shares the private keys.
This device i feel could easily be converted or installed into a Android phone i feel to make it less conspicuous. And maybe even expanded upon since it would also be a phone, imagine having kali nethunter and flipper zero run at the same time?
With the non-standard firmware I can capture raw from a car key fob and replay it, but it doesn't actually break the encryption. If you know anything about rolling codes, you know how limited this can be.
Man sometimes I think how could anyone do something in a place they're not allowed to be when security cameras are now either decent enough and extremely cheap, very very good and reasonably priced, or expensive but you could zoom in to a detail half a pixel wide at least 130 feet away that was there 8 days ago. But then I see tech like this and understand there's still a balance between offense and defense.
What happens if you have 2 or 3 credit cards stacked together like they would be in a wallet? Would it still read one or all of them, or would it get confused?
this device is awesome, but i managed to build myself a simpler version with the exact features that i wanted and it was much cheaper and is not restricted (some frequencies got removed from flipper zero). mine costs under 10 bucks and works at least as good as flipper zero (some features are missing of course). thanks for sharing the experience with this device :)
Hi, do you mind sharing details?? I'm a computer engineering major and figure I can put one of these together myself as well.., the only ones I can find online are $300! 😰
the hardest part was programming the microcontroller. flipper zero made the source code open source but i had to figure out a lot of stuff on my own. building it wasnt too hard. you juat need to buy a 1-1000mhz antenna, a rfid reader and a 2.4 ghz antenna and connect the stuff with a decent enough microcontroller. i bought everything from aliexpress and i think it was just 10 bucks for everything. building it took 3 days and programming took about 3 months (with 1-4 hours a day).
@@AntonioAugusto1010 yeah its more about the fun and education of making it. but now i could easily mass produce it and it would get cheaper than buying it ;)
Awesome work, *TECH SAFE GUARDIAN* ! It's so satisfying to see you putting in the effort to stop those shady characters. Protecting the public, especially the elderly, from those despicable con artists is crucial. You truly deserve recognition and appreciation for keeping us secure. I'm thrilled for you because you're my sibling. Your accomplishments definitely make you a strong contender for the Nobel Peace Prize. Keep up the outstanding performance!!!!!
I have a rather peculiar question that might be kinda obvious. But if the flipper zero can emulate a card in theory couldn't I use it as a more secure way to store my own personal cards?
There is no doubt that you will rise fast at the apex of your career *TECH SAFE GUARDIAN* . Because you are a very intelligent, smart, hard worker and your work ethic par excellence. Keep going People like you take the IM out of IMpossible by becoming PRO at tackling PROblems. You Rock!
@alekos xainas as with most "hacking", it's social engineering that gets you to the keys, but you're mistaken here about buying stuff online; the RFID signal from a card isn't going to contain card data in an easily accessible way, probably hashed and irretrievable
@@BoraHorzaGobuchul so there is no need for rfid protective wallets, just put 2 cards together. rfid wallet industry hates them for this one simple trick.
HackRF has really taught me a lot about vulnerability of today's devices along with long distant signal testing with a Yagi and location finding of interference signals using 4 antennas and some mixers with LO shifted a few khz on each antenna to get a direction of a signal Fox Hunting RF. It's very handy for testing and can build many things with GNU software to decode signals. Very capable and extensive device. The Dolphin does things a bit quicker and requires less know how which makes it desirable for the lazy ones not wanting to learn how it works🤣 but still handy in a pinch. Hackrf one for the hackrf still needs more options and bugs fixed and it will be more capable in the future.
Just wanted to share how my AirTag smart wallet saved me from an RFID hack. Its built-in RFID-blocking shield protected my cards, and the Find My app on my iPhone helps me locate my wallet.
Could you share an example of how it saved you from such an attack? It would be helpful to hear a specific instance of how the RFID-blocking shield worked for you. Thanks
@@olegj285 sure bro, a few weeks ago, I was at a busy mall and felt a strange sensation in my pocket. After checking my wallet, I realized that someone was trying to scan my credit cards using zero flipper
@@Adamlogen12 Wow, that's crazy! I'm glad your Air Tag smart wallet protected your cards from that kind of attack. By the way, where did you get your AirTag smart wallet? I'm interested in investing in one myself, and I'm curious about where people are finding the best quality
The concept is awesome. The dolphin idea is a reference to the cyborg dolphin from a short story of William Gibson, people might recongize the reference from Johnny Mnemonic.
This device is pretty cool and has some amazing capabilities. Regarding the card reader and emulating a cc or key fob - how close do you have to be to the device in order to clone it? As with many vulnerabilities, if you have the original (CC or key fob), why bother cloning? Great video and always a fan of showing people that what you think is safe, probably isn't!
Well I can definitely think about ways for cloning to be useful. For example let's say you visit a hotel, you can grab the opener card and come back week later to pick up anything you wish from the room from the next visitors with your very own key.
@@luimu I absolutely agree that the tool is amazing and has many uses. Hadn't thought of that use case but would hope that hotels encrypt the current guest name with the room number. As always, we security experts can never anticipate all scenarios.
@@RohxAirsoft Fortunately, that is not how payments work. In the demonstration in this video, the card simply reported its UID to the reader. The problem is that this is all that the safe requires. Smartcards can actually do much more than just report their UID; they can essentially run applications like any other computer and do cryptography, albeit in a much more reduced capacity. In a payment scenario, the terminal and the card would go through some protocol where the card can prove its identity without ever revealing its private key, so that it cannot be cloned.
Reaally cool device I'd be interested for the original msrp but I also feel like in terms of hacking, it's pretty impractical seeing as you have to intercept most signals in order to duplicate them. Unless the fuzzing functionality allows you to brute force a signal?
@@KeyonKey Fuzzing is a type of vulnerability testing in which you throw a bunch of different permuations of inputs to a program or service to see how it responds. In the exploit world it mostly boils down to trying to get a text input in a program to trip up and overflow the memory. They do this by figuring out vulnerabilities in the different functions that get called that work on the text you inputted. if an overflow occurs then the attacker can append "shellcode" to the text which is operating system specific machine code. in the context of fuzzing here I think I meant like brute forcing or running through a bunch of different frequencies on a receiver to see what opens a parking garage gate for example.
99% of us are shielded by anonymity. As a result, RFID emulation to access locks will be a highly specific use case of the gadget. However, I am confident that WIFI and Infrared emulation will be its primary application.
When you are out in the physical world, your identity is plainly visible or easily discovered. If this or a similar tool can read your mobile phone number while copying you key fob, they can catalog the keyfob as related to the phone number. A later online search will give them a short list of addresses that the keyfob can open. A ealk through a street or train will gather a pool of victims and they can choose the most valuable for silent break in the next day.
To be honest I have seen videos of Android phone performing a "skim" of someone's credit card down a elevator, they just used NFC and the right app. So the tech of this device is not new at all, it's just a different form factor
@@BoraHorzaGobuchul Yep it can also speak BT and USB, like any smartphone can do. Older Samsung devices (Galaxy S4 to S6 for example) that are way cheaper than the flipper could even speak IR in case you want to control your grandma's old TV.
@@JanBebendorf It can also read a fairly wide variety of security devices. Your phone can't read or write an iButton, nor can it access the iButton reader. Your phone may only support a limited set of NFC and/or RFID implementations.
The Flipper Zero supports a range of features including the capture and replay of Sub 1 Ghz signals. Please explain how you could get an Android phone to capture and replay Sub-1 GHz signals without a PandwaRF or another device? For example capturing capture car remote signals and replaying those. In the first part of the video I showed some clips about what others have done with the Flipper Zero, but as mentioned I did not show all it's capabilities in this video. See their website for more features such as iButton, GPIO etc
We need more immeasurably wise and compassionate humans like you on this planet. Thank you for sharing *sentinel Recover* , James. I bet I'm not alone when I say this video found me at the perfect moment, and there are a lot of things here that I needed to hear right now.
@@nicolasmfa There is support for some features, such as copying the nfc details of a card, but probably not the “Emulate UID” feature, from my personal experience.
Could someone emulate the emulator with a second Flipper? Like if you're using it legitimately for ease of use, what's stopping someone from stealing all those scripts?
You received 1 of 3 things from the YubiKey scan. 1 - YubiOTP code (default) ex. ccccccllfvvibdbtbgttdgdrjnvcebdtgfcdrjrunnjf 2 - Static password 3- HOTP code ex. 72345924 FIDO and PIV would be running a challenge over to be signed by a private key on the YubiKey. The Flipper would not have access to the private key. None of the the OTP codes from NFC scan are time based so they all would be valid. If, however, the user used the next code before you, yours would be invalid (except the password). Thanks for the video. I was wondering what the all fuss was about this. Seems like the form factor and ease of use in a single package is what it is. I also see that it has some GPIO pins on the top for a few more advance use cases. Only critique I have is that you shouldn't leave people hanging on YubiKey security. If you mention something like that you should take the time to close it out immediately or not show the content.
Thank you so much for the information, this is absolutely insane that a single device can do all these things. And even though it is understood that this video is for demonstration only. What comes into mind is: what bad actor or criminal uses this type of device for malicious purposes, what kind of practices or techniques can be applied to defend ourselves from such a variety of attacks, which are kind of in between the physical and information type of attacks. One more time, thank you for your work
Most bad actors already have made a device like this. For example I have an rfid reader from a car parking lot, which can scan straight through the a rfid blocker to a mini pi. Even though it takes time to scan then put the data onto a fake card/transmitter, its super easy to do after its done.
It is not insane. It is reality. You only need a few chips to cover all this spectrum. Anyone with minimal motivation can do these same things with freely available consumer electronics. The rfid stuff can likely be done by any cellphone with rfid built in. The issue is not the device, the issue are the vulnerable products multiple industries have ignored for years. They made devices with no security. The real solution is to add on security with a way for the owner of the car and only them to bypass or authenticate. Adding security without an owner bypass or authentication api just increases the chance that a modder trying to do something legal breaks the security to tinker with his owned property. Comma ai is a good example. They need to plugin to the canbus to add self driving features to different models of cars. Toyota slaps on encryption that the owner of the car has no bypass or authentication method for, so their is an effort to break the security which may help thieves. If car makers ensured owners had a bypass to security, then no one would worry about cracking the encryption and less scrupulous people wouldn't get to reuse legal modder bypasses to steal cars. Don't expect fixes because device makers won't give owners apis they can use to bypass security. So as they add security to devices, modders will crack it all.
Like it or not, this stuff being public and available will only work to allow people to learn the vulnerabilities of their technology so they can better secure it. The most dangerous hacking devices are the ones not known of much by the public or at all. Like the Stingray phone trackers used by police for some time before they were exposed.
or tiktok skids making people lives worse for stupid likes and validation online
Apparently in the USA a shipment was intercepted by customs but then released to the public.
Where's the 2nd comment bad YT?
@@kevinslattery5748 youtube like to shadowban comments sometimes for whatever reason. They make it so it looks like the comment went through on your end but nobody else can actually see it. That might be why it’s bugged.
@@nemod.8310 No, it's not thar crazy. What is crazy is that safe maker employing inherently unsafe tech for an application that demands high security.
The safe is effectively worthless.
My favorite part is the programmer put so much effort into the dolphin animations.
duh because its such a bs device lol you need the other device for it to properly work. it needs to be able to read a device to use its properties....
Thumbs up from dolphin!
YET HE SAYS IT STILL NEEDS TO BR REBOOTED OFTEN
That's another feature that made me buy one!
Looks like some old Pokedex animations.
The efficiency of this *Deep web experts on the WEB* is next level. To juggle walk throughs of various angles on the topic delivered to-camera, different content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense access like this so digestible is really something. Awesome work *Deep web experts on the WEB* !!
I love the UI on that thing, cute yet so incredibly powerful
the dolphin is a good choice
i wanna get it just for the UI alone tbh.
(and then mainly use it as a secondary backup remote or near radio keyring)
The ui is just a dolphin and scrolling text. Just say you like the dolphin; the text is soo effortless.
@@lonnpton5239 It's genius, dolphin was perfect choice because of echolocation and sounds
@@ArcYT yes and its big brain
When something like this gets to the public, I always wonder what kind of devices are out there that we haven't even had a glimpse of yet
Tons. You don't even want to see the ones the government has.
@@tigreactivo517 I mean that the predator drone was a thing in the early 1990s is already frightening enough - tbh I feel like I don't even wanna know
Like the USB cables with hacking software in the cable
So many!!
Universal remotes are pretty high tech, the infrared is straight bussing yo
As an engineer, the newest piece of tech in my house is a printer and I keep a loaded handgun incase it does something unexpected lol
"Low on ink"
Can never trust those printers 🤣
damn right brother stay woke lol
It's been awhile since I've heard that joke
I’m watching RUclips on my printer too!
Say what you want about the device but I love the charm and personality it has in its software. Now that’s someone who puts love in their product
i wonder what the minds of the people who create these devices are like.
@@roastytoasty8559 the are black hats who think it's white
@@roastytoasty8559 smart. They are smart
@@ALCRAN2010 But extreme degenerates too. Smart degenerates, which isn’t a great combo.
@@kitplaysmore7554 absolutely dangerous?💀 bro it's not what you think it is, it's definitely not dangerou
Hey ppl, I'm a retired computer/IT person, Yet I still find *sentinel Recover* so informative and straight forward. Thanks for your advise and helping the people...........Great work and love watching.
I was looking at this piece of tech when they stated their kickstarter. It sounded like a great idea but was really ambitious at the time. I'm glad they were able to actually bring something to market.
Stuff like this is why I'll never go for the whole "smart house" thing where everything including your damn coffee maker is a computer or connected to the net. Too many vulnerabilities too many exploits too many surveillance devices.
just imagine the chaos when we start using nano bots for health issues.....just use this and tell them to stop the heart or something lol
Having a Smarthome IS NOT the problem. Using devices that depnd on a cloud or internet connection is the problem. Everything demonstrated here is interesting, but all requireschaving relatively close proximity. The point being, a smarthome is nothing to be afraid of, but make sure that devices that only need local access for control. Not Alexa and Google Home, and know how the devices can be controlled.
@@cjramseyer I'm just sketched out by any kind of wireless devices because it means they can still be manipulated by other Wireless signals people always find a way to exploit any kind of remote connectivity even if it's not connected to the internet directly necessarily
True you could catch someone’s house on fire or rob it while they are away or worse if you think too hard about it. But I would agree that’ll not catch on with me either for the reasons you stated
You got a phone ? Too late
Feels like the video started as "this thing is dangerous!" but as the video goes on it's more like "hey this thing is kinda handy" lol
I am a college teacher that teaches electricity. I bought this today and was playing around with it in class with my students. They loved it and actually really learned alot about the importance of EM frequencies.
Thats actually really cool. Awesome! 🫶💙🫶
This is basically the real life equivalent of Batman's hacking tool from the Arkham games.
Man, it sure is convenient all these passwords are a single word.
Right!
Or a sonic screwdriver
Nothing will ever be as advanced as what Batman has
Does it come in black?
This guy : "See that's bad idea"
The lockpicking lawyer : "Here we have a demonstration of the hardest way to open this safe. Now I am going to use a fork..."
Fork?!? Cmon, just a paperclip is enough!
Opening a lock with it's own packaging will always be a highlight to me
With a tomato.
With this spec of dust
Ive seen em break into a car using nothing but his shoelace its wild
For about $200 this seems like a pretty awesome master controller for all my devices
Who knew something so adorable could be so dangerous!
I know right. I told my mom its just a toy and she trusted me because it looked like one, i bought it and i do many things with it
@@Narites 🤨
@@Narites imma tell your mommy..
@@Narites mom's cabinet starts vibrating.
@@kaelthunderhoof5619 🤣🤣🤣🤣
This is really useful for many things as well. I saw someone copy a card onto some of those blue tags, so they can have extra keys to their appartment building, for family and etc
I was thinking how useful it would be to have a spare set of apartment keys, or a garage key in case you ever lose or forget yours. It definitely has its uses that don't involve doing bad.
well u can always make an extra copy of the key where you get the first one
@@Lothar526 a lot of apartments charge you $50+ for extras
@@burymeinversace really? wow thats a lot! im not from the US.
@@pwntwtf Or every remote in your house. Id take it everywhere, seems super useful in a pretty small size.
The efficiency of this *sentinel Recover* is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense taccess like this so digestible is really something. Awesome work *sentinel Recover* !!
It’s like a personal master key. I’d use it for exactly that
I've been waiting to see more of the flipper. I tried pre-ordering one on the website and for some reason I was not able to. If it's perchable right now I would buy as many as I can. This is such a useful tool. I had a friend who had one and he let me test it out and he can bypass almost anything.
Problem with RFID blockers is a lot of them work all right until somebody puts a parking garage overhead scan unit in a laptop bag. A lot of blockers can be read straight through with such a device, it just depends on how sophisticated of an attacker you're worried about.
Hmm, possible solution?
@@madhurindian faraday cage
Would the issue there be the device in the bag's signal is too strong for the bag to contain?
Man I wish I had goggles that let me see as much of the electromagnetic spectrum as possible at once.
I have an app that visualizes some radio and microwave signals and I have a thermal cam, seeing UV spectrum can be done too but I'd like to integrate it all into one view
@@zaa1414 I'm referencing a defcon presentation. I can't remember exactly who was presenting, anyways it's was made into a portable rig that they put into a laptop bag. It didn't really need a ton of power and it was set up to dump the credentials of every tag it could interrogate. It's definitely the sort of thing pen testers make.
No it would be quite unpleasant to be around any sort of RF source strong enough/(at the right frequencys) to damage the materials in a laptop bag. Let me put it this way, the microwave heats things using radio waves (at about 2.4 GHz) using something like a kilowatt of power. The food containers in the microwave are made out of very similar materials as a laptop bag.
Those readers are probably operating at something like 1 watt at the absolute maximum maybe 5 at a much lower frequency. There's Federal limits on what you're allowed to put out into the radio spectrum. I have absolutely no idea how much power you would have to output at that frequency to get material degradation and a laptop bag. but I know I don't want to be near it.(I think it would probably be easier to measure it in power substations)
The efficiency of this *TECH SAFE GUARDIAN* is next level. To juggle walk throughs of various angles on the topic delivered to-camera, differnet content per topic from various folks underneath the umbrella of the track list of the larger big band concert itself is engaging and refined. To make a dense access like this so digestible is really something. Awesome work james!!
Just placed my order using your code, hopefully you get a kickback from it.. Love your content, it's hard to find someone who's willing to ask the right questions to the right people and share what they've gained from it.. You Rock David!
That's actually kinda scary that these things are just kinda out in the wild, but that also means that more people like you are able to teach us more about them so we know how to protect ourselves.
There is absolutely nothing special special with this thing, RFID scanners/copiers/writers are available for decades, same as the universal remote controllers. And it can mimic a wireless keyboard/mouse. *Facepalm.
The only difference is that this looks like a toy with a dolphin animation.
And notice this thing only works if you have the master RFID tag in your possession to copy it. You could do that ten years ago with cheaper hardware.
Notice the lack of mass creditcard scanning scams in the last ten years. You can scan my creditcard but you can't use that for paying anywhere so it is useless, but hey you can open my hotel safe after I let you scan my creditcard ofcourse and I let you in my hotel room wafter I told which room... in which hotel.
This thing is total bullshit and it's only function is scamming wannabee "hackers" who don't have a clue out of their money.
I have one these I use to copy my car fobs , my tv remote and troll my coworkers by changing tv channels.
You should've explicitly mentioned that this doesn't allow you to clone payment cards, the CSN/UID of the credit card have nothing to do with contactless payments, Flipper Zero cannot access the bankcard data. Contactless payments requires a fully encrypted handshake where the PoS sends an encryption key which is encrypted or signed using the a key held by the issuer the card would only transmit the card details if it successfully decrypts/authenticates the PoS key and those details would ofc be encrypted using the PoS keys.
Whilst "contactless skimming" is possible it's only possible with valid PoS terminals, unfortunately it's fairly easy to get the PoS contactless reader and account needed for it and the scams rely on flaws in the KYC processes of payment processors such as Square to achieve it.
Contactless EMV transactions are by far the most secure method of transaction we have right now even more so than chip and pin and there are no known direct attacks that impact these trasnactions.
This, and it's also nothing new. I can even copy or emulate nfc uid with my smartphone.
Much more interesting ist the convince to copy 433 MHz signals often used by garage doors and such
Damn.
I was commenting above that i could Just save my Bankcard on the Flipper and use that instead of carrying the cards.
That's not quite accurate. Bank cards will happily send lots of information to anyone that asks (the EMV spec is public, if you're interested). POS systems do use RSA and signed keys, but only to verify the card is who it says who it is, so cloning is still impossible
@@edenjung9816 You can't and if ever a device like that would be available you wouldn't want too unless it's an approved contactless payment device such as your phone or smart watch.
Cloning cards is still a criminal offense even if they are your own cards.
This would eventually get noticed in store and on public transport and cops can get called and good luck explaining to them what a Flipper Zero is.
And even the criminal case would go no where when your issuer finds out you'll be fucked and good luck getting a chargeback ruled in your favor ever again for your entire life that is if you would be able to get another card issued.
@@jetseverschuren It's quite accurate, no cardholder data is ever sent over the wire before the card authenticates the PoS and any cardholder data sent by the card is always encrypted.
If you have control over a PoS that has access to issuer keys or the issuer network and can trigger a contactless transaction and the PoS does not uses P2PE you will get enough CHD to make additional transactions but cloning the EMV chip is impossible.
However I don't know of any contactless PoS's at least that are attainable to regular merchants that do not employ P2PE which means that the merchant never sees any CHD at all as all the transactions would be end to end encrypted and tokenized.
Older Chip and Pin PoSs were not required to use P2PE however most if not all EMV terminals from the last 5 or so years are P2PE terminals.
Some of the larger merchants such as huge retailers might have been allowed to retrofit their PoSs with contactless payments without it being P2PE but any retrofits I've seen were usually a separate payment channel and were P2PE.
All the "IOT" card readers such as those from Square and SumUp and the likes are all P2PE so you can only do charge skimming on those since as an attacker you'll never see any card holder details.
UID emulation is not nearly enough to emulate a yubikey's cryptographic functionality. You would need to extract private key information which requires much more extreme tactics. If you were using your yubikey merely as an RFID tag this would work, but that's not what people use yubikeys for
Yeah I was dumbfounded when he even suggested bypassing yubikeys 2fa
Can we just talk about how cool that cute little interface is? I love the attention to detail
Honestly I love the UI so much, what a cute and unsuspecting dolphin!
The dolphin isn't a random choice. They can be some of the most cruel animals. They can hunt, torture, and rape their own species or other.
oh I know about the "other species" part with some of the hentai I've seen where the dolphin is "connected" to an anime girl~ yup!
@@Mocxing bruh
He's always so MAD at me though 😅
It's copyright from Gameshark
Pentesting aside, this device seems really useful to just have around
I could simply save all my cards on it and Not carry them around with me. That would be cool.
the problem is that spending 170$ just for something you are going to use times to times is annoying
I was thinking the same, like the big boom of universal remotes in the 90's.
@@edenjung9816 you can already do that in your phone
Do you guys not have phones?
I remember having homebrew on my PSP that used the IR to be a universal remote. Same method to train it so I had all my friends remotes saved as different profiles. Then I didn't have to look around for one when we were chillin. It was great at home as well, since we had so many IR remotes. I could quickly switch from playing my game over to other tasks, similar to ALT + Tab on PC.
You can read only what's public from the credit card's rfid and that's usually what is already physically written on the card (except the CVC of course). You can do this with any phone supporting rfid (most of them nowadays), but that's not actually cloning the card. The chip on the card is a minicomputer with cryptographic capabilities and that allows to make payments secure.
@@Username-2 watched only 1 or 2 videos from this channel and he doesn't seem so knowledgeable... or maybe it's just for views and interaction
What you said
I wish more people realized security is a placebo. Literally everything is vulnerable, even people. Thank you for this video.
Putin is not
Even you
Especially people
I would say especially people.
Security is a placebo...
Okay, so don't lock your doors, might as well just leave them open in that case.
There are certainly things that can be and are secure in the world.
@@hummingbird_saltalamakia Exactly. Some people just wanna sound smart.
I was originally extremely concerned about this piece of tech.
Now, having learned about it, it's not as threatening as it looked. You have to have access to the original key sets and cards to copy for the ball to even start rolling.
Just be careful with your wallet, as we have all been told since the dawn of wallets.
Yeah, that's my take as well. Not nearly as impressive as I expected.
Couldn't you just stand in a crowd and scan people's pockets that have wallet's in to get the card info ?
@@RhythmEmotions Yes. There wouldn't be anything stopping someone from doing that.
That's why it's important to have an RFID blocking wallet. Do keep in mind that with this device, you would need to have the device extremely close to a card to copy the data.
Many people carry multiple cards in their wallets. It would be very difficult for someone to know what card they are copying without removing the card from the wallet and scanning it.
For example. Someone could be touching the device to someone's back pocket, and be copying someone's bus pass, or someone's hotel room key instead of their credit or debit cards.
@@gimme0cookies as long as this device doesn't become like the device on prison break lol
@@MalcomHeavy definitely buying an RFD wallet lol
None of this is that wild but having it all in one device is pretty neat.
If a safe doesn't have a knob/lever/keyhole then it's likely going to give the user problems. With that said, the safe used in this demo can be considered complete garbage even before David did anything to it. Casually shopping for "safe" devices online (7 years now?) has resulted in hundreds of negative comments regarding 1) junk quality, 2) the inability to open the thing even with proper clearance [a huge complaint with biometric fingerprint scanners], and 3) sometimes opening way too easily due to bad firmware or flawed physical internals. I think once upon a time Sentry had a model that could be opened with proper magnet placement, no code required.
My primary has a digital pad, a separate battery backup box, keys, and can be alarmed. Get yourself something with any combination of these features and bolt it to the wall/floor.
I know this is a stupid use but for someone that has a bunch of keycards for work or for personal use it would be cool to have one device I can use to unlock everything, as well as a good trick to have a random rfid card I use unlock something unexpectedly.
This is exactly why I bought one. So I can make a new one and not have to pay $35 each time to the company for a new card. Oh, and all the other cool things it does will be worth the hundred and change.
Only safety thing is it does become a master key for your life for anyone malicious
@@ocavant what if the delivery companies know what these are and then make it illegal?
Sounds like the mark of the beast
@@GswervinTV but its not because nothing is being put into your skin.
Imagine the dangers if a driver thru worker had one of these
Pay in cash no issue
wym lol dont hand them your card
You could work at McDonald’s for one day and retire lol
You don't need this to read cards legit any smartphone whit NFC can read and save card info
You don't need to give them your card, they pass you the reader, pay cash in places you find sketchy and you should be using credit cards instead of debit's by now.
Credit card to operate a hotel room safe? I’ve never seen this before.
Bad ideas Everywhere! :)
It has been around for years but has always been a bad idea
It just kept glitching on me when i tried this video tutorial. Thank you for this video firstly & Secondly thank you *sentinel Recover* I can’t get to the part of video selfie meeting you was a blessing in disguise. Keep up with the good work a lot of people will be needing your assistance in the nearest future.
I saw the kickstarter campaign and figured it would be something that would be quickly banned or never allowed. After they blew wayyyy past the goal I ended up snagging one on preorder. After having it a short while I ended up jumping on a restock early on and now have a backup. But being an A/V- IT tech this thing is extremely valuable. When you setup customers with a universal remote they lose the individual device remotes that are sometime still needed. But I have every ir device I would ever need in my pocket. I was able to bypass the need to buy expensive programmed rfid badges, as I now just buy cheap t5577 tags that can emulate a range or rfid protocols and write them for the employees. The bad usb for automated installation of programs for remote assistance for IT clients. I’ve even copied the company garage door with the subghz. This thing is extremely powerful and even more so with custom firmware. And it’s cool to see you made a very informative video on it. I love your content and it has helped stuff me further down the rabbit hole of cyber security. But as a yubikey user myself I’m happy to say, That it can read/copy/emulate it, but it sees it as an unkown and assumes it’s nfc type a so the phone won’t read it as a key. Or at all in the app.
Why/how would this be banned?
@@binary_badg3r i was a noob when it first hit on kickstarter. It was marketed as a “hacking multi tool” I just figured with it’s power and ease of use it would have been something that the fcc would’ve pushed back on. But I guess I was thinking they were gonna act more like the atf and a cool gun. But in the end I realized it’s basically treated like a computer. Sure it had the potential to do a lot of bad. But it all depends on the intentions of the user.
@@TheCrash0veride Kinda like guns. Or drugs.
@@TheCrash0veride yeah its not hi tech by any means. You can make your own with parts from your local supermarket. It's open source to so you don't really have to do any coding
@@thePyiott I wish I could find components like these at my local supermarket. Radio shack died over here so there’s no electronic hobby stores anywhere now. They want to do away with the right to repair.
Honestly I'll buy one just because I can have a single device to do all those things. I'd copy my own remotes and cards, and use it to copy remotes in hotel rooms and so on. There are a ton cool legal and smart uses of this to copy the tools you would normally have access too into a single device.
Please do not put your own credit cards into this device dude
@@andrew3606 why?
@@yeenking Because the company that makes these would have your credit card info to use or sell
@@andrew3606 but how? This device isn't online
@@yeenking He synced the devices data to his phone in the video
If Flipper can be remote controlled than all somebody has to do is get it into your bag or glovebox or whatever, then they can use the various functions to suck everything they want out of your wallet/car/key-fob etc, then they just have to get the Flipper back - with probably won't be too hard of they 've cloned your keys.
For the rfid you can use just a phone with nfc, for the IR you can also just use your phone, bluetooth you can also with a phone with bluetooth. Unfortunatly, I dont know if there is a way to use a phone as a bad usb, but bad usbs are pretty cheap, you can buy one for less than 15$
That's pretty much what I was thinking. My old Galaxy S5, I think, has everything I need, other than the software it'd need...but I do have an IR remote program on it, which is the primary reason I keep it, since newer Galaxy S phones don't have IR anymore. I've had fun with using the remote app at bars, especially when someone decides to put some garbage on the nearest TV.
I hadn't heard of "bad USB" devices before, but then, my interest in such things has waned over the decades. I suppose I'll have to look into the subject, now I'm aware of it.
The Flipper Zero supports a range of features including the capture and replay of Sub 1 Ghz signals. You would need a PandwaRF or another device to capture and replay these types of signals with an Android phone. In the first part of the video I showed some clips about what others have done with the Flipper Zero (unlock cars, open boom gate, tesla etc), but as mentioned I did not show all it's capabilities in this video. See their website for more features such as iButton, GPIO etc
@@davidbombal yeah, I know that, I just saw lots of people saying that they whould like something like this gadget, I was just showing that they don't need to spend that much money to accomplish the examples that you showed on the video. The tech in that gadget is amazing, but for most people a phone whould be better xD
We used to do this with Android phones when RFID reader apps first hit the App Store. You can do pretty much all of this on an android phone
With kali lunex lol
You can do most of it on an iPhone too. I don’t understand the fuss about this product, it’s all stuff that has been done for years with much cheaper products or often with the phones we all carry every day anyway. Seems like a complete waste of money to me.
@@ChrisSmithysimply say your broke with out saying your broke 😂
@@maniaksgaming6739 haha. Nice try. More accurately, I’m someone in the trade who understands these products need to be disposable or more undetectable.
@@ChrisSmithy Can you give examples as to how? Do you need a rooted phone? I've been trying to emulate some work cards and tried a few apps, can't seem to find anything to emulate. I have Android
If you have normal access to a building where everyone uses rfid to access it. You can walk in close enough to another employee and gain access to the building. So you do have to be careful.
There is no doubt that you will rise fast at the apex of your career *THE TECH SAFE GUARDIAN* . Because you are a very intelligent, smart, hard worker and your work ethic par excellence. Keep going People like you take the IM out of Impossible by becoming PRO at tackling Problems. You Rock!
Big thanks to Lab401 for sending me some cool toys :)
// Discount //
Get a 5% discount using my affiliate link : lab401.com/r?id=42cm8b
and/or use code DAVIDBOMBAL
The Flipper Zero must be one of the most in demand hacking tools of 2022. A fantastic RFID / NFC / Infrared and more tool :)
Flipper Zero: lab401.com/products/flipper-zero?variant=42927883452646
// Video mentioned //
2 seconds to open a safe: ruclips.net/video/X990ZNA2Tog/видео.html
// Great resources //
Awesome Flipper: github.com/djsime1/awesome-flipperzero
Bad USB: github.com/nocomp/Flipper_Zero_Badusb_hack5_payloads
// Lab401 //
Twitter: twitter.com/Lab_401
Website: lab401.com/
RUclips: ruclips.net/user/lab401
// David's SOCIAL //
Discord: discord.gg/davidbombal
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
RUclips Main Channel: ruclips.net/user/davidbombal
RUclips Tech Channel: ruclips.net/channel/UCZTIRrENWr_rjVoA7BcUE_A
RUclips Clips Channel: ruclips.net/channel/UCbY5wGxQgIiAeMdNkW5wM6Q
RUclips Shorts Channel: ruclips.net/channel/UCEyCubIF0e8MYi1jkgVepKg
Apple Podcast: davidbombal.wiki/applepodcast
Spotify Podcast: open.spotify.com/show/3f6k6gERfuriI96efWWLQQ
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
flipper zero
flipper
flipperzero
hack
hacking
rfid
nfc
bluetooth
infrared
radio
gpio
Your late old man
Glad you got what you backed on kickstarter. Backed 3 items in 2019 never received and Kickstarter does nothing to help nor do the originators reply.
Please remember russian products are currently subject to international sanctions.
Good sir, What was the RFID blocker you were using with your cards?
Can it run Cyberpunk 2077????
David what a joy to come across your informative video - RFID protector going on my shopping list!
I wouldn't call this a hacking device, more like a convenience tool. It just combines multiple tools in one device.
yes. It still need the "consent" of both device to be "hacked"
im not pointing this gun at your head im just motivating you powerfully, go back to scamming grandmas pos
Yes, it is a hacking device with an evil person. Trust no one.
Anything that can take, manipulate, or use technology in ways it was not intended to be used, legal, innovative, or nefariously, is a hack. If one devises a way to warm their flip flops in a toaster without burning their house down before putting them on, it's a hack.
@@Bos_Meong that’s how most hacking works.
Great sales pitch 👍 for a minute you aalmost had me worried. Nothing your average smartphone can't do 🤣
“You can’t get a hold of one”
…I guess I should open the box that’s been sitting in the corner of my room for the last 4 months
Ship it? Lol I'll pay I want one like now I have so many devices i can use with this
Yeah, this got me to dig out my second, unopened one and play with it, because my first is in the glove box of my car. I had lots of plans for it originally, but the pandemic kind of put the kibosh on almost all of them. It's nice to have, but it turns out I don't use it as much as I expected. Still love it, and am very happy I backed it.
Thanks David. Excellent review and excellent product. Your video underscores the need for storing RFI devices inside some sort of RFI blocking devices, be they wrappers and bags.
Really would love to get my hands on one of these, not for anything malicious but to fulfill the child hood dream of having one remote to do everything like in the TV show Hey Arnold
Haha there's thewandcompany that used to make epic sonic screwdrivers from doctor who, I had one the 10th doctor's universal controller sonic, epic quality and did a lot of trolling with it, I almost got 12th doctor's sonic which is even betterm had an extra functionality of emmiting IR at random to "guess" what signal a TV for example used to shut it down
I personally don't see view as a new threat - people have been attacking door systems etc like this for years. The difference is, now this technology is placed more easily in the hands of everyone instead of it being restricted to power users or hackers. There is a long history in information technology of trying to achieve security through obscurity. Flipper Zero is merely exposing bad design and bad implementation in a viral way where suddenly, people talk about it. There is no magic, it doesn't suddenly break systems that were secure before. But if it makes people aware of the flaws in many tech products and puts pressure on the manufacturers to put some actual effort into the design of their products, I believe that's a good thing.
If you have physical access to the cards you want to emulate, you’re already most of the way to using them anyway. What’s the big deal about an rfid reader?
u can scan someone's else card from their pocket for example. So basically someone can grab your card info when standing behind you in a line in store.
@@sadskalmar6714 not with RFID protected wallet or card case. Yes it's a stealth hack, but it can be prevented. Stop using a "normal" physical wallet
@@JamesPhillipsOfficial exactly the point he made early in the video.
@@JamesPhillipsOfficial If you believe some in the industry, this is rare. And this (internet): "Most credit card chips are not RFID-capable. Today’s chip-embedded credit cards don’t actually transmit any information that could be captured without inserting the card in a reader."
@@sadskalmar6714 yeah, good luck with that. You have to know where the card is exactly, and be able to sneakily get the device in close proximity, while the target is moving. All that without raising suspicion in the target and any bystanders. Furthermore, people usually have multiple cards in their wallet, which usually makes reading them via NFC impossible.
You are NOT reading credit cards, it just reads the UID of the chip. Try using you passport to lock the safe, it's going to work like every other NFC chip. The ID of the chip is always the same and has nothing to do with credit card security or anything similar.
How would you use a passport to lock the safe? Which kinds of passports have NFC or RFID on them? Or do you mean electronic id cards?
@@pimas11 All of them that have the ICAO logo.
Exactly what I am thinking, its simply a software problem. All of the devices with security issues just need to stop checking that the rfid devices has the same ID, as clearly thats not safe anymore, and start checking that the rfid device contains some sort of secret
FYI microcenter has all the parts you need to make your own from scratch (although more bulky)
oh i bet they also have the firmware to make the frankenstein device function too!
What’s the kit called? I just mostly see raspberry pi kits etc
@@sweatyearth7458 You do realize this type of software is primitive right? It can be replicated or just downloaded online.
So fun when everyone and their dog does a flipper zero tutorial and then over night they are being banned from online sales. THANKS SO MUCH FOR THIS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I believe your android phone can do most of the stuff that the flipper zero does. You just need it to have nfc and Bluetooth as hardware +Linux or a custom rom for android with open root.
The remote connection seems like the most unique feature. But otherwise, it's just a handy tool that.
Now someone needs to invent an alarm that goes off if someone is trying to scan your stuff.
Too many false positives maybe?
everything okey homer's alarm. Sounds every second until something is not okey. But it broke easely
Maybe just ask the guy who is pressing up against your leg trying to make contact with your cards WTF he is doing?
@@TheNathanTR fortunately I live in an area where someone pressing up against me better worry more about what’s on me than other than credit cards…
@@gomergomez1984 found the texan
At this point I realize the best place to save important stuff is in the mattress 🙃
This channel is the sole exception where I haven't skipped the promo ads. Your finesse in effortlessly integrating promotional content within your videos is genuinely impressive. Sometimes, it takes a moment to recognize that you're endorsing anything; I commend *sentinel Recover* for your adept execution in this aspect
The copying of cards and stuff was interesting but not that worrying as it seemed like you have to touch the card with the device before it can read it , if it could read cards at a distance away it would be scarier in my opinion
@@pyro23431 contactless payments are limited to a certain value and each RFID payment code is unique for each transaction. Someone who bumps you could maybe steal your 20-50 bucks but that's way better than actually stealing your card.
remember that the next time a waiter walks away with your card.
Buckle up! search for "Pringles can antenna".
Probably only works in the most basic cases, e.g. replaying RFID info since most RFIDs and NFC protecting things like banks cards will have challenge / response mechanisms.
Yep, I almost laughed out loud when he said you might be able to emulate yubikey for 2 factor.
This guy's videos are great, but sometimes you gotta wonder what they think some of this technology they use actually does.
Interesting. There are videos of people using this thing in place of a credit card successfully. I wonder how they are doing it.
@@meateaw He just flops an RFID lock on the table like LOOK guys! I mean come on. flipper nfc/rfid is so limited that besides cloning your mifare tag or nintendo amiibo it's practically worthless
@@meateaw Uh, you should look into the device mate. U2F no big deal.
@@wrongtown exactly, it's a super simple protocol that can't be cloned by copying the NFC because it uses a challenge response mechanism that never shares the private keys.
I think the bigger security risk here is not noticing someone rubbing up against you then following you around.
Yes, but just take it to a local vet. That will take care of it.
@@randomaccessfemale that's doesn't make any sense
@@hummingbird_saltalamakia neuter
David Bombal, I liked this video because it's awesome!
This device i feel could easily be converted or installed into a Android phone i feel to make it less conspicuous. And maybe even expanded upon since it would also be a phone, imagine having kali nethunter and flipper zero run at the same time?
With the non-standard firmware I can capture raw from a car key fob and replay it, but it doesn't actually break the encryption. If you know anything about rolling codes, you know how limited this can be.
It is called a rolling code. Most of radio doors/parkings/car key fobs are impossible to copy, no worries, you are fine.
@@BonBaisers I really wonder how a Yubikey works for this (I would expect publlic/private key)
Man sometimes I think how could anyone do something in a place they're not allowed to be when security cameras are now either decent enough and extremely cheap, very very good and reasonably priced, or expensive but you could zoom in to a detail half a pixel wide at least 130 feet away that was there 8 days ago. But then I see tech like this and understand there's still a balance between offense and defense.
Thanks for all your time and efforts you really do fantastic JOB for the community !!!!
What happens if you have 2 or 3 credit cards stacked together like they would be in a wallet? Would it still read one or all of them, or would it get confused?
You just need an rfid blocking wallet, protects your cards from any hacks
You can select multiple and copy them all. this device seems very useful to have because it just looks like an MP3 player to the unsuspecting eye.
By that i mean less likely to be stolen
@@terminal9660 nobody uses mp3 players anymore
@@paulden3158 Precisely. Nobody would want to steal it due to it not looking enticing
this device is awesome, but i managed to build myself a simpler version with the exact features that i wanted and it was much cheaper and is not restricted (some frequencies got removed from flipper zero). mine costs under 10 bucks and works at least as good as flipper zero (some features are missing of course). thanks for sharing the experience with this device :)
Hi, do you mind sharing details?? I'm a computer engineering major and figure I can put one of these together myself as well.., the only ones I can find online are $300! 😰
@@justinschaaf3092 I am interested as well.
the hardest part was programming the microcontroller. flipper zero made the source code open source but i had to figure out a lot of stuff on my own. building it wasnt too hard. you juat need to buy a 1-1000mhz antenna, a rfid reader and a 2.4 ghz antenna and connect the stuff with a decent enough microcontroller. i bought everything from aliexpress and i think it was just 10 bucks for everything. building it took 3 days and programming took about 3 months (with 1-4 hours a day).
@@multiarray2320 so not cheaper when I make $50/hr
I can just work for a day and buy this
@@AntonioAugusto1010 yeah its more about the fun and education of making it. but now i could easily mass produce it and it would get cheaper than buying it ;)
You can’t open the safe without the original card to copy tho so I feel like the safe is still pretty secure🤣
right ! i thought i was the only one who thought this
Yeah. This thing is a universal remote + rfid reader/writer and emulator. Why the hell is it considered a hacking device at all? 😂
You walk by the dude and read his card in his pocket.
@@GhostSenshi pocket, leather, double leather will not let that happen especially with such a small device the reader aint xray my guy.
/wooosh
Awesome work, *TECH SAFE GUARDIAN* ! It's so satisfying to see you putting in the effort to stop those shady characters. Protecting the public, especially the elderly, from those despicable con artists is crucial. You truly deserve recognition and appreciation for keeping us secure. I'm thrilled for you because you're my sibling. Your accomplishments definitely make you a strong contender for the Nobel Peace Prize. Keep up the outstanding performance!!!!!
I miss my galaxy S6. I could change tv channels at public places that had a TV. Was hilarious watching how confused everyone was 🤣
Lol I think I still got my old one laying around
How could it do this
Would a product like this work with ski passes? It would be cool to use this rather than carry around multiple passes.
I have a rather peculiar question that might be kinda obvious. But if the flipper zero can emulate a card in theory couldn't I use it as a more secure way to store my own personal cards?
I do that already with my iPhone
the flipper doesn't store credit card encryption keys. So, no.
There is no doubt that you will rise fast at the apex of your career *TECH SAFE GUARDIAN* . Because you are a very intelligent, smart, hard worker and your work ethic par excellence. Keep going People like you take the IM out of IMpossible by becoming PRO at tackling PROblems. You Rock!
Is it possible to use the app instead of having the actual physical flipper?
Yes
So if you have access to the key, you can open the lock??? 😱😱😱
Biggest security problem of 2022!!!
This is what i also thought. How is this an security issue?
well you need just 1 sec in contact with the key, then you just have it
Yeah, you've always been able to sit next to someone and easily copy their RFID tag and then use a copy of their key 🙄
@alekos xainas as with most "hacking", it's social engineering that gets you to the keys, but you're mistaken here about buying stuff online; the RFID signal from a card isn't going to contain card data in an easily accessible way, probably hashed and irretrievable
@alekos xainas Say "I don't know what I'm talking about" without saying it:
RDIF Read and Write can be done from your phone..
Some phones support IR but you can purchase cheap devices to Read/Send IR Signals..
I wonder if keeping 2 rfid cards close together would prevent them from being read
Well take two cards and try to pay for something. Won't work.
@@BoraHorzaGobuchul so there is no need for rfid protective wallets, just put 2 cards together. rfid wallet industry hates them for this one simple trick.
HackRF has really taught me a lot about vulnerability of today's devices along with long distant signal testing with a Yagi and location finding of interference signals using 4 antennas and some mixers with LO shifted a few khz on each antenna to get a direction of a signal Fox Hunting RF. It's very handy for testing and can build many things with GNU software to decode signals. Very capable and extensive device. The Dolphin does things a bit quicker and requires less know how which makes it desirable for the lazy ones not wanting to learn how it works🤣 but still handy in a pinch. Hackrf one for the hackrf still needs more options and bugs fixed and it will be more capable in the future.
They really just created watch dogs in real life
time to go back to sticks and stones
Watch dolphins to be exact :D
and not even 5 mins into ur nerds watch dog session it turned into call of duty and ur the one got hunted by cpt price
Just wanted to share how my AirTag smart wallet saved me from an RFID hack. Its built-in RFID-blocking shield protected my cards, and the Find My app on my iPhone helps me locate my wallet.
Could you share an example of how it saved you from such an attack? It would be helpful to hear a specific instance of how the RFID-blocking shield worked for you. Thanks
@@olegj285 sure bro, a few weeks ago, I was at a busy mall and felt a strange sensation in my pocket. After checking my wallet, I realized that someone was trying to scan my credit cards using zero flipper
@@Adamlogen12 Wow, that's crazy! I'm glad your Air Tag smart wallet protected your cards from that kind of attack. By the way, where did you get your AirTag smart wallet? I'm interested in investing in one myself, and I'm curious about where people are finding the best quality
thanks 🙏🏻 found them!
Fuckin bots are unreal anymore. 🤦🏻
It’s literally a Digivice!🤩
Go! Dolphinmon!
That’s one awesome tool, and the fact it’s called flipper with ascii art makes it so much better
The concept is awesome. The dolphin idea is a reference to the cyborg dolphin from a short story of William Gibson, people might recongize the reference from Johnny Mnemonic.
This device is pretty cool and has some amazing capabilities. Regarding the card reader and emulating a cc or key fob - how close do you have to be to the device in order to clone it? As with many vulnerabilities, if you have the original (CC or key fob), why bother cloning? Great video and always a fan of showing people that what you think is safe, probably isn't!
Well I can definitely think about ways for cloning to be useful. For example let's say you visit a hotel, you can grab the opener card and come back week later to pick up anything you wish from the room from the next visitors with your very own key.
@@luimu I absolutely agree that the tool is amazing and has many uses. Hadn't thought of that use case but would hope that hotels encrypt the current guest name with the room number. As always, we security experts can never anticipate all scenarios.
This is kinda scary especially in America where its normal for People to hand their cards to people behind counters
There aren’t any places you give someone a card other than restaurants. Every other place has pin pads
You can't use the flipper to clone credit cards and use them, it just saves the credit card number etc.
@@ch40skappa64 he just showed you can clone the RFID for transactions that require just tapping......🤷♂️
@@RohxAirsoft Try it, at best it will work only one time;)
@@RohxAirsoft Fortunately, that is not how payments work. In the demonstration in this video, the card simply reported its UID to the reader. The problem is that this is all that the safe requires. Smartcards can actually do much more than just report their UID; they can essentially run applications like any other computer and do cryptography, albeit in a much more reduced capacity. In a payment scenario, the terminal and the card would go through some protocol where the card can prove its identity without ever revealing its private key, so that it cannot be cloned.
Thank you, your video is so instructive on security issues and a great tool. Are there other stuff like this ?
Reaally cool device I'd be interested for the original msrp but I also feel like in terms of hacking, it's pretty impractical seeing as you have to intercept most signals in order to duplicate them. Unless the fuzzing functionality allows you to brute force a signal?
What's fuzzy function mean
@@KeyonKey Fuzzing is a type of vulnerability testing in which you throw a bunch of different permuations of inputs to a program or service to see how it responds. In the exploit world it mostly boils down to trying to get a text input in a program to trip up and overflow the memory. They do this by figuring out vulnerabilities in the different functions that get called that work on the text you inputted. if an overflow occurs then the attacker can append "shellcode" to the text which is operating system specific machine code. in the context of fuzzing here I think I meant like brute forcing or running through a bunch of different frequencies on a receiver to see what opens a parking garage gate for example.
99% of us are shielded by anonymity. As a result, RFID emulation to access locks will be a highly specific use case of the gadget. However, I am confident that WIFI and Infrared emulation will be its primary application.
When you are out in the physical world, your identity is plainly visible or easily discovered. If this or a similar tool can read your mobile phone number while copying you key fob, they can catalog the keyfob as related to the phone number. A later online search will give them a short list of addresses that the keyfob can open. A ealk through a street or train will gather a pool of victims and they can choose the most valuable for silent break in the next day.
I've been locking people out of their Tesla's for the past few months it's fucking hilarious
@@yzrippin And then puberty hits
Most tags used for keys are encrypted so this wouldn't work
To be honest I have seen videos of Android phone performing a "skim" of someone's credit card down a elevator, they just used NFC and the right app. So the tech of this device is not new at all, it's just a different form factor
Well this device is not just limited to reading/emulating NFC.
@@BoraHorzaGobuchul Yep it can also speak BT and USB, like any smartphone can do. Older Samsung devices (Galaxy S4 to S6 for example) that are way cheaper than the flipper could even speak IR in case you want to control your grandma's old TV.
@@JanBebendorf It can also read a fairly wide variety of security devices. Your phone can't read or write an iButton, nor can it access the iButton reader. Your phone may only support a limited set of NFC and/or RFID implementations.
The Flipper Zero supports a range of features including the capture and replay of Sub 1 Ghz signals. Please explain how you could get an Android phone to capture and replay Sub-1 GHz signals without a PandwaRF or another device? For example capturing capture car remote signals and replaying those. In the first part of the video I showed some clips about what others have done with the Flipper Zero, but as mentioned I did not show all it's capabilities in this video. See their website for more features such as iButton, GPIO etc
We need more immeasurably wise and compassionate humans like you on this planet. Thank you for sharing *sentinel Recover* , James. I bet I'm not alone when I say this video found me at the perfect moment, and there are a lot of things here that I needed to hear right now.
i do not even want to think how long jail time you would get in my country if you just got caught with a flipper zero on you
Where are you from
bro is from north korea or something
How could that be ilegal? The stuff that he showed can be done with your phone if u want
@@nicolasmfa There is support for some features, such as copying the nfc details of a card, but probably not the “Emulate UID” feature, from my personal experience.
Could someone emulate the emulator with a second Flipper? Like if you're using it legitimately for ease of use, what's stopping someone from stealing all those scripts?
Yes and quite easily too
The ir remote is enough for me . Used to have a watch that would control anything ir it was awesome 👌
Casio CMD 10💪
Same with my old mp3 player funny enough lol. Was great fun switching tv's and aircons off at school back in the day.
this is the best channel you need to do one on security forensics for RUclips videos, movie videos or digital art videos
You received 1 of 3 things from the YubiKey scan.
1 - YubiOTP code (default) ex. ccccccllfvvibdbtbgttdgdrjnvcebdtgfcdrjrunnjf
2 - Static password
3- HOTP code ex. 72345924
FIDO and PIV would be running a challenge over to be signed by a private key on the YubiKey. The Flipper would not have access to the private key.
None of the the OTP codes from NFC scan are time based so they all would be valid. If, however, the user used the next code before you, yours would be invalid (except the password).
Thanks for the video. I was wondering what the all fuss was about this. Seems like the form factor and ease of use in a single package is what it is. I also see that it has some GPIO pins on the top for a few more advance use cases.
Only critique I have is that you shouldn't leave people hanging on YubiKey security. If you mention something like that you should take the time to close it out immediately or not show the content.
Agreed with the Yubikey.
Likewise. TOTP should be safe for the reasons you mention but I’d love to see someone try so we can know for sure.
Thank you so much for the information, this is absolutely insane that a single device can do all these things. And even though it is understood that this video is for demonstration only. What comes into mind is: what bad actor or criminal uses this type of device for malicious purposes, what kind of practices or techniques can be applied to defend ourselves from such a variety of attacks, which are kind of in between the physical and information type of attacks.
One more time, thank you for your work
Thats why in the smplest terms, use RFID blocking devices in cards you DO NOT want to be scanned in a public setting.
And you know what? Your phone can probably do all these things too with the correct software.
Most bad actors already have made a device like this. For example I have an rfid reader from a car parking lot, which can scan straight through the a rfid blocker to a mini pi. Even though it takes time to scan then put the data onto a fake card/transmitter, its super easy to do after its done.
@@engineer0239 Im 90% sure you can do this with a default android phone. You used to be able to rfid scan cards and then save that data in google pay.
It is not insane. It is reality. You only need a few chips to cover all this spectrum. Anyone with minimal motivation can do these same things with freely available consumer electronics. The rfid stuff can likely be done by any cellphone with rfid built in.
The issue is not the device, the issue are the vulnerable products multiple industries have ignored for years. They made devices with no security. The real solution is to add on security with a way for the owner of the car and only them to bypass or authenticate. Adding security without an owner bypass or authentication api just increases the chance that a modder trying to do something legal breaks the security to tinker with his owned property. Comma ai is a good example. They need to plugin to the canbus to add self driving features to different models of cars. Toyota slaps on encryption that the owner of the car has no bypass or authentication method for, so their is an effort to break the security which may help thieves. If car makers ensured owners had a bypass to security, then no one would worry about cracking the encryption and less scrupulous people wouldn't get to reuse legal modder bypasses to steal cars.
Don't expect fixes because device makers won't give owners apis they can use to bypass security. So as they add security to devices, modders will crack it all.