Featured image of post Flip the World
Computing

Flip the World

You mean that Dolphin from TV?

Yeah, something like that. Except he’s a cyborg / anime character that lives on a little oddly shaped toy like a Tamogachi, but more devious. So what’s this thing about anyway? Well, I’ve had mine now for a few weeks and I can say it’s simultaneously a toy and a serious tool at the same time. Let’s take a dive into what I’ve figured out what to do with this thing so far.

Sub-GHz

Screenshot from the qFlipper app, looking at the frequency analyzer

So by far the most compelling use case for this tool is the Sub-GHz antenna it ships with. If you’re not aware, the sub gigahertz frequency range is used for a whole host of remote control systems, and it’s one of the things you won’t get from other computing devices you might own like a laptop or phone. These devices typically have WiFi, Bluetooth, NFC, and cell antennas but nothing that can intercept and replay signals from things like…

Garage door openers

Yes, your garage door might be vulnerable. Yes, the Flipper can copy and replay those signals quite easily. But don’t get too worried just yet. Most modern doors will use a set of pseudorandom numbers called rolling codes to control whether you can open the door. These rolling codes are synced between the remote and the opener and there’s no way (that I know of) to predict what the next code will be. This makes many modern devices immune to replay attacks. But… not all garage doors are modern. Mine, for example, is definitely not.

You can see how this 9 bit garage door opener could easily be cracked. This amounts to only 512 possible code combinations… Yikes.

The Flipper made short work of this device. Now I have both garage door codes captured and ready to replay any time I want. This attack did not require anything but brief access to the device in question. I didn’t need to know the dip switch positions so I’ll give this attack a 7/10: easy to pull off, requires some level of access to the device.

There are some other bruteforce scripts that ship with custom firmware for the Flipper that, on principle should work. So far I’ve not had luck, but I’m assuming this is mostly due to the fact that I don’t have the right hardware to bang my head against.

Of course now I’m curious. I got it to work with my first remote. What else can I use it with?

Car key fobs

Nope. Sorry. This one has so far been a bust. I’ve tried, trust me. I’ve even tried going out of range of my car, pressing the button and capturing the signal in RAW mode, then trying to replay it next to my car when back in range. No luck. Also, if you do this wrong, you can break your remote and that might require reprogramming (or so goes the rumor, I’ve not confirmed this). Annoying and expensive. So your car is safe against your average script kiddie with a Flipper.

Trying to capture and replay my car’s key fob signal was not successful

I’ve not totally given up on this endeavor though. At some point I would like to see if I can program my car to legitimately respond to the Flipper. Even if I can’t use a replay attack against it, I think it would be useful. So far though, this is a 0/10: doesn’t really work except under special, very limited conditions, and even then I’ve not been successful.

ADA accessibility doors

This one was fun. So apparently, those push button ADA door openers are sometimes not hardwired. I’m going to assume they do this for a few reasons, the main one being ease of installation. Also, I could see where someone with very limited mobility might benefit from being able to trigger those doors automatically without having to push the button, so maybe that’s another motivation? I couldn’t find a definitive answer on this.

Many of these use radio frequencies to trigger. Image Credit: George Morina via Pexels.

What I did discover though is you can easily capture and replay the signal. I had a ton of fun with this one. My kids also get a kick out of remotely triggering doors like high tech wizards. “Open sesame!”

It did occur to me that this might have some implications for accessing buildings if the interior button overrides the lock mechanism. Sure enough I found a situation where this exact thing can happen. One of the buildings where I work is locked after hours, but has ADA push button doors. Out of curiosity, I captured the signal from the interior push button and tested it against the door from the outside. And, yeah, it worked. You can effectively “push the door open from the inside” using the Flipper. This is one of the more interesting use cases as it would allow you to access a normally public building after hours in certain circumstances. I’ve not seen another example in the wild, but I’ll be on the lookout.

This one I would give a 5/10: super easy to pull off, but it doesn’t really grant you any additional access you wouldn’t already have except when improperly installed.

Tesla charging ports

Another fun one. I found the sub files online that open many Tesla charging port doors. This would be more exciting if you could charge your own devices from the unlocked charging door, but as far as I know, this is just a silly prank. And not even that good of one either. I believe the doors close automatically after a few minutes, so it’s unlikely the owner would even notice. That hasn’t stopped me from prowling crowded parking lots in search of Teslas. Now if only I could figure out a way to control Tesla’s current owner with a Flipper…

The worlds richest Nazi, sitting on a boat. Despite working on his cars, this douchebag’s Neuralink unfortunately doesn’t operate on Sub-Ghz frequencies so triggering an aneurysm remotely isn’t possible. Yet.

I give this one a 4/10: you don’t even need to capture the signal yourself as they are all the same and published online, but otherwise just a fun little trick and not all that useful.

Customer needs assistance in the (??) department

This one was, err, a little too effective. I found a .sub (this is the file extension for captured Sub-GHz signals) file online that was tantalizingly named “Walgreens Chaos”. That’s like labelling a big red button with the words “DO NOT PRESS”. I do not possess the capacity to fight those intrusive thoughts. So really, I can’t be held responsible for the inevitable chaos that ensued. And it did live up to its name.

The story as I choose to tell it goes a little like this: I walked into Walgreens, looking sketchy I’m sure. Browse the aisles for a moment, then open up Flipper –> Emulate! Shortly after, the first “Customer needs assistance in the ??? aisle” alert chimes in over the intercom. I was pretty surprised at this point because none of the .sub files I’ve found online had worked before. Neat! But then, another chime. And another. And another… The employees were getting flustered, talking about how “we don’t even have that section”. By this point, panic had set in so I cancelled the command. Phew!

Little did I know, the “chaos” command had literally fired off dozens of intercom requests and the intercom doesn’t want anyone’s request to go unanswered so it queued all of them up to play in sequence. One at a time. For several minutes straight. At this point it had become clear that this was NOT a good idea. Time to leave. I bought a pack of gum and made a direct line for the exit. Being one of maybe 2 other people in the store, it wouldn’t take a rocket surgeon to figure out I probably had something to do with the customer assistance button meltdown. Moral of the story: don’t do that.

I’m conflicted about the rating I want to give this little exploit. On one hand, it was easy, and if I was trying to be a real pain in the ass, this is a quick and dirty way to do that. That said, I have the utmost respect for people who work in retail and deal with shitty customers day in and day out. I don’t want to be part of that problem so on principle, this one should get a 0/10 for screwing with people at work, but a 8/10 for being incredibly effective, disruptive, and easy to execute.

Signal jamming

I wouldn’t know anything about this because it’s ILLEGAL so I definitely didn’t try it. But if I did try it, in my own home, on my own devices, I would probably report that with the right .sub files, you could allegedly jam signals by spamming a bunch of noise on that frequency band. But since I don’t want a visit from the FCC, I did not do any of the things that I just described. The biggest benefit of this attack vs other attacks is jamming a signal is a physical process. No encryption scheme or rolling code can save you from just physically overwhelming the receiver with garbage. And because you could potentially block important signals like car key fobs lock signals or gate close signals, you could potentially use this to gain access to places you otherwise wouldn’t be able to go.

Don’t do this, yeah? Like, really.

I give this one a 5/10 assuming I had tried this attack, which I didn’t for the record, I probably would have found it to be very easy to execute, and in the right situation it could be very effective

NFC and RFID

OK, enough of that. Time for something a little less noisy. I was a little confused at first about the difference between RFID and NFC. As it turns out, NFC is a subset of RFID. It works at much shorter range and at the specific frequency 13.56MHz. RFID on the other hand is a more broad category that can operate at longer ranges and across a different spectrum of frequencies. For my purposes, they’re essentially interchangeable and I’m not going to differentiate.

Badge cloning

This was the first exploit that truly shocked me. Not only did it work, but it was fast. It was easy. It took very little actual effort on my part aside from a quick Google search to find out what app I needed (PicoPass if you’re wondering). Once I installed it, I tapped my badge and almost immediately it was stored on my Flipper’s SD card. My first thought was “no way that worked”, but come Monday morning, I was able to waltz right into my office with the Flipper, no problem.

Yikes.

So, I did what any responsible person would do and I immediately brought it to my head of security and demonstrated how disturbingly easy it was to just bump into someone and clone their badge. Thankfully our physical security people are aware of this issue and are actively working to replace readers with ones that support encrypted cards.

I give this attack a 9/10: easy to do, limited knowledge required, and quick enough to use covertly with very low effort social engineering. I recently started carrying a man purse, or EDC bag (whichever you prefer), and it would be trivial to put my Flipper in an outside pocket and casually bump into someone in the hallway or in a crowded elevator. The Flipper conveniently can be controlled with Bluetooth so you can watch in real time to see if the badge was successfully cloned or if you need to try again. The only thing that would make this worse is if you could forge the contents of the card to elevate your access. For ethical reasons, and because I’ve not gotten approval from my security folks, I’m probably not going to try this one either. Probably.

Credit cards?!

No. You thought about it though, right? Yeah, same. You can read the card contents all you want, but you won’t be using it to make transactions. The card data you can read via NFC is pretty interesting in some cases though. You can capture the card number and expiration date as well as recent transactions (which was very unexpected). This is all well and good, but then what? You need the CVV and/or the zip code to do anything useful. Not that this isn’t a big concern, but it’s not exactly as easy as brushing past someone and stealing their credit card information. One other thing to note, even with direct, prolonged access to a wallet, if there’s more than 1 card with NFC, you can forget capturing data reliably.

I could not read this card despite not having an RFID blocking wallet. Any interference from other cards made it next to impossible to read.

And any wallet that blocks RFID/NFC will pretty reliably keep your CC safe. 2/10: neat, but not very useful and the extremely limited range and reading ability would make just taking a picture of the card with your phone more reliable

Hotel keys

Yes, you can. Although it took significantly longer than reading and cloning my badge, which was surprising. There are some interesting details on these cards though that give a tantalizing look into what could be possible with the right know-how. For example, did you know the deadbolt is controlled by a key card? I didn’t.

Override deadbolt!?!

Also interesting with the cloning operation, you actually have to crack the encryption on the card. This process took close to 5 minutes on the Flipper, so you’re probably going to need more than a quick elevator bump to steal someone else’s card. Maybe a prolonged hug? Doubtful.

This cracking process took a while

So I would just leave it here as a 6/10: possible to clone, but requires prolonged access and isn’t easily pulled off in the wild without direct access to a card. But then I found this article. The details of this attack are not public, but it has been proven that you can clone even an expired card from the express checkout box, rewrite the data to make a master key for the entire hotel, and use it to get anywhere you want with impunity. That’s a full blown 11/10 if you could ever figure out how to do it yourself (update from the future, this may not be as difficult as I thought). Fortunately for hotel goers, the people who discovered this vulnerability have responsibly disclosed it to the vendor and many hotels have begun patching their systems to address it.

So for now at least, the Flipper isn’t going to let your averange script kiddie like me into your room in the middle of the night. But maybe don’t just rely on the deadbolt to save you. And those little chains/bars have been shown to be trivial to override. Maybe a simple door stop or chair against the doorknob trick will do?

Update from the future: I did manage to figure out how to modify the keycard data for Saflok systems, which is terrifying because I harbor no illusions about being some kind of brilliant hacker. So if I can make it as far as I did with a little head scratching and some python code… that’s bad news for hotel security.

Animal tags

Not much to say about this one. You can’t remote control your dog with it, but you can read their RFID tag. My dog was very suspicious of Flipper.

No, you may not eat the Flipper.

1/10: my dog still shits on the floor even after being reprogrammed with Flipper.

Misc

Infrared

Yes, the Flipper comes with an IR sensor and transmitter. You can use it like the ultimate universal remote. How useful is this? Well, you can cause low level mischief turning off menu boards at Popeye’s Chicken, or turning off those annoying infomercials and drug commercials on repeat in doctor/dentist’s offices. You can copy your own remotes too just by replaying the captured signals. Neat. But not that useful. I’ll give this one a 2/10: more convenient than carrying a full size universal remote in your pocket.

U2F

You can use your flipper as a hardware token for your second factor when logging into web apps. This is a nice feature, in my opinion. One of the selling points of the Flipper is that it’s a “multitool for geeks”, and being able to use it this way does add to the already good sized list of reasons to carry it around.

Games

Before you ask, yes, you can run Doom on it. You can buy a game module for it, but I can’t for the life of me figure out why you would waste you money on one. Woo hoo, I can play 2048 on a TV with an HDMI cable. Great. Save your money and buy literally anything else.

WiFi dev board

I thought about getting one of these, but I’ve come to the conclusion that it’s not worth the money either. First of all, it only works with 2.4ghz signals. There’s still plenty of them floating around, but that’s a big limitation. Not only that, but the toolset is very limited compared to something like Kali. And as it turns out, I have a Raspberry Pi 3B laying around, some high gain Alfa Networks USB wireless cards, and a handheld keyboard laying around that could easily be retrofitted into a frankenstein cyberdeck Kali setup. I also have an old Motorola G7 (I think?) that can be used as a Kali mobile device. Either way I think these are better options than strapping an ESP32 board to the GPIO pins of my Flipper. This cyberdeck deal I’m working on could easily interface with the Flipper via Bluetooth or directly via USB. With some 3D printed parts and a battery pack, I’ll have a ridiculous handheld haxxor device that will definitely not look suspicious at all at Starbucks. Look for a future article on this build. I’m sure it will be fun.

Conclusions

I didn’t set out to write a review, but as I look back over this post, it reads that way so let’s lean into it.

After a month of owning my Flipper, do I think it’s worth it? Yeah, I think in the end I’m happy with my decision to blow some of my hard earned cash on this thing. I would say that if you’re just buying it because you think it’s going to open doors at the push of a button and you’re going to strut into high security areas unimpeded, you’re going to be sorely disappointed. It is a tool, but it isn’t magic. And in a lot of the cases where you might be able to use the Flipper to gain elevated access, you could have just as easily used a much simpler technique.

Take the badge cloning as an example. A ladder and a clipboard could get you through just as many doors if you’re personable enough. Most people don’t question your motives when you look like you belong, and people like to be helpful, including holding doors for encumbered strangers. At my office I realised the other day that the lock core in one of the exterior doors is missing, which means you can literally open it with a screwdriver. Technology is cool, but it’s not always the best solution. Deviant Ollam said in one of his talks that I’ll never forget – “[lockpicking] is like the 9th thing on the list of stuff we try to get into buildings”. This is true of digital security as well. Yeah, patch your webservers, watch out for vulnerable applications, but don’t forget that it’s almost always easier to just ask the user for their password. The simplest, most straightforward way to get into something is just take advantage of the weakest link: people.

I’ve had plenty of fun just tinkering and thinking about what I could try next. And that feeling of discovery when you do finally manage to get it working with some device or access system is really hard to beat. If you’re like me and you enjoy a little casual mischief and don’t mind shelling out a couple bucks to gain access to a hidden realm of mischief you may not have even known about before, it’s probably a good investment for you.

© 2025 Gizmonicus Blog by Will T. is licensed under CC BY-NC-SA 4.0
v1.4.2
Built with Hugo
Theme Stack designed by Jimmy