Is it safe to use RFID keys for your home?

I was about to get a “Doorbird” Video Door Station with RFID for door opening.
Long story short, my research got me to Flipper Zero.

How safe is it? In the media you see a lot of car thefts where an antenna is used to grab the keyless-go data from behind a door. Could someone grab the data from a key fob in the same way?
Can Flipper copy every key fob?

Thanks

2 Likes

These are two different kinds of attack.

The first you mention is to extend the range. You need one person on one side, near the fob. If the fob is in range, the signal needs to be converted into something you can send over another medium, and the second person at your door replays the captured signal. Works even with bidirectional communication, if the medium used to transfer it is fast enough.
No, the Flipper Zero is not capable of this kind of attack.

The second one is to clone the key. The advantage is that it is independent from the owner, if you’ve had access once. But the details depend on different factors.
If the door is just checking the UID … Very easy to get in with the Flipper.
If the door is asking for the sectors from the card/fob, the Flipper needs to know the keys … A little more effort is needed.
If the card/fob is speaking some kind of proprietary variation of NFC or RFID, the Flipper may not be the right tool to analyse it. There are some devices like the Proxmark3, Chameleon, HydraNFC, that could be more suitable.

Just in general, without any knowledge of the Doorbird system in detail.

2 Likes

And because I’ve written this from memory on the road, here are some further details:

Card cloning - Copy the card. Possible with the FZ under special circumstances. See above. Depends very much on the RFID card/fob itself.
Eavesdropping - Sniffing the communication between reader and card. The FZ is not made for this action. Mainly because the FZ is converting the signal into 0s and 1s, so there is not really a RAW signal.
Replay attacks - Capture the signal from the card, and replay it when needed. To do this you need to know what the reader will send to the card, and the FZ needs to act as a reader. Not its strong suit.
Relay attacks - The first mentioned attack vector. Not impossible, but hard to realize with two Flippers.
Denial of service - Just use the sledgehammer. Maybe the MCU in the FZ is fast enough to overload the buffer of a reader. I haven’t read of this in the wild so far.

But what is not included today could be available soon. The development is still ongoing. Lately I’ve read the NFC-V UID can be read: [FL-2182] NFC-V UID show fix by gornekich · Pull Request #955 · flipperdevices/flipperzero-firmware · GitHub
Now I’m missing just NFC-F and Legic. Although the second one seems to be very proprietary.

2 Likes

BTW, I’ve read a detailed analysis (slides). It was proprietary - but just like Crypto1, which is already here.

2 Likes

Nice to know. Thanks a lot for this information.
My Legic fob is still unreadable, as if it doesn’t exist, with the newest firmware.

1 Like

Yeah, not yet in Flipper.

1 Like

An RFID lock is about the same as a cheap keyed lock in my opinion. Let’s compare.

Non targeted attacks.
I could probably open your current lock with a lock pick very easily. Attacking a lock with RFID is a similar risk factor. To open your current keyed lock I would use a raking attack which, put in simple terms, simulates many different key combinations. To open an RFID lock I would use an RFID fuzzer app with the Flipper. That is the equivalent of raking.

With a keyed lock you would use anti-bump springs and security pins. The equivalent to protect a wireless lock would be using NFC or Bluetooth instead of RFID. Some NFC tech is better than others though.

Next let’s look at targeted attacks.
If I were targeting you specifically I would take a picture of your key to bypass a keyed lock. The protection against this is not leaving your key out and possibly getting a lock such as the Everest or Mul-T-Pick (me showing off my skills) that is hard to copy. With RFID I would copy your RFID fob or card. The protection here is RF-blocking wallets and not leaving the fob/card out.

Summary
Would anybody actually do this? It’s extremely rare that anyone would pick your lock. It’s just as unlikely someone would copy your fob or fuzz your lock. If you are in the US chances are pretty good you have a window near your door and a thumb turn inside. Most criminals will break the window, reach in, and unlock the lock. You have the same problem with an electronic lock. Alternately they just bust the door in.

Suggestions
For security I use an alarm and a dog to alert me. If you didn’t pay a lot of money for your mechanical lock, you don’t have bars on your windows, you aren’t a target of domestic violence/stalking, you aren’t a celebrity or otherwise important person that may be targeted, RFID may be acceptable. I prefer a lock that accepts Bluetooth or NFC though. It’s not going to be more expensive for a Bluetooth based lock. If you are a person that might be targeted for some reason don’t use RFID.

If you do have any reason to think you are being stalked or were a victim of domestic violence I can make some security recommendations.

2 Likes

Thanks guys for your thoughts and the information! Much appreciated!

1 Like

There are secure ways of implementing the use of RFID, especially with the new DESFire cards and using incremental fields on the cards, so you kind of keep count/track of how often a badge is used, and if that value does not match it does not let you in with an old copy. But those proximity cards and MIFARE 1K-4K cards, even with some additional security, are way too easy to clone if that is your biggest security concern.

1 Like
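As an added illustration (not code from the thread or from Doorbird), here is a toy model of the two reader policies discussed above: the UID-only check from the second reply, which a copied card passes, and the on-card incrementing counter from the last post, which rejects a copy whose stored value has fallen behind. UIDs, counter values and the `Door`/`Tag` classes are constructed for the example.

```python
"""Toy door controller: UID-only check vs. monotonic use-counter check.
Added example; all identifiers and sample values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Tag:
    uid: bytes
    counter: int  # the on-card incrementing field the last post describes


@dataclass
class Door:
    enrolled: set = field(default_factory=set)     # UIDs allowed in
    last_seen: dict = field(default_factory=dict)  # uid -> highest counter accepted

    def check_uid_only(self, tag: Tag) -> bool:
        # Policy (a): the reader compares the UID and nothing else.
        # A copy carrying the same UID is indistinguishable from the original.
        return tag.uid in self.enrolled

    def check_with_counter(self, tag: Tag) -> bool:
        # Policy (b): accept only if the card's counter is strictly greater
        # than the last value this door accepted for that UID, then remember it.
        if tag.uid not in self.enrolled:
            return False
        if tag.counter <= self.last_seen.get(tag.uid, -1):
            return False  # stale value: an old copy or a replayed read
        self.last_seen[tag.uid] = tag.counter
        return True


def present(door: Door, tag: Tag) -> bool:
    """Genuine use: the door runs the counter check and the card's field is incremented."""
    ok = door.check_with_counter(tag)
    if ok:
        tag.counter += 1
    return ok


def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed sample UID
    real = Tag(uid, counter=0)
    door = Door(enrolled={uid})
    present(door, real)                     # first genuine use
    clone = Tag(real.uid, real.counter)     # snapshot of the card taken at this point
    present(door, real)                     # owner keeps using the badge; copy is now stale
    return {
        "uid_only_accepts_clone": door.check_uid_only(clone),
        "counter_accepts_clone": door.check_with_counter(clone),
        "counter_accepts_real": present(door, real),
    }
```

A copy presented before the genuine card's next use would still pass once, after which the genuine card would be refused; that mismatch is the signal the last post refers to, and real DESFire deployments also protect such a field with per-application keys so it cannot be read or written without them.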