- [David] Let's see how
powerful this Flipper Zero is and what it can do and make you
aware of the vulnerabilities with technologies that we use every day. (rock music plays) Only do this type of thing on products that you own or
have permission to test on. In this case, I own all of these devices so that's why I'm testing them. In this video, I'm
continuing my series talking about the features and
functionality of the Flipper Zero. In a previous video,
which I've linked below I showed you how to clone
key fobs using RFID. In this video, I want to
take it a step further. I want to show you how I can crack locks using the Flipper Zero. So in other words, capture signals and replay them to unlock
various types of locks, show you how to capture
signals from doorbells and replay them. But probably the one that
most people are interested in is how I can capture signals from key fobs and then replay those signals. (R&B music plays) Now there's a well known CVE
relating to Honda vehicles. This CVE-2022-27254 allows hackers to remotely start and unlock Honda Civics
with, in this example, The Register is saying $300. You could actually do
it with a Flipper Zero. You don't have to. In this article from The Register, they talk about how the
researchers were able to capture the unencrypted RF
signals and then do things such as open doors, close doors, and remotely start the vehicle. In this example, they
were using a HackRF One. So in other words, one of these devices. There are many types of devices out there that can be used to capture
signals and replay them. This is one of the most
popular and well known devices. The same kind of thing can
be done with a Flipper Zero. What you can do is use it
to capture the signals. So in this demonstration,
the doors are unlocked, but once the signals are
captured, they can be transmitted to the vehicle and the
car can be opened up. This doesn't work with all vehicle types. A lot of modern vehicles
use rolling codes. So just by capturing a signal doesn't mean that you can replay it. (R&B music plays) In a previous video,
which I've linked below I had a whole discussion with Occupy The Web where we discussed if it's possible to do this type of thing as was demonstrated in
the Mr. Robot TV series.
- [Speaker] What they did
in the show, they're sitting on a, like a porch step, and
a woman is leaving her minivan on the street and she locks
it with her key fob remotely. There's a number of different
strategies for being able to unlock this vehicle. One of them that they may have done, it works in some cases, is you
can simply jam that signal. So somebody goes ahead
and pushes the key fob to lock the door. I can jam it and by jamming
it, the signal's never received by the vehicle and the car never locks. The weakness of that
strategy is that people often will listen for that little beep
that says the car's locked but some people don't. Some people just carelessly
push the button and keep going. But now we can pick up these
signals and transmit signals with very inexpensive
receiver transmitter and then use the computer to be able
to manipulate those signals. Now, one of the things
that's important to note is that whenever you work in radio
signals, any device that is using a part of the
radio spectrum has to be, be registered with the FCC. So if you have a question
about what frequency the device is using, all you
have to do is look at the back of the device and it'll
have an FCC number on it. Look it up. It'll tell you exactly what
frequency it's operating at.
- Often what you're gonna have
to do is block the signals with the rolling code somehow. So block the signal, so that you can capture
it and then send it to the vehicle to unlock
the car as an example. Okay, but in this example,
I'll take a remote and what I'll do is plug
in the Flipper Zero. You don't have to have the
Flipper Zero plugged in. I'm only doing it for
demonstration purposes so that you can see what I'm doing. So I'll go to the menu and in this case I'll go to Sub-Gigahertz and the first thing I'll do
is go to Frequency Analyzer. This will allow me to analyze the signals. So what I'll do is I'll
press the unlock signal on the remote. Here's that again. So you can see it's in the
frequency range, 433 megahertz. I'll lock the vehicle. And there you go. The vehicle is locked. Now to capture the signals, this won't work in my demonstration but researchers have got it
working with Honda vehicles. Here's another example of that. (R&B music plays) I'll go to Read RAW and what I'll do now is
press the unlock button but you'll notice nothing's happening because I'm using the wrong signal range. One of the things you may
have to do is go to Frequency and adjust the frequency to
a range that's very close to the frequency that
you captured originally with the frequency analyzer. You may also have to play
around with the modulation until you get the right
frequency and modulation. So now that I've done that I'm going to press record and
I'm gonna unlock the vehicle. And notice you can see some
spikes where I'm locking or unlocking the car. So you probably don't
want to record that many but you could save that as
an example as let's say car. And just specify the
car that you're going to save the signal as. So as an example, save and you can just press send
to send it to the vehicle. Now, if it was a Honda that
was open to this type of attack the door would be unlocked as an example. So a tip here is whenever you
are doing this type of thing go to Frequency Analyzer
to analyze the signals that were captured. So as an example, if I
capture this doorbell these are not currently
plugged in, but just to show you the signal, you can
see that this is 433.879. When you go to the Read RAW
option as an example config you're gonna wanna make sure that you're using the right range. So 433.92 in this case. And then when I press record, notice I get a nice clear signal. You want to get as
obviously as large a signal as you can and that you
just need to work out based on the frequency and the modulation. Now, if you're driving
another brand of vehicle hopefully it's not open
to the same kind of attack but there are other
vehicles out there that have similar kind of problems
where a replay attack can be used to attack the vehicle.
- [Speaker] And I've
got it centered on 315, the 315 megahertz. The reason I have it centered there is because that's where the key fobs that the car manufacturers make that's where they operate
in the US and Japan. In Europe, I think they use
4, 433.9, but I'm in the US. I'm using a US Japanese key fob (laughs) so it's gonna be probably
in the 315 megahertz range.
- So now let's look at some
of these locks and doorbells and I'll show you how to
capture the signals here and replay them. (R&B music plays) I would be very careful using bike locks such as this one that
support a remote button to unlock the bike lock. This is one of two bike locks
that I've bought from Amazon. Here's another example. I'll test both of them in this video with the Flipper Zero and see
how good they actually are. In this example, this lock is unlocked. I'll lock it by pressing the lock button on the key. Very loud. So I must warn you it's quite
loud, but that's now locked. If I move it, it's gonna set off an alarm but at the moment it's locked. So I can't unlock this. If I press the unlock button I'll be able to unlock the lock. So what I'll do with the Flipper Zero is go to Sub-Gigahertz. This allows me once again to
capture all kinds of signals. Car signals and so forth. I'll go to Frequency Analyzer to make sure that I can get the right signal and I'll press unlock on this button and you can see that the
frequency is 433.859. That's really important because otherwise I don't know
what frequency to capture. I'll go to Read RAW, and at the top here you can
see that the signal is 433. So that's the right signal range. I'm gonna press record and I'll press the button. And I'll press stop. So I've now captured that
signal and I'll save that. Let's call it B10 and I'll save that. I don't have to save that. I could simply send it. So as an example, I'll send it and notice the bike lock
accepted the signal. So what I'll do is, again, it's unlocked. I'll lock it using the remote. That's now locked. I cannot unlock the
bike lock at the moment.
- [Man] Oh, he's stealing! He's stealing.
- You'll notice the alarm went off there because it moved, but what
I'll do is send the signal and notice now I can simply
unlock this bike lock and if I was a bad person,
I could steal your bike. - With great power comes
great responsibility.
- So I'd be very careful trusting locks such as these on my bicycle. It's too easy to grab the
signal from a remote like this and just replay it. In their documentation
here, they talk about how great this is. It supports 256 kinds of passwords. A four digit code can be used
here and all kinds of things but honestly with a Flipper Zero if you can capture the signal,
you can simply unlock it. Okay, so that was the
first bike lock, not great. Okay, here's another one. So this is a motorbike
bicycle anti-theft alarm but let's see how good it is. This thing, I'll warn
you, makes a lot of noise but what I'll do for
the moment is lock it. And then I'll unlock it. Terrible amount of noise. So I'll be deaf by the end of this. Hopefully not. Okay, so once again, go to Frequency Analyzer and
if I press the unlock button I can see it's 433
megahertz, go to Read RAW. It's set to 433 at the moment, so that's great. If someone did press the unlock button and I was recording that
signal, I've now captured it. So what I'll do is save
that as let's say bike two. Okay, so again, you're going
to want to use a better name than that, but that's
fine for this example. So what I'll do here is lock it. If you move it and just
be careful of the noise. (alarm sounds) What I'll do is send the unlock signal. So hopefully that's not gonna go off and notice it doesn't,
even though I'm moving it. I was able to unlock that
alarm with the Flipper Zero. That's always the big if in any kind of real world application. You're going to need to be
able to capture the signal from the remote as an
example, and capture that on your Flipper Zero, and
then be able to send it. You may like those kind of locks. I personally would be careful using them. (R&B music plays) Okay, in this example,
I've got a door chime. So something that you'd have
at your home as an example. Again, on the Flipper Zero,
we can capture those signals. So I'll go to Sub-Gigahertz and I'll go to Frequency Analyzer. You don't have to use
the Frequency Analyzer if you know what range to use. (doorbell rings) This just shows us the range of signal used. In the UK as an example, we often have to use a range
in the 800s rather than 433. But what I'll do in this
example is I'll go to Read RAW and I'll record. (doorbell rings) And I'll stop that and let's send that. (doorbell rings) And you'll notice as soon as I press send. (doorbell rings) That rings. So you could drive your neighbor crazy if you went to their door as an example and I'm not recommending that you do this and you press this
button, capture the signal and then you walk away
and constantly, you know, ring the doorbell. Not a good idea, but that is a weakness as an example in doorbells like this. Here's another one and same thing, really.
- [Narrator] One frequency analyzer later.
- Record. (doorbell rings) I've saved that, so I
won't touch the button. I'll just press it on the Flipper Zero. (doorbell rings) And again, you can see (doorbell rings) that's working. Simple as that to capture
signals from a door chime. They don't have rolling codes so very easy to capture it and resend it. (R&B music plays) Okay, here's another device. This is an alarm system. Once again, all I'm gonna
do is go to Sub-Gigahertz and I'll go to Frequency Analyzer. And as an example, I'll
press the unlock button. You can see this is in the
frequency range 868.309. So it's a different frequency range to the default on the Flipper Zero. So when I go to Read RAW, I'm
gonna go to config and this I'm gonna have to change up to 868. And then again, I might
have to play around with the modulation to
get the right modulation. But if I press record, notice there's the signal
from the alarm system and that would allow me
to turn off the alarm. Now, in my tests of this, this
is also using a rolling code. So you can't just simply replay it. What you'd have to do is block the signal and somehow capture it and then replay it to
unlock the alarm system. But if you've managed to
do that, you could simply press send to send the
code to unlock the alarm. But in my tests, this didn't work. Okay, I hope you learned something. I hope you are enjoying these videos that I'm creating about the Flipper Zero. I've had a lot of comments on some of the videos saying that
it's not that powerful but hopefully I'm showing you some of the other features
available with the Flipper Zero. One of the comments was it's too obvious to have an
orange device such as this but notice that's just a
cover on the Flipper Zero. This is a nice little device that can fit into your pocket, but
it's not the only device out there that can capture
signals and replay them. As mentioned, one of the devices
that's been really popular over the years is a HackRF One. So there are other devices out there and if you wanna learn more
details about car hacking have a look at my video below where I interview Occupy The Web and we go through a lot of this
in a lot, a lot more detail. I just wanna show you some of the possibilities
with the Flipper Zero. Now let me know if there
are any other options you're interested in learning about. I haven't covered everything. I still wanna cover GPIO,
and I wanna show you how to hack Wi-Fi networks
using the Flipper Zero. I haven't shown you iButton but here's some B-roll showing
you an example of that. (R&B music plays) I've also not shown you
two-factor authentication. I'll show you that in a separate video. Let me know if there are
any other applications or questions that you have about this device and
I'll try and answer them. Now, if you enjoyed this video, as always, please like it. Please consider subscribing
to my YouTube channel and clicking on the bell
to get notifications. I'm David Bombal and I wanna
wish you all the very best. (rock music plays)