Ex Russian hacker: problems with FBI, Flipper Zero, carjacking
KnightPentest: Hi everyone! Our best Russian specialist decided to share his experience:
1. Experience of using Flipper Zero
2. How can this toy harm you at university?
3. Chinese car industry VS Flipper Zero. All Chinese cars are unlockable.
And much more, read it here. This article is written especially for the best information security blog, @mirea on Telegram.
https://t.me/mirea, subscribe. All the Russians here are the best specialists, the whole gang.
I make up aliases for our hackers myself. Let's call him Conti_niy.
Interview with Conti_niy
KnightPentest: Hi, tell me what you're doing at the moment.
Conti_niy: I'm playing with the Flipper again) I learned how to catch rolling codes of alarms. Now I can open 90% of cars)
upd: https://xakep.ru/2015/08/07/rolljam/ (about rolling codes)
KnightPentest: I want to try it too. Where do I start?
Conti_niy: You open GitHub, the Unleashed firmware, and start looking for a branch about rolling codes. Everything is written there. But the idea is rather to update the Sub-GHz software, because the stock one can't decode the signal correctly.
KnightPentest: This is all good) But where can I practice so as not to break the law? I don't have a personal cyber range of cars like you. How do I not break the law?
Conti_niy: Purely technically, it is possible to open other people's cars, the main thing is not to get in) so as not to become a party to a crime).
KnightPentest: Were you able to lock the cars back up?
Conti_niy: Yes, the whole key got recorded.
KnightPentest: What kind of cars were they? Chinese?
Conti_niy: Various, there's a decent selection. Not all the Germans open. An Audi A7 did not open on the stock signal. Some old Magicar alarm also did not open, although there seem to be no rolling codes and you can just send BinRAW and it opens. The Chinese ones all open, but not all of them will drive away afterwards. I saw a ground cut-off on a Haval that trips if there's no tag in the cabin.
KnightPentest: At what distance from the Chinese car do you need to be to read the key and everything else?
Conti_niy: Without an antenna you need to stand close) 3-5 meters maximum. With an antenna, if there is no interference, 100-120 meters. But that seems to be the most powerful antenna for the Flipper. I have a short one somewhere, it's for 50 meters. It costs $12; the antenna for 100-200 meters, I think.
KnightPentest: Cool. And how do you figure out which Chinese car you caught, if there are 10 identical cars in a row next to each other?
Conti_niy: Well, you can visually see which car you caught the key from. And anyway, you can't steal it) Well, most of them) Like, disarming doesn't mean starting) But right now I'm wondering if you can snatch the radio signal for keyless access) I know that a "fishing rod" can relay the key signal to unlock, but it's difficult to do.
KnightPentest: You've already got a list of cars that open. It doesn't matter if they start or not, the main thing is that they open. Which Chinese one is the easiest to break into in a few steps?
Conti_niy: They're almost all unprotected. You know where they fiddled with it a bit? On Zeekr. HiPhi. In the relatively expensive segment. Changans and Havals open up and get stolen. And it's not about the Flipper, it's about the security gap. Take the Toyota Land Cruiser 300: even if you open it, no way you'll steal it) Well, and here, by the way, yes. You can't write a key from a Cruiser.
KnightPentest: How many steps does it take to break the simplest damn thing? Will just reading the article and repeating it open it? Timewise, roughly how long does one car take you if you already know what to do?
Conti_niy: So you're just catching the key signal. Like, you get the signal, you open the car. It's just that code grabbers have always existed) And they just put code grabber software into the Flipper.
KnightPentest: It's like a reverse shell, basically. You turn on the listener and wait for the victim to take an action.
Conti_niy: I'll let you in on a secret) for the last 10 years cars have been stolen exactly this way) Now it's rare to open one the dirty way, when they break something) Why bother with all that if you can transmit the signal from the owner's key by radio.
KnightPentest: And has anyone managed to successfully steal one and get away with it?
Conti_niy: I think so. Look on YouTube for "угона нет". Of course they don't say much technically, but they do talk) Like how this or that gets stolen) and how to protect the car. There won't be a lot of technical information, but in general it will at least be clear how they steal nowadays.
F0 Private Firmware support list:
ALUTECH / АлюТех (AT-4N + New 2024 all);
AnSonic;
BeTT;
BinRAW;
CAME Atomo (Secure PRO+);
CAME 8/12/16/24 bits (all + new);
CAME TWee + TWin (+ new all);
CFM (diff. algos);
Chamberlain (diff. new and worldwide MULTIBAND protocols);
Clemsa / MutanCODE;
DoItRand (systems co. inc.);
DooYA systems;
FAAC SLH / SPA (Secure with SEED 64bit custom 2024 encryption with new V_4.0 original protocol);
GateTX;
HOLTEK (HT12X);
HoneyWell WDB systems;
Hormann;
iDo (x24);
InterTechno v.3;
KeeLoq / KeyLog (common + ALL*);
KIA + Hyundai AM + FM;
Subaru;
KingGates (Stylo, 4K);
Linear (code delta, v.3);
Linear (common);
Magellan;
Marantec;
MegaCode;
Nero Radio;
Nero Sketch;
Nice Flo 12/24;
Nice Flor-S + One (secured + new 2024 models 52-72bit)
PhoeniX (+v.2);
PowerSmart;
Princeton (all TE + bits);
Scher-Khan (detect and decode only for current version);
SecurityPlus+ (v.1 + v.2);
SMC-5326 (variety of remotes);
Somfy (KeyTis + TeliS);
StarLine (diff. + all*);
TANTOS (in beta test currently*);
Derrow;
d700 unit (v.1);
EcoSTAR (RSC2/RSE2/RSZ);
Genie (+custom, beta test now*);
GLA CU X2;
GLA CU X3 R5 (in beta test now*);
Model_7E_custom (beta test now*);
IL-100 (+new systems);
Iron Logic (+new systems);
SEA (+new systems);
Came Space;
GiBiDi;
Beninca (variety of modes);
MutanCode;
BFT;
Sommer (+fsk476);
AllMatic;
EcoStar_dop;
Sommer_dop;
Comunello (+new systems);
Elmes (Poland);
FAAC (+ RC / XT systems);
Genius (+ Echo / Bravo systems);
GSN systems;
JCM tech. systems;
Jolly Motors systems;
Normstahl + Entrematic (+ new systems);
DTM + Neo;
Beninca/Almatic dop.
NICE SmilO + new;
NICE mHouse + new;
Dea + MIO systems;
NOVOferm systems;
ApriMatic TR new+;
DooRHan;
Alligator D-950;
Stillmatic;
Schellenberg;
MonGoose;
SL A6-A9 + Tomahawk 9010;
Pantera CL 3T;
A2-A4 KGB-TFX-5 systems;
CenMax ST-5 systems;
SL b6-b9 dop;
Harpoon;
Tomahawk TZ 9030;
TomaHawk zx-35;
CenMax ST-7 systems;
SheriFF;
GUARD (+ RF 311A systems);
Partisan RX;
APS 1100 + 2550;
Pantera XS + CLK;
JAGUAR;
APS 2800;
CenMax A-900 systems;
CFM-4 Alligator (S-275 systems);
CenMax ST-5 dop;
LeoPard systems;
PharaON systems;
ReFF systems;
FLOR KL+ systems;
Ford, Honda - soon;
And 300+ yet untested / in beta test
This is what it can open/record from the radio.
KnightPentest: What if I have a Chinese car? How do I protect myself from the Flipper?
Conti_niy: Install an immobilizer tag that cuts the ground circuit.
KnightPentest: Have you checked anything on this list yet?
Conti_niy: Come on, stop, I've seen maybe 10% of this list in my life) Tested a few things) Pandora and StarLine definitely get owned. And these are the most popular in Russia. + there are also all kinds of barrier gates and everything else that works over radio. SheriFF, for example, is from security sensors in general, you know) Like the stuff that can report to the security desk in a building.
KnightPentest: What can't be bought freely for a Flipper (to attack) or for a car (to defend)? Have you run into trouble, say, finding the right antenna or something like that?
Conti_niy: Everything is on sale. What isn't available you can make on your knee.
All the schematics are public, you just need to know how to hold a soldering iron.
KnightPentest: Seriously, if I go up to someone else's Chinese car without permission and open it with the Flipper, haven't I broken the law?
Conti_niy: You have. But if you stay out of it and close it afterward, and do it all for sport, you're not going to get screwed. There's no felony. Forget it, I went to the local FBI and BLE-spammed; they tried to screw us, they couldn't, we were already overseas. They were pissed off at the nerve of it.) Of the really nasty things you can make out of a Flipper and get in trouble for: a jammer. But it will be difficult to make) because there are basically no schematics on the Internet.
KnightPentest: BLE spam: previously Bluetooth-connected devices on an attacked smartphone or PC, such as mice and keyboards, may stop responding during the spam. Doesn't that get you in trouble?
Conti_niy: No, you didn't steal anything. It's not your problem that they are visible to others. It's like free WiFi) Well, in the government they don't use such keyboards and mice) At least in the FBI I haven't seen them once) only in hospitals is there such luxury.
KnightPentest: Tell me, how did you meet the Feds?
Conti_niy: How did we meet? They broke my door down. And me a little. But that was a long time ago. And it's not true:))))
KnightPentest: Is it worth buying a Flipper Zero in 2024?
Conti_niy: I think there's already something better than the Flipper. HackRF 101 and 102.
KnightPentest: Well, with the Flipper you can at least help me in trivial moments. And with this damn thing, who knows.
Conti_niy: I can't even help myself, let alone you) For a month I haven't been able to open a damn intercom) well, I'm just too lazy to read what's wrong with it. But by pure chance it won't happen) Either I go read what 1s and 0s to send, or I never open this damn Metakom).
KnightPentest: Ahahahahahahaha. I'm cooler than you on this one, by the way. I opened the intercom at PHDays: I had to press 3 worn-out buttons at the same time.
Conti_niy: Yeah, yeah) and I'm trying to generate a master key for RFID. Well, the stock methods don't really work there, because it's part of the ACS and probably configured somehow, so I can't brute force it, it just doesn't let me) 5 errors and wait a minute).
And it doesn't crack stock keys. Writing someone else's tag didn't work either for some reason. But the weird part is that they use not RFID key fobs but MIFARE cards.
KnightPentest: What's the most interesting thing a student can do in an American lecture hall? There's a computer, a mouse, a keyboard, and a big projector.
Conti_niy: The projector can be turned off. If you get access to the computer, you can do anything, you know. The question is how to get access) I would certainly suggest going extremely far and just hacking into the college network. But you'd probably get busted for that faster than for anything else. The point of entry can even be an Ethernet cable on the wall, but you'll have to cut it to listen) I once built a traffic sniffer, but based on a media converter.
Funny stuff in general, but the scope of application is narrow) Consider it pure espionage) Purely technically, nothing prevents you from sending a signal and spoofing packets (we're talking about the cable). But I only ever saw it for myself as a sniffer, and quite a compact one. If, of course, you tap the signal from the twisted pair.
KnightPentest: Is it easy to jam mobile Internet and Bluetooth for a whole audience?
Conti_niy: For the Internet and cellular, no luck) you can't jam them. Well, as if you can, yes, but not with homemade stuff) with a license, permission, blah blah.
KnightPentest: I mean, how many Flippers would it take to jam the Bluetooth and mobile data of an auditorium of 50-100 people? The more Flippers, the easier it will be, right? Won't they interfere with each other?
Conti_niy: You just need an external antenna and that's all. Then there'll be normal coverage. A WiFi module: just buy a module and jam the Bluetooth with it.
KnightPentest: Does a lot depend on the device? What's harder to take down, an iOS device or Android?
Conti_niy: iOS version 15 goes into shutdown) No other device reboots anymore, only those).
KnightPentest: PC or cell phone. What's the difference here?
Conti_niy: On a PC it won't jam the screen. On mobile it will just be difficult to press anything) Well, technically the difference is zero. It will just be an endless stream of new-device connection prompts. I haven't tested a Mac. It seems not to give a damn. There are even vibrators, you know) But I don't know what the chance is of catching one and whether it works. Kitchen appliances get spammed too.
KnightPentest: Is it realistic to connect to AirPods Max and change the sound without notifications?
Conti_niy: No. Only if you connect them honestly by entering codes.
KnightPentest: And Marshalls? Or other wireless earphones?
Conti_niy: You can't really hook anyone, that's why it's spam. Like, you can't even spam the handshake exchange. It's not like WiFi)
KnightPentest: Ideally, what should a lecture hall look like so that it doesn't get jammed and an intruder doesn't get into the computer?
Conti_niy: I think nothing will come of it, you can't do damage at a lecture with this) Only those glued to their phones would be upset. In 99% of cases there is no Bluetooth on the work PC) there are old connectors, not even USB) The lecturer won't give a damn. At most you can turn off the projector, and only if you hit it with the beam).
KnightPentest: So in essence it would only be useful. The lecturer will be heard 😂
Conti_niy: So it would.
KnightPentest: Have you flown in a private plane or helicopter? Would you risk using a Flipper there when you're in the sky? 😂😂😂😂😂
Conti_niy: And what will you pick up there without knowing how everything works?)
Well, it takes a minimum of knowledge) there's even less information) and screw the on-board systems, they're on wires) wire is more reliable for now.
KnightPentest: So an intruder with a Flipper would have no way of harming the onboard systems during flight?
Conti_niy: It's got double fool-proofing, don't worry).
KnightPentest: In general, will such a toy be allowed on board?
Conti_niy: And what harm can this Tamagotchi do?)
KnightPentest: In business class they give you a tablet and there's a network to watch movies, take courses, read books. Can the jamming do anything about that?
Conti_niy: A laptop can really do more damage) because there are more possibilities. It's not forbidden to take it with you) Dunno, you need to know how it works, not point a finger at the sky) I'm telling you) it's like with the intercom) you either know and know how, or walk on by) In theory, you can do anything) You have few limitations) A couple or three fundamental interactions of physics and that's enough)
KnightPentest: You're a hacker, and you said thief777:)) Thanks a lot for sharing your experience with the community.