Flipper Zero RFIDThief

Custom RFID Module for the Flipper Zero

Overview

The Flipper Zero is a Swiss Army knife for security researchers, but it has limitations when it comes to RFID. While the stock Flipper can read and emulate certain RFID tags, it lacks the long-range capture, storage, and exfiltration capabilities that would make it really useful in physical security testing. This is where the RFIDThief board for the Flipper Zero comes in - a custom RFID bridge module that turns the Flipper Zero into a complete RFID attack platform.

The board presented at BSides Canberra 2024 bridges the Flipper Zero with the ESP-RFID-Tool to create a seamless, real-time RFID capture and replay system with offline exfiltration capabilities. Think of it as “ESP-RFID-Tool/ESPKey capabilities with Flipper Zero usability.”

Want one but can’t be bothered building or coding?:

Demo

Hardware Details

The RFIDThief board features:

System Diagram

Architecture

As shown in the diagram above, the RFIDThief board forms a bridge between the Flipper Zero and the ESP-RFID-Tool. The system consists of three main components:

  1. ESP-RFID-Tool: This device connects directly to door access control readers via Wiegand lines. When a legitimate user swipes their card at the reader, the ESP-RFID-Tool captures the raw data, logs it, and makes it available through its HTTP API.
    • buy it on Amazon, AliExpress, Lab401, OzHack or Hacker Warehouse
  2. RFIDThief board: This custom board contains:
    • ESP32C3 microcontroller that connects to the ESP-RFID-Tool via WiFi and to the Flipper Zero via UART
    • I2C OLED display showing real-time card data and connection status
    • NXP NTAG I2C Plus 2K NFC chip for offline exfiltration
    • IR blaster for pwning IR-enabled monitors or CCTV cameras
  3. Flipper Zero: The main user interface running a custom .mjs application that provides:
    • GUI for sending API commands, viewing logs, viewing cards, and capturing cards
      • lightweight mJS console application also available
    • Card storage and management
    • UART connection to the RFIDThief board
    • MOSI connection to the RFIDThief board’s IR array

API Commands

The system supports eight powerful API commands that can be sent from the Flipper Zero through the RFIDThief board to the ESP-RFID-Tool:

  1. listlog: Lists available log files on the ESP-RFID-Tool
  2. viewlog: Returns all saved card data in both binary and hex formats
  3. info: Returns ESP-RFID-Tool board file system information
  4. fuzzer: Launches a fuzzing attack against a reader
    • can transmit simultaneously on D0 and D1 or alternate between the two
    • can transmit a set number of bits or transmit continuously (DoS attack)
  5. stoptx: Halts all active transmissions
  6. deletelog: Clears the current log file
  7. pincode: Transmits a PIN code to a keypad reader
  8. txbin: Replays or transmits a card to a reader in binary format
    • any binary string can be transmitted, not only card data

How It Works

When a user swipes their badge at a door reader, the following sequence happens automatically:

  1. The ESP-RFID-Tool captures the Wiegand data from the reader and logs it
  2. The ESP32 on the RFIDThief board polls the ESP-RFID-Tool log file every few seconds via WiFi
  3. When new card data is detected, the ESP32:
    • Parses the data (facility code, card number, raw hex)
    • Displays it on the OLED screen
    • Writes it to the embedded NFC chip in NDEF URI format (for offline access via any NFC-capable phone)
    • Sends it to the Flipper Zero via UART

The Flipper Zero then:

The Flipper Zero can also send a PIN to, DoS, or fuzz the reader at any time.
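The two reader-side behaviours this page describes, the board's parsing of each frame into facility code and card number, and the fuzzer command's stream of arbitrary or continuous bits at D0/D1, are also what an access-control operator can look for in their own reader logs. The block below is an added example for this write-up, not code from the RFIDThief project or the ESP-RFID-Tool: it decodes standard 26-bit H10301 Wiegand frames (even parity over bits 0-12, odd parity over bits 13-25) and then flags parity-invalid frames, bursts faster than a person can present a card, and facility codes outside a site's allowlist. The `ts bits= data=` log format, the `analyze_reader_log` name and the sample lines are constructed for the example; real ESP-RFID-Tool or panel logs are laid out differently.

```python
"""Defender-side checks over Wiegand reader events (added example).

Decodes 26-bit H10301 frames and flags the traces a Wiegand fuzzer or
DoS stream leaves at a reader: parity failures, read bursts, and
facility codes the site does not issue. Log format is constructed.
"""
import re
from collections import deque

# Constructed log format for this example: "<unix ts> bits=<n> data=<bits>".
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+bits=(?P<n>\d+)\s+data=(?P<data>[01]+)$")

# Constructed sample: two legitimate reads of FC 100 / CN 12345 five minutes
# apart, then a burst of malformed and unexpected frames within one second.
SAMPLE_LOG = """\
1700000000 bits=26 data=10110010000110000001110011
1700000300 bits=26 data=10110010000110000001110011
1700000600 bits=26 data=10110010000110000001110010
1700000600 bits=26 data=00000000000000000000000000
1700000600 bits=26 data=11111111111111111111111111
1700000601 bits=26 data=10101010101010101010101010
1700000601 bits=26 data=01010101010101010101010101
"""


def decode_wiegand26(bits):
    """Return (facility_code, card_number, parity_ok) for a 26-bit H10301 frame.

    Bit 0 is even parity over bits 0-12, bit 25 is odd parity over bits 13-25,
    bits 1-8 carry the facility code and bits 9-24 the 16-bit card number.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    ones = [int(c) for c in bits]
    even_ok = sum(ones[0:13]) % 2 == 0
    odd_ok = sum(ones[13:26]) % 2 == 1
    facility = int(bits[1:9], 2)
    card = int(bits[9:25], 2)
    return facility, card, even_ok and odd_ok


def analyze_reader_log(text, known_facilities, window_s=2, burst_threshold=5):
    """Walk reader events and return (timestamp, kind, detail) alerts.

    known_facilities: set of facility codes the site actually issues.
    A burst alert fires once when burst_threshold reads land inside window_s.
    """
    alerts = []
    recent = deque()  # timestamps of reads inside the sliding window
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not read events
        ts = int(m.group("ts"))

        # Rate check counts every read, well-formed or not: a fuzzer or
        # continuous-transmit DoS produces far more events than a human.
        recent.append(ts)
        while recent and ts - recent[0] > window_s:
            recent.popleft()
        if len(recent) == burst_threshold:
            alerts.append((ts, "burst", f"{burst_threshold} reads within {window_s}s"))

        data = m.group("data")
        if len(data) != 26:
            alerts.append((ts, "unexpected_length", str(len(data))))
            continue
        facility, card, parity_ok = decode_wiegand26(data)
        if not parity_ok:
            # Arbitrary bit patterns almost never satisfy both parity bits.
            alerts.append((ts, "parity_failure", data))
        elif facility not in known_facilities:
            alerts.append((ts, "unknown_facility", f"FC={facility} CN={card}"))
    return alerts


def run_demo():
    """Run the checks over the constructed sample with FC 100 as the only issued code."""
    return analyze_reader_log(SAMPLE_LOG, known_facilities={100})


if __name__ == "__main__":
    for ts, kind, detail in run_demo():
        print(ts, kind, detail)
```

On the sample, the two spaced-out reads of FC 100 pass silently; the five frames in the final second produce four parity failures, one burst alert, and one unknown-facility alert (the alternating 0101 pattern happens to satisfy both parity bits but decodes to facility code 170). Feeding real panel exports through the same checks only needs `LINE_RE` adjusted to the panel's line layout.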

Exfiltration Capabilities

Each captured card is automatically written to the on-board NFC chip in NDEF URI format. This means:

  1. Tap your NFC-capable phone to the board to retrieve the last captured credential
  2. No need to power up the Flipper Zero or maintain a connection during exfiltration
    • no need to use the Flipper app's sharing function if data custody is an issue
  3. Independently of the NFC chip, all credentials are also saved to the SD card in Flipper format for emulation, with a dynamic filename: <TYPE>_FC<NUMBER>_CN<NUMBER>.rfid

Practical Applications

This system opens up several possibilities for physical security testing:

  1. Red Team Operations: Deploy into target readers, or pair with a weaponised reader to covertly capture legitimate credentials
  2. Badge Cloning: Captured credentials can be emulated by the Flipper Zero
  3. Reader Testing: Use the fuzzing capability to test reader robustness or identify new vulnerabilities
  4. Multi-Format Support: Works with common formats including HID, EM4100, and others
  5. PIN Bruteforcing: Send PIN codes to keypad readers

Combining with Tastic RFID Thief for Credential Harvesting

While the board is great at proxying and capturing credentials with an ESP-RFID-Tool deployed in a mounted reader, its capabilities can be expanded by pairing it with a Tastic RFID Thief for on-the-move credential capture.

The Tastic RFID Thief is a long-range weaponized RFID reader capable of reading cards at distances of up to 50 cm or more. By combining both tools, you can create a comprehensive credential harvesting system:

  1. Extended Range Capture: Use the Tastic RFID Thief’s long-range capabilities to silently read cards in crowded areas without arousing suspicion.

  2. Bidirectional Attack: Every time a card is captured with the Tastic, it is automatically transmitted and saved on the RFIDThief board/Flipper Zero combination for immediate replay or emulation.

  3. Real-time Processing Pipeline:
    • Tastic RFID Thief captures credentials on the move
    • Captured cards are automatically transferred to the RFIDThief board via WiFi/ESPKey
    • RFIDThief processes and formats the credentials for the Flipper Zero
    • Immediate storage, replay, emulation or exfiltration
  4. Combined Exfil Options:
    • RFIDThief’s NFC chip allows for tap-and-grab offline exfiltration
    • Flipper Zero stores formatted .rfid files ready for emulation

Setup

  1. Deploy the Tastic RFID Thief in a backpack or laptop bag
  2. Plug in the board and listen for captured cards
  3. Immediately emulate captured cards and gain access
  4. As you gain further access, capture more cards on the move

This approach gives both the mobility of the Tastic RFID Thief and the processing/replay capabilities of the ESP-RFID-Tool: a decent testing toolkit that covers every stage, from credential harvesting and capture through to emulation and replay.

IR Blaster

One useful feature of the board is the integrated IR blaster. When combined with the Flipper Zero's huge IR command library, this creates plenty of opportunities for physical security testing:

  1. Security Monitor Disruption: Many surveillance systems use IR remote control signals. The IR blaster can transmit power-off sequences or menu navigation commands to temporarily disable security monitors during red team operations.

  2. CCTV Camera Control: Quite a few commercial CCTV cameras use IR protocols for configuration and control. The RFIDThief can transmit commands to:
    • Disable motion detection
    • Change recording settings
    • Enter configuration menus, potentially exposing vulnerabilities
    • Power-cycle devices
  3. Universal Approach: The Flipper Zero can store and transmit many IR signals, making this a universal tool against IR-controlled security devices regardless of manufacturer.

In practice, this allows for creating temporary “blind spots” in surveillance coverage without leaving evidence of tampering.

RFIDThief board

******
Written by Shain Lakin on 26 February 2025