Overview

The Flipper Zero is a swiss army knife for security researchers, but it has limitations when it comes to RFID. While the stock Flipper can read and emulate certain RFID tags, it lacks long range capture, storage, and exfiltration capabilities that would make it really useful in physical security testing. This is where the RFIDThief board for the Flipper Zero comes in - a custom RFID bridge module that transforms your Flipper Zero into a complete RFID attack platform.

The board presented at BSides Canberra 2024 bridges the Flipper Zero with the ESP-RFID-Tool to create a seamless, real-time RFID capture and replay system with offline exfiltration capabilities. Think of it as "ESP-RFID-Tool/ESPKey capabilities with Flipper Zero usability."

TLDR;

This board connects to an ESP-RFID-Tool:

• as access cards are captured the RFIDThief parses, formats and saves the card data to the Flipper's SD card in Flipper format ready for emulation.
• the parsed card data is displayed on the OLED screen upon each new card capture.
• you can transmit replay captured cards, send raw binary, pin codes, fuzz or DOS an access control unit.
• all captured access card data is saved to SD card in Flipper format for emulation and the most recent capture is stored on an onboard NFC tag which you can retrieve using your phone or proxmark etc.
• it has an IR blaster on the back of the board.

watch the Demo:

Demo

Flipper Zero RFIDThief

Hardware Details

The RFIDThief board features:

• ESP32C3 microcontroller acting as the bridge between Flipper Zero and the ESP-RFID-Tool
• I2C OLED display showing real-time captured card info and system status
• NXP NTAG I2C Plus 2K NFC chip for secure offline exfiltration of captured credentials
• energy harvesting for identifying HF readers
• IR blaster capability for targeting IR enabled monitors or cameras

System Diagram

System Diagram

Architecture

The RFIDThief board forms a bridge between the Flipper Zero and the ESP-RFID-Tool. The system consists of three main components:

1. ESP-RFID-Tool: This device connects directly to door access control readers via Wiegand lines. When a legitimate user swipes a card at the reader, the ESP-RFID-Tool captures the raw data, logs it, and makes it available through its HTTP API.

   • You can buy this device on Amazon, AliExpress, Lab401, OzHack or Hacker Warehouse.

2. RFIDThief board: This custom board contains:

   • ESP32C3 microcontroller that connects to the ESP-RFID-Tool via WiFi and to the Flipper Zero via UART
   • I2C OLED display showing real-time card data and connection status
   • NXP NTAG I2C Plus 2K NFC chip for offline exfiltration
   • IR blaster for pwning IR enabled monitors or CCTV cameras

3. Flipper Zero: The main user interface running a custom .mjs application that provides:

   • GUI for sending api commands, viewing logs, viewing cards, capturing cards
   • lightweight mJS console application also available
   • Card storage and management
   • UART connection to the RFIDThief board
   • MOSI connection to the RFIDThief board's IR array

API Commands

The system supports eight API commands that can be sent from the Flipper Zero through the RFIDThief board to the ESP-RFID-Tool:

1. listlog: Lists available log files on the ESP-RFID-Tool
2. viewlog: Returns all saved card data in both binary and hex formats
3. info: Returns ESP-RFID-Tool board file system information
4. fuzzer: Launches a fuzzing attack against a reader
   • can transmit simutaneously on D0 and D1 or alternate between the two
   • can transmit a set number of bits or continous (DOS attack)
5. stoptx: Halts all active transmissions
6. deletelog: Cleans the current log file
7. pincode: Transmits a PIN code to a keypad reader
8. txbin: Replays or transmits a card to a reader in binary format
   • any binary can be transmitted not only card data

How It Works

When a user swipes a badge at a door reader, the following sequence happens automatically:

1. The ESP-RFID-Tool captures the Wiegand data from the reader and logs it
2. The ESP32 on the RFIDThief board polls the ESP-RFID-Tool log file every few seconds via WiFi
3. When new card data is detected, the ESP32:
   • Parses the data (facility code, card number, raw hex)
   • Displays it on the OLED screen
   • Writes it to the embedded NFC chip in NDEF URI format (for offline access via any NFC-capable phone)
   • Sends it to the Flipper Zero via UART

The Flipper Zero then: - Saves the card data in its storage as an .rfid file - Shows the data in its GUI - Can replay the card data

The Flipper Zero can also send a pin, DOS or fuzz the reader at any time.

Exfiltration Capabilities

Each captured card is automatically written to the on-board NFC chip in NDEF URI format. This means: 1. Tap your NFC-capable phone to the board to retrieve the last captured credential 2. No need to power up the Flipper Zero or maintain a connection during exfiltration - no need to use the Flipper apps sharing function for sensitive data 3. Regardless of NFC all credentials are stored to SD card in flipper format upon capture

Practical Applications

This system opens up several possibilities for physical security testing:

1. Red Team Operations: Deploy near target readers to covertly capture legitimate credentials
2. Badge Cloning: Captured credentials can be emulated by the Flipper Zero
3. Reader Testing: Use the fuzzing capability to test reader robustness or for researching vulnerabilities
4. Multi-Format Support: Works with common formats including HID, EM4100, and others
5. PIN Bruteforcing: Send PIN codes to keypad readers

Combining with Tastic RFID Thief for Credential Harvesting

While the board is great at proxying and capturing credentials when an ESP-RFID-Tool is deployed in a mounted reader, its capabilities can be expanded by pairing it with a Tastic RFID Thief for on-the-move cred capture.

The Tastic RFID Thief originally created by bishop fox is a long-range weaponized RFID reader capable of reading cards at distances up to 50cm or more. By combining both tools, you can create a comprehensive credential harvesting system:

1. Extended Range Capture:

   • Use the Tastic RFID Thief's long-range capabilities to silently read badges in crowded areas without arousing suspicion.

2. Bidirectional Attack:

   • Every card captured with the Tastic is automatically transmitted and saved on the RFIDThief board/Flipper Zero combination for immediate replay.

3. Real-time Processing Pipeline:

   • Tastic RFID Thief captures credentials on the move
   • Captured cards are automaticaly transferred to the RFIDThief board via WiFi/ESPKey
   • RFIDThief processes and formats the credentials for the Flipper Zero
   • Immediate storage, replay, emulation or exfiltration

4. Combined Exfil Options:

   • RFIDThief's NFC chip allows for tap-and-grab offline exfiltration
   • Flipper Zero stores formatted .rfid files ready for emulation

Setup

1. Deploy the Tastic RFID Thief in a backpack or laptop bag
2. Plug in the board and listen for captured cards
3. Immediatly emulate captured cards, immediatly emulate and gain access
4. As you gain further access capture more cards on the move

This approach gives both the mobility of the Tastic RFID Thief and the processing/replay capabilities of the ESP-RFID-Tool, which is a decent testing toolkit that works at every stage from credential harvesting, to capture, emulation and replay.

IR Blaster

One useful feature of the board is the integrated IR blaster. When combined with the Flipper Zero's huge IR command library, this creates plenty of opportuinties for physical security testing:

1. Security Monitor Disruption: Many surveillance systems use IR remote control signals. The IR blaster can transmit power-off sequences or menu navigation commands to temporarily disable security monitors during red team operations.

2. CCTV Camera Control: Quite a few commercial CCTV cameras use IR protocols for configuration and control. The RFIDThief can transmit commands to:

   • Disable motion detection
   • Change recording settings
   • Enter configuration menus, potentially exposing vulnerabilities
   • Power-cycle devices

What's in the box

1. RFIDThief board pre-flashed and tested (default SSID and password for ESP-RFID-Tool)
2. USB stick with RFIDThief board firmware + source code, RFID bridge mJS console and GUI application source code for the FZ (no compiling require just drag and drop into your /apps/Scripts/ folder).

What you need

1. An ESP-RFID-Tool

Buy it @:

AliExpress Lab401

Disclaimer

For use in legal, ethical, authorised penetration testing, red teaming or security research only. Do not modify, interfere or tamper with access control systems that you do not own.