Cybercriminals have taken MFA bombing to the next level by calling victims of an attack from a spoofed Apple Support number.

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA).

MFA normally requires a user to enter a six-digit code sent by SMS, or generated by an app, or to respond to a push notification, when they enter a username and password. It provides an enormous increase in security and makes life much harder for criminals.

Because it’s so hard to break, criminals have taken to getting users to defeat their own MFA. They do this by using stolen credentials to try logging in, or by trying to reset a user’s password over and over again. In both cases this bombards the user with push notifications asking them to approve the login, or messages asking them to change their password. By doing this, the criminals hope that users will either tap the wrong option or get so fed up they just do whatever the messages are asking them to do, just to make the bombardment stop.

Now, according to this blog by Bran Krebs, these attacks have evolved. If you can withstand the pressure of the constant notifications, the criminals will call you pretending to come to your rescue.

In one example Krebs writes about, criminals flooded a target’s phone with password reset notifications for their Apple ID. Each notification required the user to choose either “Allow” or “Don’t Allow” before they could go back to using their device.

After withstanding the temptation to click “Allow”, and declining “100-plus” notifications, the victim receved a call from a spoofed number pretending to be Apple Support.

The call was designed to get the victim to trigger a password reset, and then to hand over the one-time password reset code sent to their device. Armed with a reset code, the criminals could change the victim’s password and lock them out of their account.

Luckily, in this situation the victim thought the callers seemed untrustworthy, so he asked them to provide some of his personal information, and they got his name wrong.

Another victim of MFA bombing learned that the notifications kept coming even after he bought a new device and created a new Apple iCloud account. This revealed that the attacks must have been targeted at his telephone number, because it was the only constant factor between the two device configurations.

Yet another target was told by Apple that setting up an Apple Recovery Key for his account would stop the notifications once and for all, although both Krebs and the victim dispute this.

Unfortunately, there doesn’t seem to be a lot you can do once an MFA bombing attack starts other than be patient, and be careful not to click Allow. If you get a call, know that Apple Support will never call you out of the blue, so don’t trust the caller, no matter how convenient their timing.

If you lose control of your Apple ID, go to iforgot.apple.com to start the account recovery process.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 MFA bombing taken to the next level 

An easy-to-understand guide on how to back up your iPhone to a Windows computer

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

We’ve published posts on how to back up your iPhone to iCloud, and how to backup an iPhone to a Mac. Another method is to backup using the iTunes app on a Windows system.

Choose whichever backup method works best for you, and will continue to work.

First, connect your iPhone to the Windows system with a cable.

You are likely to see a prompt on your iPhone asking whether it can trust this computer.

To proceed, tap **Trust** and entering your passcode.

Then open the iTunes app on your Windows device.

In iTunes click the **Device** symbol in the upper left corner (next to the Music drop down box).

_Note: It may take a while before the device icon appears_

In the **Settings** of the iTunes app select **Summary**.

You’ll see some device data about your iPhone, and below that a **Backups** menu.

Here you can select either **iCloud** or **This Computer**.

To create a local backup select **This Computer** and click on **Back Up Now** to create a new backup of your iPhone on your Windows System.

To encrypt your backups, select **Encrypt local backup**, type a password, then click **Set Password**.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to a Windows computer 

An easy-to-understand guide on how to backup your iPhone or iPad to your Mac.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

One of the most cost effective ways to backup your iPhone is to save backups to your Mac. Backups are made automatically whenever you connect your iPhone to your Mac with a lead. Be aware though that backups can take up a lot of space on your Mac, and that if your Mac is lost, stolen, or inoperable, then you won’t be able to access your iPhone backups. If you need daily backups or backups that can always be accessed from anywhere, you may prefer to backup your iPhone to iCloud.

This guide tells you how to enable backups to your Mac, and how to check that everything is working as you expect.

First, connect your iPhone or iPad to a Mac using a cable.

Open the **Finder** app and select your iPhone from the list of **Locations**.

Click **Genera**l.

Under **Backups**, choose **Back up all of the data on your iPhone to this Mac**.

To encrypt your backup data and protect it with a password, select **Encrypt local backup**. You will be prompted for a password.

Click **Back Up Now.**

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to a Mac 

An easy-to-understand guide on how to backup your iPhone or iPad to iCloud automatically.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

The most convenient way to backup your iPhone is to have it backup to iCloud. Backups are made every day, automatically, provided your phone is connected to power and locked. Be aware though that backups take take up a lot of your iCloud storage, and your phones’ data plan if you choose to backup when you aren’t connected to Wi-Fi. If those are likely to be problems for you, you might prefer to backup your iPhone to your Mac.

This guide tells you how to enable backups to iCloud, and how to check that everything is working as you expect.

Open the **Settings** app.

Then tap where you see your name and **Apple ID, iCloud+, Media & Purchases**.

Next, tap **iCloud**.

Scroll down and tap **iCloud Backup**.

Toggle **Back Up This iPhone** to on.

This may reveal a **Back Up Over Cellular Data** or **Back Up Over Mobile Data** toggle. This creates backups when you aren’t connected to Wi-Fi. Because backups can use a lot of data, toggling this on may cause you to exceed your data plan.

Once you have made a backup, you can access it from this screen under **ALL DEVICE BACKUPS**.

You can return to the previous screen by tapping the **< iCloud** link at the top. This screen shows you how much storage space your backups are using. To see a little more detail, tap **Manage Account Storage**.

Scroll down the list of apps until you see **Backups** to see how much storage your backups are using.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to iCloud 

Facebook is accused of using potentially criminal methods to spy on Snapchat users to gain a commercial advantage over its competition.

Social media giant Facebook snooped on Snapchat users’ network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That’s according to a court document filed March 23, 2024.

The document mentions Facebook’s so-called In-App Action Panel (IAAP) program, which existed between June 2016 and approximately May 2019. The IAAP program, used an adversary-in-the-middle method called to intercept and decrypt Snapchat’s—and later YouTube’s and Amazon’s—SSL-protected analytics traffic to provide information for Facebook’s competitive decision making. Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client.

On June 9, 2016, Facebook CEO Mark Zuckerberg complained about the lack of analytics about competitor Snapchat.

> “Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . .
> 
> Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

So, as part of the IAAP program, the company started Project Ghostbusters by using Onavo. Onavo was a VPN-like research tool that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

The Project Ghostbusters technique relied on technology known as a server-side SSL bump performed on Facebook’s Onavo servers. SSL bumping, also known as SSL interception, involves intercepting and decrypting SSL/TLS traffic, inspecting it for malicious content or policy violations, and then re-encrypting and forwarding it to the intended destination.

To gain access to the data about their competitor, Facebook incentivized users to install “kits” on both Android and iOS devices that impersonated official servers and decrypted traffic that Facebook had no right to access.

These kits allowed Facebook to intercept traffic for specific sub-domains, allowing them to read what would otherwise be encrypted traffic and to measure in-app usage of their competitor’s apps. The users were clueless about what the kits did exactly, but it allowed the operators to view and analyze the traffic before it got encrypted.

According to the court documents, advertisers suing Meta claim that Facebook later expanded the program to Amazon and YouTube. This practice is likely in violation of wiretapping laws and “potentially criminal.” Facebook’s secret program likely violated the Wiretap Act, because it prohibits intentionally intercepting electronic communications with no applicable exception and the use of such intercepted communications.

We’ll keep you updated on how this develops.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Facebook spied on Snapchat users to get analytics about the competition 

By Waqas
Google’s Threat Analysis Group (TAG) reports a concerning rise in zero-day exploits and increased activity from state-backed hackers.…
This is a post from HackRead.com Read the original post: Google TAG Reports Zero-Day Surge and Rise of State Hacker Threats

Google’s Threat Analysis Group (TAG) reports a concerning rise in zero-day exploits and increased activity from state-backed hackers. This highlights the growing cybersecurity threats to businesses and individuals.

In an overview of cybersecurity threats, Google’s Threat Analysis Group (TAG) and **Google-owned Mandiant** disclosed 97 zero-day vulnerabilities exploited in the wild last year. That’s a score well above and significantly more than 50% of the 62 seen the year before but still comes in below the record 106 exploits in 2021.

It also indicated that among the 30 reported critical vulnerabilities, 29 were made by TAG and Mandiant, showing how much of a risk there is from threats that are not yet fixed. As per Google’s **blog post**, in its report, Google’s TAG researchers divided vulnerabilities into two categories: one targeting end user-based platforms and products, including iOS and Android devices and browsers, while the other targeted those technologies focused on enterprise-level solutions, such as security software.

One of the key trends pointed out in the report is the continued determination of the **threat from state-sponsored actors**, more so from the People’s Republic of China (PRC). A notable portion of the exploits were attributed to 12 zero-day vulnerabilities linked to the PRC by cyber-espionage groups, compared with seven the previous year.

The **report** emphasizes the changing tactics by threat actors, with an increase in targeting levels for technologies specific to the enterprise. According to Google, the trend of cyberattacks against corporate infrastructure continues to rise after the company recorded a 64% surge in the exploitation of technologies specific to the enterprise over the past year.

Most interestingly, these results also point to a shift in focus toward the exploitation of vulnerabilities in third-party components or libraries, which enlarge the overall attack surface for threat actors.

Among the positives, the report points out: that there are big investments from major platform vendors like **Apple**, **Google**, and **Microsoft** to make the security apparatus even better. The investment has also paid off, with few vulnerabilities observed in first-party code and mitigations improving against the worst attacks.

Finally, the report provides practical recommendations for how both individuals and businesses can improve their security situation. Other key recommendations brought out in the report are the adoption of transparency with timely disclosure, prioritizing threat mitigation strategies, and the solid building of security foundations.

> _“Evolving cyber threats will be responded to through enhanced collaboration and vigilance to protect the digital ecosystem. Google works on ongoing research with its expertise in the ever-growing need for collective resilience to threats.”_
> 
> Google

There’s much more in the **report** (PDF) the company published earlier today.

****Don’t Forget Ethical Hackers****

While Google’s TAG report focuses on the efforts of major technology companies in identifying security vulnerabilities, it’s important to acknowledge the vital role played by ethical hackers, also known as white hat hackers. These individuals contribute greatly to the cybersecurity community by legally working with organizations to discover flaws in their systems.

The impact of ethical hackers is further highlighted by a February 2024 Surfshark **report** analyzing HackerOne bug bounty program data. This report reveals that ethical hackers were able to identify a large number of vulnerabilities (835) across various websites (105). These valuable contributions not only helped to secure these platforms but also generated significant earnings (€417,000) for the hackers through **bug bounty programs**.

1.  Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
2.  Microsoft Office Most Exploited Software in Malware Attacks
3.  AI Flagged as “Chronic Risk” in UK Govt’s Risk Register Report
4.  Flashpoint Uncovers 100,000+ Hidden Flaws, Including 0-Days
5.  NIST Releases Cybersecurity Framework 2.0: Guide for All Orgs

Google TAG Reports Zero-Day Surge and Rise of State Hacker Threats

A robocaller that spoofed a local phone number and presented his targets with inflammatory and disturbing content has received a hefty fine.

A federal court in Montana has fined a man $9.9 million after he was found responsible for causing thousands of unlawful and malicious spoofed robocalls.

Sometimes there is good news. Well, for almost everybody except for the robocaller who was found guilty of unlawful robocalls to people in states including Florida, Georgia, Idaho, Iowa and Virginia in 2018. The court also imposed an injunction prohibiting any future violations of the Truth in Caller ID Act and Telephone Consumer Protection Act.

Scott Rhodes spoofed his telephone number, so it appeared to his targets that he was calling from a local phone number. If they picked up, they were presented with recorded messages. Those messages included highly inflammatory and disturbing content, often directed at certain communities, that intended to offend or harm the recipients.

Those messages typically addressed tragic and controversial events that took place in the region. Many consumers who received the calls found the calls so disturbing, they submitted complaints to FCC and other law enforcement regarding unwanted and harassing robocalls.

The FCC traced the unlawful spoofed robocalls to Scott Rhodes, a resident of Idaho and Montana, and in January 2021, the FCC imposed a $9,918,000 forfeiture penalty against Rhodes. In September 2021, the Justice Department sued Rhodes in the District of Montana to recover that penalty and obtain an injunction.

In October 2023, the United States moved for summary judgment, and the court subsequently entered an injunction and the full $9,918,000 forfeiture penalty against Rhodes, after concluding based on a de novo review of the evidence that Rhodes committed the violations found by FCC. When a court hears a case as “de novo,” it is deciding the issues without reference to any legal conclusion or assumption made by the previous court to hear the case.

Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s Civil Division commented:

> “The department is committed to protecting consumers from deceptive robocalls. We are very pleased by the court’s judgment, and we will continue working with the FCC and other agency partners to vigorously enforce the telemarketing laws that prohibit these practices.”

Earlier this year we reported that the FCC efforts seem to be paying off, by showing an encouraging decline in robocalls.

Last year, another robocaller made headlines after the FCC issued a $300 million forfeiture to a persistent offender and shut down their operation.

**What to do if you answer a robocall**

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1.  Hang up as soon as you realize that it is an automated robocall.
2.  Do not engage with the call at all.
3.  Don’t follow any instructions.
4.  Avoid giving away any personal information.
5.  Report the robocall.
    *   If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    *   If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    *   If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your voice being recorded, can be used in scams against you or your loved ones.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Disturbing robocaller fined $9.9 million 

Plus: The Biden administration warns of nationwide attacks on US water systems, a new Russian wiper malware emerges, and China-linked hackers wage a global attack spree.

The next time you stay in a hotel, you may want to use the door’s deadbolt. A group of security researchers this week revealed a technique that uses a series of security vulnerabilities that impact 3 million hotel room locks worldwide. While the company is working to fix the issue, many of the locks remain vulnerable to the unique intrusion technique.

Apple is having a tough week. In addition to security researchers revealing a major, virtually unpatchable vulnerability in its hardware (more on that below), the United States Department of Justice and 16 attorneys general filed an antitrust lawsuit against the tech giant, alleging that its practices related to its iPhone business are illegally anticompetitive. Part of the lawsuit highlights what it calls Apple’s “elastic” embrace of privacy and security decisions—particularly iMessage’s end-to-end encryption, which Apple has refused to make available to Android users.

Speaking of privacy, a recent change to cookie pop-up notifications reveals the number of companies each website shares your data with. A WIRED analysis of the top 10,000 most popular websites found that some sites are sharing data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor, which has long allowed people to comment about companies anonymously, has begun encouraging people to use their real names.

And that’s not all. Each week, we round up the security and privacy news we don’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Apple’s M-series of chips contain a flaw that could allow an attacker to trick the processor into revealing secret end-to-end encryption keys on Macs, according to new research. An exploit developed by a team of researchers, dubbed GoFetch, takes advantage of the M-series chips’ so-called data memory-dependent prefetcher, or DMP. Data stored in a computer’s memory have addresses, and DMP’s optimize the computer’s operations by predicting the address of data that is likely to be accessed next. The DMP then puts “pointers” that are used to locate data addresses in the machine’s memory cache. These caches can be accessed by an attacker in what’s known as a side-channel attack. A flaw in the DMP makes it possible to trick the DMP into adding data to the cache, potentially exposing encryption keys.

The flaw, which is present in Apple’s M1, M2, and M3 chips, is essentially unpatchable because it is present in the silicon itself. There are mitigation techniques that cryptographic developers can create to reduce the efficacy of the exploit, but as Kim Zetter at Zero Day writes, “the bottom line for users is that there is nothing you can do to address this.”

**US Warns of Widespread Cyberattacks Against Water Systems**

In a letter sent to governors across the US this week, officials at the Environmental Protection Agency and the White House warned that hackers from Iran and China could attack “water and wastewater systems throughout the United States.” The letter, sent by EPA administrator Michael Regan and White House national security adviser Jake Sullivan, says hackers linked to Iran’s Islamic Revolutionary Guard and Chinese state-backed hacker group known as Volt Typhoon have already attacked drinking water systems and other critical infrastructure. Future attacks, the letter says, “have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

**A New Russian Wiper Malware Threatens Communication Networks**

There’s a new version of a wiper malware that Russian hackers appear to have used in attacks against several Ukrainian internet and mobile service providers. Dubbed AcidPour by researchers at security firm SentinelOne, the malware is likely an updated version of the AcidRain malware that crippled the Viasat satellite system in February 2022, heavily impacting Ukraine’s military communications. According to SentinelOne’s analysis of AcidPour, the malware has “expanded capabilities” that could allow it to “better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.” The researchers tell CyberScoop that AcidPour may be used to carry out more widespread attacks.

**China’s Earth Krahang Hackers Target Victims Around the World**

Volt Typhoon isn’t the only China-linked hacker group wreaking widespread havoc. Researchers at security firm TrendMicro revealed a hacking campaign by a group known as Earth Krahang that’s targeted 116 organizations across 48 countries. Of those, Earth Krahang has managed to breach 70 organizations, including 48 government entities. According to TrendMicro, the hackers gain access through vulnerable internet-facing servers or through spear-phishing attacks. They then use access to the targeted systems to engage in espionage and commandeer the victims’ infrastructure to carry out further attacks. Trend Micro, which has been monitoring Earth Krahang since early 2022, also says it found “potential links” between the group and I-Soon, a Chinese hack-for-hire firm that was recently exposed by a mysterious leak of internal documents.

Apple Chip Flaw Leaks Secret Encryption Keys

### Summary
While examining the "App Link assetlinks.json file could not be found" vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the "/.well-known/assetlinks.json" endpoint for all hosts written with "android:host". In the AndroidManifest.xml file.

Since MobSF does not perform any input validation when extracting the hostnames in "android:host", requests can also be sent to local hostnames. This may cause SSRF vulnerability.

### Details
Example <intent-filter structure in AndroidManifest.xml:

```
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
</intent-filter>
```


We defined it as android:host="192.168.1.102/user/delete/1#". Here, the "#" character at the end of the host prevents requests from being sent to the "/.well-known/assetlinks.json" endpoint and ensures that requests are sent to the endpoint before it.


<img width="617" alt="image" src="https://github.com/MobSF/Mobile-Security-Framework-MobSF/assets/150332295/c570cb00-e947-4ad7-af80-26d46c0ad3f7">


### PoC
https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link


### Impact
The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure.


**Summary**

While examining the "App Link assetlinks.json file could not be found" vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the "/.well-known/assetlinks.json" endpoint for all hosts written with "android:host". In the AndroidManifest.xml file.

Since MobSF does not perform any input validation when extracting the hostnames in "android:host", requests can also be sent to local hostnames. This may cause SSRF vulnerability.

**Details**

Example <intent-filter structure in AndroidManifest.xml:

    <intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
    </intent-filter>
    

We defined it as android:host="192.168.1.102/user/delete/1#". Here, the "#" character at the end of the host prevents requests from being sent to the "/.well-known/assetlinks.json" endpoint and ensures that requests are sent to the endpoint before it.

**PoC**

https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share\_link

**Impact**

The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure.

**References**

*   GHSA-wfgj-wrgh-h3r3
*   MobSF/mobsfscan@61fd40b
*   MobSF/mobsfscan@cd01b71

GHSA-wfgj-wrgh-h3r3: SSRF Vulnerability on assetlinks_check(act_name, well_knowns)

Since the main reason for the ban was to prevent car thefts that didn't happen, we're happy to see the change of heart.

In February 2024 the Canadian government announced plans to ban the sale of the Flipper Zero, mainly because of its reported use to steal cars.

The Flipper Zero is a portable device that can be used in penetration testing with a focus on wireless devices and access control systems.

If that doesn’t help you understand what it can do, a few examples from the news might help.

Flipper Zero made headlines in October because versions running third-party firmware could be used to crash iPhones running iOS 17 (since resolved in iOS 17.2).

Later, reporters found information that car thieves could use the Flipper Zero to intercept, record, and sometimes mimic the signal of a vehicle’s key fob, and if the car was in a garage, the signal of the garage door opener too.

Importantly, this only works on older car models that use fixed numeric codes for their fobs. Not on cars that use rolling codes, which change the numeric code transmitted from a key fob with each use. As a result, car thieves continued to ignore the Flipper Zero in favour of key fob signal boosters and keyless repeaters which are a lot more powerful.

Oddly enough, the car thieving option was mentioned as the main reason for putting a ban on the Flipper Zero in Canada. Although Canada’s Minister of Innovation, Science, and Industry, François-Philippe Champagne said:

> “We are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

Very recently, a group of security researchers presented a series of vulnerabilities in the widely used Dormakaba Saflok electronic RFID locks. This vulnerability impacts over 3 million doors on over 13,000 properties in 131 countries, mostly in hotels.

Reportedly, an attacker only needs to read one keycard from the property to perform the attack against any of its doors. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.

Any device capable of reading and writing or emulating MIFARE Classic cards is suitable for this attack. MIFARE is a contactless card technology introduced in 1994. It’s primarly used for transport passes, but its technological capabilities quickly made it one of the most popular smart cards for storing data and providing access control.

One device that can be used for this attack is the Flipper Zero, but an attacker could just as easily use a Proxmark 3 or any NFC capable Android phone.

After an appeal by the security community, Canada now looks like it’s going to move forward with measures to restrict the use of devices like Flipper Zero to legitimate actors only. The specifics will be revealed after deliberation with Canadian companies, online retailers, and the automotive industry.

**Conclusions**

None of the technology housed within the Flipper Zero is very new, all it does is combine multiple functions into one handheld device. We have never seen any officially confirmed cases of theft using a Flipper Zero. If you want to ban something that helps against car theft, look at keyless repeaters, on the market for a host of car brands and which have no other purpose.

For all the vulnerabilities we described, updates came out that fixed the issues and made the world a safer place, although the patches haven’t been applied everywhere—it’s a lot of work to update all the locks in a hotel, and it’s not feasible to update the fob systems of older cars. Nevertheless, the research by pen testers has led to security improvements, so why would we want to take away their tools?

If we have peaked your interest to buy a Flipper Zero, we urge you to be careful. Due to limited availability there are scammers active that will take your money and send nothing in return.

You can learn more about Flipper Zero by listening to our Lock and Code podcast below. In December 2023, host David Ruiz had a long conversation in with Cooper Quintin, senior public interest technologist with the Electronic Frontier Foundation—and Flipper Zero owner—about what the Flipper Zero can do, what it can’t do, and whether governments should get involved in the regulation of the device.

Tag

#android