Ban Flipper Zero? Then Stop Selling Prox, NXP MIFARE Classic and HID iClass Legacy

Published May 22, 2024 13:02 PM

Flipper Zero (see our tests) has gone viral, and now it's on the verge of being banned in many countries. However, the root problem is corporations such as HID and NXP, who, for over a decade, have knowingly sold cracked and insecure credentials.

One of the world's largest access control manufacturers, Dormakaba, revealed a vulnerability impacting 3 million doors that stems from using MIFARE Classic, credentials that have been known to be cracked for more than 16 years, but NXP keeps selling them anyway.

Since at least 2010, the largest physical access control credential provider, HID, has claimed it was facilitating a "migration" away from these credentials. And, more than five years ago, HID blamed it on the market, hypocritically advocating that these cracked products be sold by a "trusted partner" like itself.

Today, IPVM statistics show that nearly half of all physical access credentials are still cracked / insecure 125 kHz prox ones, with HID most common.

There has been nowhere close to enough "migration" despite the vendor's claims.

Meanwhile, hacking devices like Keysy and 125 kHz prox cloners have expanded, but now there is Flipper Zero. In the past three years, the self-proclaimed Multi-tool Device for Hackers has drawn immense awareness to these problems. Hundreds of thousands of these devices are now being used across the United States alone, allowing anyone without any real hacking skills to exploit these credentials.

Because of that, public concern has risen, and governments such as Brazil and Canada are restricting or blocking sales. The US may very well be next.

Even an HID Director has publicly warned that "The flipper renders 125 khz Prox based cards and readers not just obsolete but actually dangerous" and that "with all the noise around flipperzero, now is the time to STOP selling/using 125KHZ prox", but HID keeps selling them anyway.

Flipper Zero's CEO defended his product, emphasizing that:

"if you actually think something can be hacked by a $100 toy, maybe it’s too old"

What's worse is that what's being hacked is not old. Even brand-new sales from HID and others are taking advantage of selling cracked and insecure credentials.

If governments are going to seriously consider banning Flipper Zero, they should start by stopping sales of insecure credentials, which are the underlying problem.
