• cheet@infosec.pub
    link
    fedilink
    English
    arrow-up
    144
    ·
    10 months ago

    Im a security professional who works to harden medical devices. I use the flipper zero to easily test many different protocols that would be a pain in the ass to do “manually”.

    The flipper makes it easy for me to verify IR, sub GHz, USB, SPI, and many other protocols while being able to walk around the devices I test.

    Without the flipper I could totally do these checks with homebrew tools, a pi and an rtlsdr (unless thats gonna be illegal too?) But it would take me writing new tools and procedures rather than the ease of the flipper.

    Anybody in the know can tell you that the hardware isn’t anything special, and like many others have said, its like making a swiss army knife illegal cause the toothpick can be used to pick a lock.

    This isn’t gonna stop anybody, if pentest tools are showing flaws in your product, maybe we should send flippers to the car manufacturers and tell them to fix their shit. You shouldn’t be allowed to sell a car that can be wirelessly hacked like this, just like how the FDA doesn’t let you sell medical devices that can be hacked like that.

    You don’t just put the cat back in the bag…

    • kameecoding@lemmy.world
      link
      fedilink
      English
      arrow-up
      29
      ·
      10 months ago

      Based on your description it sounds like banning the flipper would be encouraging security throigh obscurity

      • go_go_gadget@lemmy.world
        link
        fedilink
        English
        arrow-up
        49
        ·
        10 months ago

        I remember when they had the same conversations about packet sniffers.

        Turned out the answer was to use encryption and switches.

    • sebinspace@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      10 months ago

      My girlfriend has a medical implant for her gastroparresis. How concerned should we be? If that device shuts off, she can’t eat, and there’s only a handful of doctors in the country that can work on it, and the one that sees her is often booked two weeks out

      • cheet@infosec.pub
        link
        fedilink
        English
        arrow-up
        10
        ·
        10 months ago

        The thing is, if there’s a wireless exploit/hack that can cause “patient harm” the FDA+Health Canada would force a recall the sec its publicly known.

        The flipper wouldn’t be the only thing able to exploit it, anybody with a radio and some software would be able to. It just so happens the flipper can also do it cause its a swiss army knife and has a general purpose radio.

        Generally by the time an attack exists on the flipper, its already been mastered on laptops and raspberry pis and stuff, putting it on the flipper is more to make it available to test easily without having to lug out the laptop. Nobody is inventing new exploits for such underpowered hardware as the flipper. People are porting known exploits to it.

        I can’t say how concerned you should be, but this won’t make her any safer than before, equal risk. Just as likely someone with a laptop in a backpack doing that. We don’t make laptops illegal tho.

        What I would be concerned about is the idea that the company that makes the implant would not be able to easily test for issues in the implant with such an “illegal” device. Yes they could use a laptop, but you don’t use an xray machine to find a stud, you use a handheld studfinder cause its cheap and easy.

        Hope that helps explain a bit

        • sebinspace@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          the flipper wouldn’t be the only thing able to exploit it

          No, and I never once thought these capabilities were unique to the Flipper. My concern is how much it lowers the barrier of entry to potentially dangerous behavior. When people say they got one “just to be evil”, it’s deeply concerning. If someone said the same thing about a gun, something else that can be dangerous and needs to be handled responsibly, I’d be notifying someone. It’s not the capabilities themselves, it’s how accessible it makes those capabilities to the otherwise-inept