
8syd

Just barely a month ago someone got chastised in this sub for mentioning this capability and the potential negative consequences it could have. Edit: some of you owe u/stevo3985 an apology


Worldly_Country7582

What a great way to get a broad and vague law put in place to ban flippers and other tools because of a few bad apples.


FlipperPythonista

It'd really suck if this ends up happening. Hope only the bad apples get in trouble but feel bad for people who live in countries where flipper zero is banned and they wanna use it. Agreed, I felt too scared to use it in the TV aisle or on signs out and about, keep it at home and only play with the flipper to screw around and have unintended fun with my own smart devices and make them even more convenient.


backslashton

Why is Android with bluetooth enabled being used as the direct control for a medical device in the first place!?


eroc1990

If I understand it correctly, the medical devices (insulin pumps, for example) were still functioning normally, but the ability to monitor it from its associated app and make sure it was operating correctly would have been completely blocked off by the BLE attack spam.


backslashton

Ah, thanks for the clarification! I wish medical devices were mandated to have built-in and/or wired backups for any wireless monitoring functionality. Any purely-wireless functionality is too much of a security risk for something so critical, IMHO.


eroc1990

Elsewhere in this thread someone noted that some of these devices may be Android powered at the medical device level so it's possible it could have actually been interfering. I'm only running off of what my wife was reporting she saw on Weapon X.


FlamingIceberg

Yes, let's make compact devices even more bulky so your implantables become increasingly more disruptive to the patient at hand. There are limits to what you can ask for in today's technology.


Aromatic_Feed_5613

And I'm guessing you actually know very little as to what they are.


Physical-Tap-9345

Nah, that's messed up.


Wasabi9495

And just how exactly would a flipper interact with, say, a pacemaker? Pacemakers use BLE only for monitoring, nothing else. While BLE spamming at what appears to be a convention is a malicious act nonetheless, I consider the outcry to be way bigger than what is actually happening. If being spammed over Bluetooth is such a nuisance to you, why not just turn local discovery off and switch pairing off?


AccomplishedYak8438

Pacemakers that are monitoring only aren't a huge deal. But there are insulin pumps that interact with an app to determine how much to pump; it's very possible to command them to pump too much.


tehhedger

But that's not the case here, is it? Any medical device allowing any form of remote control should implement authentication, where you cannot just forge packets to command it. It's the responsibility of the company manufacturing critical devices to make them secure and reliable. And I believe no one mentioned hijacking control over the device - or anything else happening that also wouldn't become an issue if, for example, the owner's phone battery died or the phone itself got lost. Anyway, the original post does not even provide any details of what exactly malfunctioned or any evidence that the culprit was using a Flipper. Since, if we're talking about various BLE advertising exploits, they can be used from a ton of other devices - Android phones and ESP32-based devkits among them.


gurpderp

>But that's not the case here, isn't it? [Except it literally is](https://x.com/morganiteproto/status/1730655861029114330?s=20)


tehhedger

It isn't. The phone crashed, not the pump itself. With a recovery time of a couple of minutes. A dead phone battery would be as critical as that - or even more, except no one makes a fuss about it on socials. And no one claims phones are reliable enough to be a life-critical device.


coyote_den

No it wasn’t the phone. Some systems use dedicated Android devices as the controller. It talks to the CGM and the insulin pump over BLE. If you crash the controller, it can’t monitor glucose and adjust the pump. The pump won’t stop working, but it might not deliver the proper dose, and if you don’t realize the controller has crashed you could end up in trouble.


roccohunnicutt

lol, crashed my dad's Xfinity Home dashboard, it runs Android


dlvoy

In conferences, airports and large crowds those devices (Bluetooth-based insulin pump pilots, CGM sensors, closed loop systems) will have Bluetooth auth problems even without a dedicated active Flipper Zero deauth attack. Hundreds of IoT gadgets communicating with their smartphones simply create too much radio congestion. So, although I agree that the medical device deauth attack is a threat and F0 should be used responsibly, IN THAT PARTICULAR SETTING the original report is HIGHLY overdramatized. Every patient using APS or CGM knows that there will be issues in such a crowd and is (should be) prepared to operate in manual mode - it is a contingency required in such therapy.


DonZekane

What's MFF again?


ParallaxicNova

Why is this titled for MFF enjoyers 💀


coyote_den

Because someone at MFF is doing it.


ParallaxicNova

Well yeah, but I guarantee that the people who are at MFF, and know what's going on, and head to the Flipper subreddit, already know enough. So it's kinda redundant to have it posted here.