The amateur hits one vector. The professional chains them all and walks out before the alarm even thinks about ringing.
Let me tell you something that nobody in the “cybersecurity industry” wants to hear. Most of these people are playing checkers while the real players are three moves ahead on a board they don’t even know exists. They write their little blog posts about “how to clone a garage door” and they think they’ve hacked something. Cute. Really cute. Like watching a toddler try to pick a lock with a butter knife.
I’ve been in this game for over thirty years. I’ve watched firewalls come and go like seasonal fashion. I’ve seen “unhackable” systems get carved open on a Tuesday afternoon with coffee in one hand and a $50 radio in the other. And the one thing I’ve learned that separates the script kiddies from the ones who actually run the show is this: no single exploit ever wins the war. It’s the chain that breaks the castle.
RFID. Sub-GHz. Infrared. Three carriers. Three completely different attack surfaces. And when you chain them together, you don’t just open a door. You own the building.
The Philosophy of the Chain
Here’s what the corporate security world doesn’t understand. They build systems in silos. The access control team doesn’t talk to the alarm team. The alarm team doesn’t talk to the HVAC vendor. Everyone has their little fiefdom, their little budget, their little “that’s not my department” excuse. And that fragmentation? That’s not a bug in their system. That’s the bug in their thinking.
When I approach a target, I don’t think in terms of “what’s the weakest link.” I think in terms of “what’s the path of least resistance that connects the most systems.” And that path almost always runs through at least two, sometimes three, completely different protocol layers.
RFID gets you past the front door. Sub-GHz gets you the gate, the alarm fob and whatever else the integrator hung on unauthenticated radio. Infrared gets you the devices they forgot even existed.
That’s not a theoretical framework. That’s a Tuesday.
RFID: The Key They Hand You on a Silver Platter
Let’s start with the one everyone knows and nobody respects.
RFID access cards. The backbone of every office building, every gym, every co-working space that thinks a fob with a blinking LED makes them secure. Here’s the dirty little secret: most of these systems are running on credential formats designed in an era when nobody imagined an attacker owning a reader.
We’re talking 125 kHz low frequency: HID Prox, EM4100, an ID of a few dozen bits sent in the clear with no cryptography at all. We’re talking 13.56 MHz high frequency: MIFARE Classic (yes, still. In 2025. Unbelievable but true), whose Crypto-1 cipher was broken in 2008 and gives up its keys in seconds. These formats have been cloned so many times that the techniques are practically folklore at this point.
But here’s where it gets interesting. Most people stop at “I cloned the badge.” And that’s fine if you just want to get into the gym after hours. But if you’re playing the long game, cloning the badge is just step one. Because that badge doesn’t just open a door. It logs an event. It talks to a controller. And that controller is almost always connected to something else.
I grab a low-frequency badge with a Flipper Zero in under a second. The catch is range: the Flipper has to sit within a few centimetres of the card, which is fine for a coat on a chair or a lanyard at the coffee machine. For the hallway walk-past you carry a long-range 125 kHz reader in a bag; the card answers whatever energises it, and the credential is in your pocket before they finish their sentence about the weather.
But I’m not done. Not even close.
Sub-GHz: The Silent Highway
This is where the magic happens. This is where you go from “guy who cloned a badge” to “person who just compromised an entire facility” without anyone noticing.
Sub-GHz radio. The 315, 433, 868 and 915 MHz bands that carry everything from garage doors to car key fobs to wireless alarm sensors to industrial telemetry. It’s the wild west of wireless communication. Fixed codes with no encryption and no authentication on most of the cheap stuff; rolling codes that add a counter but lean on ciphers like KeeLoq that were broken years ago on the rest. Raw RF signals flying through the air like they’re shouting their secrets to anyone with a receiver.
Here’s the chain I run most often. I clone the RFID badge. I get into the building. Now I’m inside, and I pull out the Flipper Zero again, but this time I’m on Sub-GHz. I’m scanning for whatever the alarm installer left on the air: the wireless door contacts and motion sensors, the arm/disarm key fobs, the gate and garage receivers, the lighting remotes. And you know what? I find something almost every single time. Because the installer was lazy. Because the integrator cut corners. Because nobody ever thought someone would be inside the building listening.
Once I have the frequency and the modulation, what happens next depends on what I captured. A fixed code I replay, and it works the second time exactly like the first. A rolling code I cannot simply replay, because the receiver has already consumed that counter value; I need a code the receiver never saw, which means jamming the legitimate transmission while recording it and forwarding it later. Either way the alarm doesn’t go off, the security company doesn’t get a call, and I’ve now got the ability to arm and disarm the system at will.
And this is the part that makes security people lose sleep. The alarm sensors, the gate, the lighting remotes and a good share of the HVAC telemetry in a typical commercial installation live in the same unlicensed bands with the same weak framing. It’s not some exotic setup. It’s standard. It’s boring. It’s everywhere.
I didn’t hack three different systems. I hacked one assumption all three share: that nobody inside the fence is listening.
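An added example, not the original post’s code and not any vendor’s protocol: a constructed model of a fixed-code receiver next to a counter-based rolling-code receiver (real ones, KeeLoq included, differ in cipher and framing; the counter-window logic is the same idea), run through the three cases above to show exactly which captured frames are worth anything. The shared key, serial number and captured frames are constructed.

```python
"""Fixed code vs rolling code: what a captured Sub-GHz frame is worth.

Constructed model for illustration. Real rolling-code systems (KeeLoq, HCS-series
receivers) use different ciphers and framing; the counter-window logic is the same idea.
Added example: not the original post's code.
"""
import hashlib
import hmac

WINDOW = 16  # how many counter steps ahead of the last accepted one the receiver tolerates


class FixedCodeReceiver:
    """A garage/gate receiver that matches one static code. Replay works forever."""

    def __init__(self, code: int):
        self.code = code

    def receive(self, frame: bytes) -> bool:
        return int.from_bytes(frame, "big") == self.code


def _tag(key: bytes, serial: int, counter: int) -> bytes:
    """Truncated HMAC over serial and counter: the 'encrypted' part of the frame."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class RollingCodeFob:
    """Transmitter: serial | counter | MAC(key, serial, counter). Counter steps on every press."""

    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> bytes:
        self.counter += 1
        return (self.serial.to_bytes(4, "big") + self.counter.to_bytes(4, "big")
                + _tag(self.key, self.serial, self.counter))


class RollingCodeReceiver:
    """Accepts only an authentic counter strictly above the last accepted one, within WINDOW."""

    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.last_counter = key, serial, 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        serial = int.from_bytes(frame[:4], "big")
        counter = int.from_bytes(frame[4:8], "big")
        if serial != self.serial:
            return False
        if not hmac.compare_digest(frame[8:], _tag(self.key, serial, counter)):
            return False
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # stale (already used) or too far ahead
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run the three scenarios from the text and report which frames the receiver accepts."""
    results = {}

    # 1. Fixed code: sniff once, replay forever.
    fixed_rx = FixedCodeReceiver(0x5A3C9)
    sniffed = (0x5A3C9).to_bytes(3, "big")       # constructed capture
    results["fixed_replay_accepted"] = fixed_rx.receive(sniffed)

    key, serial = b"\x01" * 16, 0xDEADBEEF        # constructed shared secret and serial
    fob, rx = RollingCodeFob(key, serial), RollingCodeReceiver(key, serial)

    # 2. Rolling code: a frame the receiver already consumed is worthless.
    live = fob.press()
    results["rolling_live_accepted"] = rx.receive(live)
    results["rolling_replay_accepted"] = rx.receive(live)

    # 3. Jam-and-capture: the receiver never hears presses 2 and 3; the attacker forwards
    #    press 2 so the owner's door opens, and keeps press 3, which is still fresh.
    press2, press3 = fob.press(), fob.press()
    results["forwarded_press_accepted"] = rx.receive(press2)
    results["withheld_press_accepted"] = rx.receive(press3)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the model is the window check: a rolling code fails a naive replay not because of the cipher but because the counter is behind, and it passes a withheld code for the same reason. A receiver that also enforced a timestamp or a challenge would close that gap; most cheap ones enforce neither.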
Infrared: The Forgotten Vector
Now let’s talk about the one that gets completely ignored. Infrared.
IR is the protocol that controls your TV. Your air conditioner. Your projector. The blinds and the lighting scenes in the conference room. (Not the little sensor on the wall that turns the lights on when you walk in: that’s a passive infrared detector reading body heat, and no remote code will drive it.) It’s everywhere and nobody thinks about it because it feels “too simple” to be a security risk.
That’s exactly why it’s so dangerous.
Here’s a real scenario. I’m in a conference room. There’s a projector controlled by IR. I pull out the Flipper Zero and capture the code the moment anyone presses the remote sitting on the table (I don’t need to know whose remote it is, I just need the Flipper in its beam), or I skip the capture entirely and pull the projector’s code set from the Flipper’s universal remote library. Now I can control the projector. But more importantly, I can also capture or replay the codes for the room’s climate control, the blinds, the lighting scenes.
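As an added example (not the original post’s code and not Flipper firmware), here is the step that turns a capture into a reusable code: decoding a raw list of mark/space timings, the form a raw capture takes, into an NEC address and command, plus the reverse. NEC is one of the most common consumer IR protocols, projectors and air conditioners included. The tolerance, the jittered sample capture and the address/command values are constructed.

```python
"""NEC infrared frames: raw timings <-> (address, command).

Added example, not the original post's code and not Flipper Zero firmware. Timings are in
microseconds, alternating mark, space, mark, ... starting with the leader mark, which is
the form a raw capture takes. Tolerance and sample values are constructed.
"""

LEAD_MARK, LEAD_SPACE, REPEAT_SPACE = 9000, 4500, 2250
BIT_MARK, ZERO_SPACE, ONE_SPACE = 562, 562, 1687
TOLERANCE = 0.25          # fraction of the nominal duration accepted as measurement jitter
REPEAT = "repeat"         # NEC sends this short frame while a button is held


def _near(actual: int, nominal: int) -> bool:
    return abs(actual - nominal) <= nominal * TOLERANCE


def nec_encode(address: int, command: int, extended: bool = False) -> list[int]:
    """Build the 67-entry timing list. Standard NEC sends address, ~address, command, ~command,
    each LSB first; extended NEC uses a 16-bit address (low byte then high byte) instead."""
    if extended:
        addr_bytes = [address & 0xFF, (address >> 8) & 0xFF]
    else:
        addr_bytes = [address & 0xFF, ~address & 0xFF]
    payload = addr_bytes + [command & 0xFF, ~command & 0xFF]
    timings = [LEAD_MARK, LEAD_SPACE]
    for byte in payload:
        for i in range(8):
            timings.append(BIT_MARK)
            timings.append(ONE_SPACE if (byte >> i) & 1 else ZERO_SPACE)
    timings.append(BIT_MARK)  # trailing mark terminates the last space
    return timings


def nec_decode(timings):
    """Return (address, command), REPEAT, or None if the timings are not a valid NEC frame."""
    if len(timings) < 3 or not _near(timings[0], LEAD_MARK):
        return None
    if _near(timings[1], REPEAT_SPACE) and _near(timings[2], BIT_MARK):
        return REPEAT
    if not _near(timings[1], LEAD_SPACE) or len(timings) < 67:
        return None
    bits = []
    for i in range(32):
        mark, space = timings[2 + 2 * i], timings[3 + 2 * i]
        if not _near(mark, BIT_MARK):
            return None
        if _near(space, ONE_SPACE):
            bits.append(1)
        elif _near(space, ZERO_SPACE):
            bits.append(0)
        else:
            return None
    if not _near(timings[66], BIT_MARK):
        return None
    addr, addr_inv, cmd, cmd_inv = (
        sum(bits[8 * k + i] << i for i in range(8)) for k in range(4)
    )
    if cmd ^ cmd_inv != 0xFF:
        return None                       # command check byte failed: noise or another protocol
    if addr ^ addr_inv == 0xFF:
        return addr, cmd                  # standard NEC
    return addr | (addr_inv << 8), cmd    # extended NEC: second byte is the high address byte


def _jitter(timings: list[int], seed: int = 7) -> list[int]:
    """Deterministic pseudo-noise of up to +/-60 us, standing in for receiver timing error."""
    return [t + ((i * 37 + seed) % 121) - 60 for i, t in enumerate(timings)]


# Constructed 'capture': a projector power code as a receiver might have measured it.
SAMPLE_CAPTURE = _jitter(nec_encode(0x04, 0x08))


if __name__ == "__main__":
    print("decoded capture:", nec_decode(SAMPLE_CAPTURE))
    print("clean re-encode:", nec_encode(*nec_decode(SAMPLE_CAPTURE))[:6], "...")
```

The practical payoff is the last line: once the capture decodes to an address and command, you re-encode it clean and keep a four-byte code instead of a noisy timing list, and you can sweep neighbouring commands on the same address to find the functions the remote on the table never exposed.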
And here’s where the chain completes itself, whenever the integrator did what integrators do. That room’s thermostat reports to the building management system. The BMS shares a controller, or at least a network, with the alarm panel and the access control head-end. And the access control head-end is the thing that logged the badge I cloned an hour ago. IR doesn’t put me on that network. It gives me a trusted input into a device that’s already on it.
I didn’t break in. I walked in. I cloned a badge. I listened to the radio. I copied a remote. And now I control the temperature, the lights, the projector, the alarm, and the door locks. All from a device that fits in my palm and costs less than a nice dinner.
Why Nobody Talks About Chaining
The reason this stuff doesn’t get talked about in the mainstream is simple: it doesn’t fit the narrative. The narrative is “buy our product, install our firewall, sleep at night.” The narrative is not “here’s how a single person with $200 worth of gear can own your entire physical security infrastructure in under an hour.”
The bureaucrats don’t want you to know this because it exposes how cheap and fragmented their “security” actually is. The vendors don’t want you to know this because it makes their $50,000 access control systems look like toys. And the certified professionals don’t want you to know this because it devalues their $300/hour consulting fees.
But I’m not interested in their feelings. I’m interested in the truth. And the truth is that physical security in 2025 is a joke held together with duct tape and wishful thinking.
The Real Skill: Knowing When to Chain
Chaining isn’t just about technical ability. It’s about thinking. It’s about walking into a building and seeing the invisible connections between systems that were never designed to talk to each other but do anyway because some guy in 2011 just wired them to the same controller to save money.
That’s the skill. Not the tool. The tool is just a Flipper Zero and a brain that refuses to think in silos.
I’ve seen people spend weeks trying to brute force a network when the HVAC sensors were chattering to their controller in the clear over Sub-GHz the entire time. I’ve seen people try to bypass an RFID reader when the passive-infrared request-to-exit sensor on the other side of the door would have unlocked it for them if they’d just thought to look.
The best hack isn’t the most complex one. It’s the one where you connect three dumb mistakes that nobody else thought to connect.
A Final Word to the People Who Think They’re Safe
You’re not. Your badge can be cloned in seconds. Your wireless alarm sensors and fobs can be captured from the parking lot. Your conference room remotes are handing their codes to anyone with a $50 device. And none of these systems talk to each other in a way that would catch the chain.
That’s not paranoia. That’s just Tuesday.
The systems were never designed to defend against someone who thinks laterally. They were designed to defend against someone who thinks like a burglar from 1995. And that’s the gap I live in. That’s the gap I’ve always lived in.
So the next time you badge into your office and feel safe, just remember: the door you walked through, the alarm that didn’t ring, and the lights that turned on automatically… they’re all just waiting for someone who knows how to chain them together.
And that someone might already be in the building.
If this kind of thinking speaks to you, and you want to go deeper than what the official docs will ever show you, I put together a couple of things that might interest you. No fluff. No corporate nonsense. Just the stuff that actually works.
The Flipper Zero Black Book 2026: 100+ Tricks & Payloads They Don’t Put in the Docs