What looks like a kid’s toy at first glance is actually a compact yet powerful hacking tool that’s making waves in the cybersecurity community. The emergence of Flipper Zero has raised concerns about the potential ease with which any individual can exploit a variety of devices with weak security. Surprisingly, it remains legal and may be purchased online by anyone, anywhere. However, the controversy surrounding it caused shipments to be seized in the US and Brazil and the device to be banned from Amazon. So, what makes it so unique?
Flipper Zero is a pocket-sized device designed to emulate various wireless communication protocols, such as RFID, NFC, and Bluetooth. Simply put, it can read and interfere with wireless devices as well as act as one, such as a TV remote or a USB keyboard. However, the reason for concern is not only its potential misuse. It’s possible to replicate Flipper functionality with off-the-shelf components which have always been available for purchase – such as a Raspberry Pi or the USB Rubber Ducky – but this technology has never been so user-friendly and ready to use. This open-source device, which comes in a compact build reminiscent of the “Tamagotchi” digital pet toy from the early 2000s, is in fact a versatile hacking device with an advanced user interface.
Flipper has sparked debates about the ethical implications of such a powerful tool being readily available to the public. There have been numerous viral videos where Flipper was used to alter gas station signs, trigger announcements in stores, and control wireless projectors. It has been used to get into buildings, open car gates, copy remote control signals and turn off screens in shopping malls and restaurants.
This is how it works. Flipper’s functionality allows it to interact with several signal types:
- Near field communication (NFC) signals, used in bank cards and building access cards.
- 125 kHz RFID, used in older proximity cards and animal microchips.
- Infrared, used in many remote controls.
- Sub-1 GHz, commonly used in garage door remotes and remote keyless systems.
To read a wireless signal, the user holds the Flipper device close to the source of the signal, uses the buttons to select the program which corresponds to the signal type, and selects “Read”. Flipper then stores the signal in its memory so that it can be emulated later. You may now have a single key for your air conditioner, garage door, and TV.
But Flipper Zero has also been seen on TikTok emulating credit cards (magnetic stripes) and hotel cards, copying car keys, and unlocking password-protected phones, with videos going viral and getting taken down every day. These attacks often utilize custom scripts or added features – therefore, additional technical development is necessary to break into a more complicated system when using a tool such as Flipper. Moreover, nearly all demonstrated attacks have only been successful against primitive or poorly protected devices.
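The reason a stored signal can simply be played back, and why that only works against the "primitive or poorly protected" devices mentioned above, comes down to whether the receiver accepts a static code or expects a fresh one on every press. The following model is an added illustration written for this article; it is not code from Flipper Zero, from Riscure, or from any vendor's remote. It assumes a hypothetical fixed-code garage receiver that accepts one constant value, and a hypothetical rolling-code receiver that requires a strictly increasing counter authenticated with an HMAC under a key shared with the remote (a simplified stand-in for the real schemes used in modern remote keyless systems). All codes and keys are constructed sample values.

```python
"""Toy model: capture-and-replay against a fixed-code receiver versus a
rolling-code receiver. Constructed illustration, no real RF or vendor protocol."""
import hashlib
import hmac


class FixedCodeReceiver:
    """Weak design: accepts any frame equal to its single static code.
    A frame captured once ('Read') is therefore valid forever."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Hypothetical rolling-code design: each frame carries a 4-byte counter and
    an 8-byte HMAC-SHA256 tag over that counter. A frame is accepted only if the
    counter is ahead of the last accepted one (within a resync window) and the
    tag verifies, so a replayed capture is rejected."""

    WINDOW = 16  # how far ahead a counter may jump (lost presses out of range)

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    @staticmethod
    def mac(key: bytes, counter: int) -> bytes:
        msg = counter.to_bytes(4, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()[:8]

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        tag = frame[4:]
        # Replayed or stale counter: reject before even checking the tag.
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False
        if not hmac.compare_digest(tag, self.mac(self.key, counter)):
            return False
        self.last_counter = counter
        return True


class RollingCodeRemote:
    """Hypothetical remote paired with RollingCodeReceiver (same shared key)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return self.counter.to_bytes(4, "big") + RollingCodeReceiver.mac(self.key, self.counter)


def replay_demo() -> dict:
    """Capture one legitimate frame from each kind of remote, play it back,
    and report which receivers accept the replay."""
    fixed_code = b"\xa5\x3c\x11\x0f"  # constructed sample static code
    fixed_rx = FixedCodeReceiver(fixed_code)
    captured_fixed = fixed_code  # a 'Read' of a fixed-code remote yields the code itself

    key = b"constructed-shared-key"  # constructed sample pairing key
    remote = RollingCodeRemote(key)
    rolling_rx = RollingCodeReceiver(key)
    captured_rolling = remote.press()  # the press we 'Read' off the air

    return {
        "fixed_replay_accepted": fixed_rx.receive(captured_fixed),
        "rolling_first_accepted": rolling_rx.receive(captured_rolling),
        "rolling_replay_accepted": rolling_rx.receive(captured_rolling),
        "rolling_next_press_accepted": rolling_rx.receive(remote.press()),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The fixed-code receiver accepts the replayed frame because nothing in the frame changes between presses; the rolling-code receiver accepts the genuine press, rejects the identical frame when it is played back, and still accepts the remote's next press. For a device manufacturer the check is the same as in the model: if a captured frame is accepted a second time, the design is in the "poorly protected" category.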
We asked Riscure’s Security Analyst Jetse Brouwer what he thinks about Flipper Zero. Here’s what he told us:
“It’s a great conversation starter as it raises the awareness of such attacks in the general public who are mostly unfamiliar with device vulnerabilities. It can also serve as a great educational tool for developers that are just getting started with pen testing. However, I don’t see immediate security risks for consumers as long as they keep their firmware up to date and ensure the physical safety of the device. Device manufacturers keep on advancing their security measures and the vulnerabilities are found in the lab – with much more advanced and specialized testing setups.”
While most consumer devices are well-protected against Flipper-like attacks, this device indeed offers an opportunity to discover what still remains a potential target. Flipper Zero can be used to break into devices that have no security at all. While traditionally Riscure shows ways and means to break much more robust implementations, we should not forget that sooner rather than later any attack method becomes accessible to wider audiences. What is at the edge of security expertise now becomes common knowledge in 5-10 years. Making sure that your development is protected from the advanced threats of today means that tomorrow there are fewer chances for it to be broken by a simple-but-smart off-the-shelf security toy.