Wireless signals are everywhere. Phones, Wi-Fi networks and bank cards are just a few technologies that use wireless signals to communicate. Hacking them typically requires some cybersecurity knowledge, but Flipper Zero makes it a cinch.
Flipper Zero is a toy-like portable hacking tool. The multi-tool is marketed to "geeks," red team hackers and pen testers to expose vulnerabilities in the world around them, like a cybersecurity X-ray. The tool is open source and completed a successful Kickstarter in 2020.
The tool gained popularity on TikTok when it appeared in a flurry of videos from hackers and script kiddies playing pranks in public. In the videos, hackers turn off the electronic menus at fast food restaurants, remotely open the charging ports of strangers' Teslas and even change the gas prices on gas station displays. The hackers simply point the device at the target system like a remote control, press a button or two, and the target screen turns off, the display numbers change or the charging port opens.
These videos make Flipper Zero out to be a skeleton key for IoT, but this is an exaggeration. Most of the videos were likely staged, requiring significant preparation to pull off.
The gadget is still a powerful and intuitive tool to investigate cybersecurity in the physical world. Although it can't manipulate every wireless device in its path, it can read the signals wireless devices emit. With this capability, it can reveal a significant amount of information about a spectrum of electronic devices, even if it can't really change gas prices at the click of a button. For example, it can do the following:
- Read a stranger's car tire pressure sensor data.
- Read the body temperature of a dog with an animal microchip embedded in it.
- Detect the signals an iPhone sends out for facial recognition and the frequency of those emissions.
- Read and record the signal from a garage door opener.
- Clone a building entry card.
How does Flipper Zero work?
Flipper Zero contains a few different antennas. These help it capture, store, clone and emulate wireless signals. It can interact with several signal types:
- Near field communication (NFC). Bank cards and building access cards use NFC signals.
- 125kHz RFID. Older proximity cards and animal microchips use this frequency.
- Infrared. Many remotes use infrared signals.
- Sub-1 GHz. Garage door remotes and remote keyless systems use Sub-1 GHz frequencies to communicate.
To read a wireless signal, the user holds Flipper Zero up to source of the signal, selects the program that corresponds to the signal type, and selects "Read." Flipper Zero then saves the signal type to memory. The user can access the saved signal and emulate it. Flipper Zero doesn't allow users to save and emulate NFC bank cards, but it can read them.
Part of Flipper Zero's appeal is its versatility. Three simple hacks showcase Flipper Zero's capabilities via radio signal communication and other means. It can unlock a car that uses a radio fob, control a TV that uses infrared and create a two-factor authentication token for websites.
Flipper Zero also features the following:
- 18 general purpose input/output connectors that connect it to other hardware devices.
- A USB 2.0 port, type C, to connect with computers.
- iButton 1-Wire support. iButtons are often used in asset control and tracking.
- Removable storage in the form of an SD card.
- An LCD display screen and five-button control pad.
- The FreeRTOS embedded operating system for microcontrollers.
Is Flipper Zero a serious security threat?
Flipper Zero has potential to be a security threat in the wrong hands. However, it is not inherently dangerous. To engineer a security attack would take a fair amount of planning and intent. Flipper Zero is better suited to light pen testing activities and general reconnaissance to gain awareness of the digital environment. For novice hackers, pen testing is the act of intentionally finding vulnerabilities in a computer system to fix the vulnerabilities and make the system stronger.
Flipper Zero is a learning tool primarily, designed to make cybersecurity information more accessible and change the way users think of the digital devices around them. Much of the technology and techniques Flipper Zero uses have been around for years. Flipper Zero just makes them slightly more accessible and user friendly.
Is it legal?
Flipper Zero reported on its social media channels that U.S. Customs and Border Patrol seized a shipment of Flipper Zeros in September 2022. Despite this event, the device is legal. It simply has the potential to be used illegally.
Flipper Zero shouldn't be used to tamper with devices or systems that the user doesn't have permission to access.
The device's firmware prevents users from transmitting frequencies that are banned in the country where they are using it.
Flipper Zero is banned on Amazon because it was tagged as a card-skimming device. There is a third-party Flipper locator application that lets people monitor Flipper restocks by country and vendor.
Alternatives to Flipper Zero
Flipper Zero is just one hacking gadget. While Flipper Zero can perform a range of actions, there are many products and software that can also perform one or several of those same functions:
- The USB Rubber Ducky. The USB Rubber Ducky can perform BadUSB attacks and run ducky scripts.
- ChameleonMini. The ChameleonMini is a portable tool for NFC security analysis.
- Smartphones. Smartphones can read and store NFC codes.
- Raspberry Pi. Raspberry Pi can be set up as an NFC signal reader.
- The Wi-Fi Pineapple. Both Flipper Zero and the Wi-Fi Pineapple can be used for pen testing wireless networks.
- John the Ripper. This tool does password-cracking attacks, like Flipper Zero does with its BadUSB function.
Cost of Flipper Zero
The gadget was originally sold for $169 by the manufacturer. However, the device is often sold out and only available through third-party vendors, increasing the price. There are also many scammers that claim to be selling Flipper Zero when they aren't. It's best to only buy Flipper Zero through a reputable distributor.
Flipper Zero generally works on devices and systems that were vulnerable to begin with. Learn how to fix five of the most common cybersecurity vulnerabilities to prevent data loss and hacking.